fix: Add stricter URL validation to openURLMiddleware

Author: huntie

packages/cli-server-api/src/openURLMiddleware.ts

@@ -31,7 +31,20 @@ async function openURLMiddleware(
 
     const {url} = req.body as {url: string};
 
-    await open(url);
+    try {
+      const parsedUrl = new URL(url);
+      if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+        res.writeHead(400);
+        res.end('Invalid URL protocol');
+        return;
+      }
+    } catch (error) {
+      res.writeHead(400);
+      res.end('Invalid URL format');
+      return;
+    }
+
+    await open(url, {app: 'browser'});
 
     res.writeHead(200);
     res.end();