release: 4.6.62 open-file blocks executable extensions

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "twitch-vod-manager",
-  "version": "4.6.61",
+  "version": "4.6.62",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "twitch-vod-manager",
-      "version": "4.6.61",
+      "version": "4.6.62",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "twitch-vod-manager",
-  "version": "4.6.61",
+  "version": "4.6.62",
   "description": "Twitch VOD Manager - Download Twitch VODs easily",
   "main": "dist/main.js",
   "author": "xRangerDE",

src/main.ts

@@ -6919,9 +6919,24 @@ ipcMain.handle('open-folder', (_, folderPath: string) => {
     }
 });
 
+// Extensions that shell.openPath would happily execute via the system
+// default. Calc.exe via XSS smuggling is the canonical example; this
+// list blocks the obvious vectors. Media/text/image extensions are
+// still fine — shell.openPath opens them in the OS's default viewer.
+const OPEN_FILE_BLOCKED_EXTENSIONS = new Set([
+    '.exe', '.bat', '.cmd', '.com', '.ps1', '.vbs', '.vbe',
+    '.js', '.jse', '.wsf', '.wsh', '.scr', '.msi', '.msp',
+    '.lnk', '.cpl', '.reg', '.hta', '.jar', '.application'
+]);
+
 ipcMain.handle('open-file', async (_, filePath: string): Promise<boolean> => {
     if (typeof filePath !== 'string' || !filePath) return false;
     if (!fs.existsSync(filePath)) return false;
+    const ext = path.extname(filePath).toLowerCase();
+    if (OPEN_FILE_BLOCKED_EXTENSIONS.has(ext)) {
+        appendDebugLog('open-file-rejected-extension', { ext, path: filePath.slice(0, 200) });
+        return false;
+    }
     const result = await shell.openPath(filePath);
     // shell.openPath returns '' on success, an error string on failure.
     return result === '';