fix: validate app ID via shell:AppsFolder instead of string check#112
Merged
Jeomon merged 1 commit intoCursorTouch:mainfrom Mar 17, 2026
Merged
Conversation
The previous alphanumeric validation was too fragile — legitimate app IDs could be rejected and invalid ones could pass. Query the shell:AppsFolder COM object to check whether the app ID actually exists before attempting to launch it. Co-Authored-By: Claude Opus 4.6 <[email protected]>
There was a problem hiding this comment.
Pull request overview
This PR improves Windows app launching by replacing the previous AppID “string shape” validation with a real existence check against shell:AppsFolder, reducing both false negatives (valid but complex AppIDs) and false positives (valid-looking but nonexistent IDs).
Changes:
- Added
_check_app_exists()to validate an AppID by queryingShell.Application.NameSpace('shell:AppsFolder').ParseName(...)via PowerShell. - Removed the previous character-stripping/
isalnum()heuristic inlaunch_app. - Updated
launch_appto reject AppIDs that don’t resolve inshell:AppsFolder.
Comments suppressed due to low confidence (1)
src/windows_mcp/desktop/service.py:502
launch_appnow runs an extra PowerShell subprocess for every non-path AppID (first_check_app_exists, thenStart-Process). This adds noticeable overhead givenexecute_commandspawns a new shell each time. Consider folding validation into the same PowerShell invocation as the launch (e.g., ParseName + Start-Process in one script, returning a clear error if not found) to avoid the double round-trip.
if not self._check_app_exists(appid):
return (f"Invalid app identifier: {appid}", 1, 0)
safe = ps_quote(f"shell:AppsFolder\\{appid}")
command = f"Start-Process {safe}"
response, status = self.execute_command(command)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Comment on lines
+468
to
+469
| def _check_app_exists(self, app_id: str) -> bool: | ||
| """Check if an app with the given AppID exists in shell:AppsFolder.""" |
Comment on lines
+497
to
498
| if not self._check_app_exists(appid): | ||
| return (f"Invalid app identifier: {appid}", 1, 0) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The previous app ID validation in
launch_appwas too simplistic — it stripped a hardcoded set of special characters (\,_,.,-,!) and then checked whether the remainder was purely alphanumeric (isalnum()). This approach suffered from both false negatives and false positives:Microsoft.AutoGenerated.{525860DE-BA83-3DA3-C7D9-9E4A0AEA596C}) would be incorrectly rejected.Solution
Replace the string-format heuristic with an actual lookup against the Windows shell. A new
_is_valid_app_idmethod queries theshell:AppsFolderCOM object viaShell.Application.NameSpace('shell:AppsFolder').ParseName(appId)to determine whether the app ID corresponds to a real installed application. This eliminates both false positives and false negatives.Changes
_is_valid_app_idmethod that queriesshell:AppsFolderto verify the app ID existslaunch_app