Description
Summary
browse/src/browser-manager.ts:633-635 — restoreState() calls page.goto(saved.url) without running validateNavigationUrl(). State files loaded from disk via the state load command could contain file://, chrome://, or cloud metadata URLs that would bypass the scheme/host blocklist enforced by newTab() and goto.
Reproduction
# Save state normally
$B state save mystate
# Tamper with the state file — inject a blocked URL
# Edit ~/.gstack/browse-states/mystate.json:
# Change a page URL to "file:///etc/passwd"
# Load the tampered state
$B state load mystate
# → Browser navigates to file:///etc/passwd without validation
Severity
Medium — requires local file tampering, but bypasses all URL validation.
Fix
PR #664 adds a validateNavigationUrl(saved.url) call before page.goto in restoreState(). Blocked URLs are skipped rather than navigated to. Five tests are added to url-validation.test.ts.
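The following TypeScript is an added illustration of the fix described above; it is not the project's code. The function names (validateNavigationUrl, restoreState, partitionTabs), the Page interface, the exact blocklist contents and the sample state are all assumptions made for the example. It shows a scheme/host blocklist of the kind the issue says newTab() and goto enforce, and a restoreState that runs every saved URL through that check and skips anything blocked instead of calling page.goto on it.

```typescript
// Added example, not the project's own code. Names and blocklist contents are assumed.

// Schemes that must never be reached through a restored state file.
const BLOCKED_SCHEMES = new Set(["file:", "chrome:", "chrome-extension:", "about:", "javascript:", "data:"]);
// Only plain web navigation is permitted; anything else is rejected even if not explicitly listed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Assumed cloud metadata hosts; the issue only says "cloud metadata URLs".
const BLOCKED_HOSTS = new Set(["169.254.169.254", "metadata.google.internal", "metadata"]);

interface ValidationResult { ok: boolean; reason?: string; }
interface SavedTab { url: string; }
interface BlockedTab { url: string; reason: string; }
// Minimal stand-in for the browser page object whose goto() the issue refers to.
interface Page { goto(url: string): Promise<void>; }

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Scheme/host blocklist check. Returns ok:false with a reason for anything that
// should not be navigated to; callers must treat a false result as "skip".
function validateNavigationUrl(raw: string): ValidationResult {
  const parsed = parseUrl(raw);
  if (!parsed) return { ok: false, reason: "unparseable URL" };
  if (BLOCKED_SCHEMES.has(parsed.protocol)) return { ok: false, reason: `blocked scheme ${parsed.protocol}` };
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return { ok: false, reason: `scheme not allowed ${parsed.protocol}` };
  if (BLOCKED_HOSTS.has(parsed.hostname.toLowerCase())) return { ok: false, reason: `blocked host ${parsed.hostname}` };
  return { ok: true };
}

// Split a loaded state into tabs that may be restored and tabs that must be dropped.
function partitionTabs(saved: SavedTab[]): { allowed: SavedTab[]; blocked: BlockedTab[] } {
  const allowed: SavedTab[] = [];
  const blocked: BlockedTab[] = [];
  for (const tab of saved) {
    const check = validateNavigationUrl(tab.url);
    if (check.ok) allowed.push(tab);
    else blocked.push({ url: tab.url, reason: check.reason ?? "blocked" });
  }
  return { allowed, blocked };
}

// Hardened restoreState: state files come from disk and are untrusted, so every
// URL is validated before page.goto, exactly like a URL passed to newTab() or goto.
async function restoreState(saved: SavedTab[], newPage: () => Page): Promise<string[]> {
  const { allowed, blocked } = partitionTabs(saved);
  for (const b of blocked) console.warn(`restoreState: skipping ${b.url} (${b.reason})`);
  const restored: string[] = [];
  for (const tab of allowed) {
    await newPage().goto(tab.url);
    restored.push(tab.url);
  }
  return restored;
}

// Constructed sample state, mirroring a tampered ~/.gstack/browse-states/<name>.json
// in which blocked URLs were injected alongside a legitimate one.
const SAMPLE_STATE: SavedTab[] = [
  { url: "https://example.com/" },
  { url: "file:///etc/passwd" },
  { url: "chrome://settings" },
  { url: "http://169.254.169.254/latest/meta-data/" },
];

// Fake page that records navigations instead of driving a browser.
function fakePage(log: string[]): Page {
  return { async goto(url: string) { log.push(url); } };
}

const visited: string[] = [];
restoreState(SAMPLE_STATE, () => fakePage(visited)).then((restored) => {
  console.log("restored:", restored); // only https://example.com/ reaches goto
});
```

With the check in place, the three injected URLs from the reproduction are logged and dropped while the legitimate tab is restored; without it, partitionTabs would not exist and every entry would reach goto unchanged.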
Found via sqry AST-based semantic code graph analysis.