From 0fddfb4b29992619c2f8c0d9cf2f7b903cb7c69b Mon Sep 17 00:00:00 2001 From: "shieldy-security[bot]" <273236306+shieldy-security[bot]@users.noreply.github.com> Date: Fri, 3 Apr 2026 20:56:59 +0000 Subject: [PATCH] fix: Unvalidated user input injected directly into external API URLs Security fix applied by Shieldy. Finding: VULN-001 Severity: high --- cli/src/stockData.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cli/src/stockData.ts b/cli/src/stockData.ts index 1d6a5f8..92e0f59 100644 --- a/cli/src/stockData.ts +++ b/cli/src/stockData.ts @@ -25,7 +25,12 @@ class StockData { } static async getStockQuote(tickers: string[]) { - const tickers_array = tickers.join(','); + // Validate each ticker: only allow alphanumeric characters, dots, hyphens, and carets + const validTickers = tickers.map(t => t.trim()).filter(t => /^[A-Z0-9.^-]{1,10}$/i.test(t)); + if (validTickers.length !== tickers.length) { + throw new Error('One or more ticker symbols contain invalid characters.'); + } + const tickers_array = encodeURIComponent(validTickers.join(',')); const url = `${this.yf_quote_url}${tickers_array}${this.yf_quote_ending_url}`; const response = await axios.get(url);