[Shieldy] Fix: Unvalidated user input injected directly into external API URLs#2

Open
shieldy-security[bot] wants to merge 1 commit into
mainfrom
shieldy/fix-vuln-001

Conversation

@shieldy-security

Security Fix

Vulnerability: Unvalidated user input injected directly into external API URLs
Severity: HIGH
Category: ssrf
File: cli/src/stockData.ts:28

What was found

Ticker symbols entered by the user are inserted directly into Yahoo Finance API URLs without any sanitization or validation. For example, a user could enter a ticker like AAPL&symbols=evil.com or use URL-encoded characters to manipulate the request. While this is a CLI tool and the attacker would need local access, the constructed URL could be redirected to unintended hosts or manipulate query parameters to exfiltrate data or bypass intended API behavior. If this code were ever adapted for a ser

What was changed

Before:

static async getStockQuote(tickers: string[]) {
  const tickers_array = tickers.join(',');
  const url = `${this.yf_quote_url}${tickers_array}${this.yf_quote_ending_url}`;

  const response = await axios.get(url);
  return response.data.quoteResponse.result;
}

After:

static async getStockQuote(tickers: string[]) {
  // Validate each ticker: only allow alphanumeric characters, dots, hyphens, and carets
  const validTickers = tickers.map(t => t.trim()).filter(t => /^[A-Z0-9.^-]{1,10}$/i.test(t));
  if (validTickers.length !== tickers.length) {
    throw new Error('One or more ticker symbols contain invalid characters.');
  }
  const tickers_array = encodeURIComponent(validTickers.join(','));
  const url = `${this.yf_quote_url}${tickers_array}${this.yf_quote_ending_url}`;

  const response = await axios.get(url);
  return response.data.quoteResponse.result;
}

This fix was automatically generated by Shieldy security scanner.

Security fix applied by Shieldy.
Finding: VULN-001
Severity: high
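The allowlist check from the fix above, as an added stand-alone example that is not the project's code: it applies the same ticker regex before building the URL, encodes each symbol separately so the comma separator survives, and then re-parses the result to confirm the host and the symbols parameter are what the validated input implies. The base URL constants are assumptions standing in for this.yf_quote_url and this.yf_quote_ending_url; nothing is fetched.

```typescript
// Assumed stand-ins for the class fields used in cli/src/stockData.ts.
const YF_QUOTE_URL = "https://query1.finance.yahoo.com/v7/finance/quote?symbols=";
const YF_QUOTE_ENDING_URL = "&fields=regularMarketPrice";
const EXPECTED_HOST = "query1.finance.yahoo.com";

// Same allowlist as the fix: letters, digits, dot, caret, hyphen; 1-10 chars.
// Anything else (&, =, %, /, whitespace inside the symbol) is rejected outright.
const TICKER_RE = /^[A-Z0-9.^-]{1,10}$/i;

function validateTickers(tickers: string[]): string[] {
  const trimmed = tickers.map((t) => t.trim());
  const invalid = trimmed.filter((t) => !TICKER_RE.test(t));
  if (invalid.length > 0) {
    // Report every offending value so the CLI user sees what was refused.
    throw new Error(`Invalid ticker symbol(s): ${invalid.join(", ")}`);
  }
  return trimmed;
}

function buildQuoteUrl(tickers: string[]): string {
  const valid = validateTickers(tickers);
  // Encode per symbol: encoding the joined string would turn "," into "%2C".
  const list = valid.map((t) => encodeURIComponent(t)).join(",");
  const url = `${YF_QUOTE_URL}${list}${YF_QUOTE_ENDING_URL}`;

  // Defence in depth: parse what was built and confirm nothing in the input
  // moved the request to another host or added/overrode a query parameter.
  const parsed = new URL(url);
  if (parsed.host !== EXPECTED_HOST) {
    throw new Error(`unexpected host in quote URL: ${parsed.host}`);
  }
  if (parsed.searchParams.getAll("symbols").length !== 1 ||
      parsed.searchParams.get("symbols") !== valid.join(",")) {
    throw new Error("symbols parameter does not match validated input");
  }
  return url;
}

// True when the input is refused before any URL could be requested.
function isRejected(tickers: string[]): boolean {
  try {
    buildQuoteUrl(tickers);
    return false;
  } catch {
    return true;
  }
}
```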