From 6ea3bd9ebfe50244b4fef7096f8279c1af913329 Mon Sep 17 00:00:00 2001
From: RinZ27 <222222878+RinZ27@users.noreply.github.com>
Date: Fri, 6 Feb 2026 23:37:06 +0700
Subject: [PATCH] Refactor file handling for improved robustness and path
 safety

---
 src/utils/cache.ts |  5 ++++-
 src/utils/env.ts   | 18 +++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/utils/cache.ts b/src/utils/cache.ts
index 1847e307..efc9d371 100644
--- a/src/utils/cache.ts
+++ b/src/utils/cache.ts
@@ -77,7 +77,10 @@ export function buildCacheKey(
     .replace(/\//g, '_');
 
   // Prefix with ticker when available for human-readable filenames (optional)
-  const ticker = typeof params.ticker === 'string' ? params.ticker.toUpperCase() : null;
+  // Sanitize ticker to prevent path traversal: allow only alphanumeric and hyphens
+  const ticker = typeof params.ticker === 'string' 
+    ? params.ticker.replace(/[^a-zA-Z0-9-]/g, '').toUpperCase() 
+    : null;
   const prefix = ticker ? `${ticker}_` : '';
 
   return `${cleanEndpoint}/${prefix}${hash}.json`;
diff --git a/src/utils/env.ts b/src/utils/env.ts
index 7aea4cef..baf7eb1f 100644
--- a/src/utils/env.ts
+++ b/src/utils/env.ts
@@ -1,4 +1,4 @@
-import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { readFileSync, writeFileSync } from 'fs';
 import { config } from 'dotenv';
 
 // Load .env on module import
@@ -39,7 +39,7 @@ export function checkApiKeyExists(apiKeyName: string): boolean {
   }
 
   // Also check .env file directly
-  if (existsSync('.env')) {
+  try {
     const envContent = readFileSync('.env', 'utf-8');
     const lines = envContent.split('\n');
     for (const line of lines) {
@@ -54,6 +54,8 @@ export function checkApiKeyExists(apiKeyName: string): boolean {
         }
       }
     }
+  } catch (e) {
+    // .env doesn't exist, ignore
   }
 
   return false;
@@ -64,8 +66,14 @@ export function saveApiKeyToEnv(apiKeyName: string, apiKeyValue: string): boolea
     let lines: string[] = [];
     let keyUpdated = false;
 
-    if (existsSync('.env')) {
-      const existingContent = readFileSync('.env', 'utf-8');
+    let existingContent = '';
+    try {
+      existingContent = readFileSync('.env', 'utf-8');
+    } catch (e) {
+      // .env doesn't exist or is not readable, which is fine
+    }
+
+    if (existingContent) {
       const existingLines = existingContent.split('\n');
 
       for (const line of existingLines) {
@@ -111,4 +119,4 @@ export function saveApiKeyForProvider(providerId: string, apiKey: string): boole
   const apiKeyName = getApiKeyNameForProvider(providerId);
   if (!apiKeyName) return false;
   return saveApiKeyToEnv(apiKeyName, apiKey);
-}
+}
\ No newline at end of file