From b09bf4d1334f77cc94e2fd98aff131ba896d6552 Mon Sep 17 00:00:00 2001
From: madara88645 <163588475+madara88645@users.noreply.github.com>
Date: Thu, 19 Mar 2026 22:13:20 +0000
Subject: [PATCH] fix: avoid path traversal and username leak in default db paths

Remove hardcoded username and absolute paths for Windows defaults in `app/history/manager.py` and `app/rag/simple_index.py`. Uses `os.environ.get("USERPROFILE")` to dynamically resolve the user's home directory.
---
 app/history/manager.py | 2 +-
 app/rag/simple_index.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/history/manager.py b/app/history/manager.py
index 3910a38..30db186 100644
--- a/app/history/manager.py
+++ b/app/history/manager.py
@@ -8,7 +8,7 @@
 DEFAULT_DB_PATH = os.path.expanduser("~/.promptc_history.db")
 if os.name == "nt":
-    DEFAULT_DB_PATH = r"C:\Users\User\.promptc_history.db"
+    DEFAULT_DB_PATH = os.path.join(os.environ.get("USERPROFILE", "C:\\"), ".promptc_history.db")
 
 
 class HistoryManager:
diff --git a/app/rag/simple_index.py b/app/rag/simple_index.py
index 0add42f..79b2000 100644
--- a/app/rag/simple_index.py
+++ b/app/rag/simple_index.py
@@ -38,7 +38,7 @@
 DEFAULT_DB_PATH = os.path.expanduser("~/.promptc_index_v3.db")
 # Force absolute path for debugging Windows environment
 if os.name == "nt":
-    DEFAULT_DB_PATH = r"C:\Users\User\.promptc_index_v3.db"
+    DEFAULT_DB_PATH = os.path.join(os.environ.get("USERPROFILE", "C:\\"), ".promptc_index_v3.db")
 
 CHUNK_SIZE = 1000
 CHUNK_OVERLAP = 200
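Review bot: The `"C:\\"` fallback on the added line in `app/history/manager.py` sends a per-user history database to the drive root whenever `USERPROFILE` is unset, a location shared by every account on the machine and normally not writable by a standard user, so the first write either fails or lands the file where other users can read it. `os.path.expanduser("~")`, already used on the context line just above, consults `USERPROFILE` and then `HOMEDRIVE`/`HOMEPATH` on Windows, so the `if os.name == "nt":` override now adds nothing except this weaker fallback; the simplest fix is to delete the override and keep `DEFAULT_DB_PATH = os.path.expanduser("~/.promptc_history.db")` as the only definition, or, if an explicit Windows branch is wanted, `DEFAULT_DB_PATH = os.path.join(os.path.expanduser("~"), ".promptc_history.db")`. The same pattern is in the `app/rag/simple_index.py` hunk, where the surviving `# Force absolute path for debugging Windows environment` comment suggests the override was a debugging leftover and should go with it. The removed lines show a hardcoded absolute path with a fixed username rather than any path traversal, so the title's "path traversal" claim is not supported by what the diff changes; the username leak and non-portable default are the accurate description.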