File: .claude/skills/setup-agent-team/reddit-fetch.ts:151
Severity: HIGH
Finding: The fetchUserComments function builds the Reddit API path by interpolating the username directly, with no validation and no encoding:
const data = await redditGet(token, `/user/${username}/comments?limit=25&sort=new`);
If the username value contains path traversal sequences (e.g. ../../../admin, or the percent-encoded form ..%2F..%2F), the API path sent to Reddit is attacker-controlled and could:
- Reach Reddit API endpoints other than the user-comments listing
- Hit paths with different rate-limit treatment, bypassing the limits applied to the intended endpoint
- Leak data from non-public endpoints that the OAuth token is allowed to read
Note that the allowed character set in the recommendation below excludes all of these characters, so a genuine Reddit account name cannot carry them; the path is exploitable only if username can come from somewhere other than a real account name (a tampered or mocked API response, a different data source). The fix is cheap and still worth applying.
Recommendation:
- Validate that usernames match Reddit's allowed character set: /^[A-Za-z0-9_-]+$/
- Reject usernames containing /, .., or URL-encoded traversal sequences such as %2F (the allowlist above already does this, since none of those characters are in the set; an explicit denylist is only a secondary check)
- Use URL encoding via encodeURIComponent(username) as defense in depth: it turns / into %2F, which the client's URL parser does not treat as a path separator, but a server may still decode it before routing, so the allowlist check remains the primary control
Example exploit:
username = "../../../api/v1/me"
→ the path becomes /user/../../../api/v1/me/comments?limit=25&sort=new, which the URL parser (or Reddit's server) normalizes to https://oauth.reddit.com/api/v1/me/comments?limit=25&sort=new: a request under /api/v1/me rather than under /user/, so the endpoint is chosen by whoever controls the username
-- security/code-scanner
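As an added illustration (not code from the project or from the scanner), the following TypeScript reproduces the flagged interpolation beside a hardened builder and shows what path actually reaches the server once the URL parser has normalized dot segments. REDDIT_API_BASE, buildUserCommentsPathUnsafe, buildUserCommentsPath, resolvedPathAndQuery and compare are names chosen here; the project's redditGet helper is not shown on the page and is not modelled. The sample usernames are constructed.

```typescript
// Added example, not code from the project or the scanner. It reproduces the
// flagged interpolation, shows what path actually reaches the server after
// URL normalization, and gives a hardened builder. REDDIT_API_BASE,
// buildUserCommentsPathUnsafe and buildUserCommentsPath are names chosen
// here; the project's redditGet helper is not on the page and is not modelled.
const REDDIT_API_BASE = "https://oauth.reddit.com";

// Reddit's allowed username character set, as stated in the finding.
const REDDIT_USERNAME_RE = /^[A-Za-z0-9_-]+$/;

// Mirrors the vulnerable line in reddit-fetch.ts: no validation, no encoding.
function buildUserCommentsPathUnsafe(username: string): string {
  return `/user/${username}/comments?limit=25&sort=new`;
}

// Resolve a path against the API base the way fetch (WHATWG URL) does and
// return the path+query that would go on the wire. Dot segments are removed
// during parsing, which is exactly what lets "../" escape /user/.
function resolvedPathAndQuery(path: string): string {
  const u = new URL(path, REDDIT_API_BASE);
  return u.pathname + u.search;
}

function isValidRedditUsername(username: string): boolean {
  return REDDIT_USERNAME_RE.test(username);
}

// Hardened builder: allowlist the username, percent-encode it anyway, and
// verify that the resolved path still sits under /user/ before returning.
function buildUserCommentsPath(username: string): string {
  if (!isValidRedditUsername(username)) {
    throw new Error(`rejected username ${JSON.stringify(username)}: not in [A-Za-z0-9_-]`);
  }
  const path = `/user/${encodeURIComponent(username)}/comments?limit=25&sort=new`;
  const resolved = new URL(path, REDDIT_API_BASE);
  if (!resolved.pathname.startsWith("/user/")) {
    // Unreachable after the allowlist check; kept as a last-line invariant.
    throw new Error(`path escaped /user/: ${resolved.pathname}`);
  }
  return path;
}

// Runs a username through both builders: the normalized path the unsafe
// builder would send, and the hardened result (null when rejected).
function compare(username: string): { unsafe: string; safe: string | null } {
  let safe: string | null = null;
  try {
    safe = buildUserCommentsPath(username);
  } catch {
    // rejected by the allowlist
  }
  return { unsafe: resolvedPathAndQuery(buildUserCommentsPathUnsafe(username)), safe };
}

// Constructed sample inputs: a normal name, the traversal from the finding,
// its percent-encoded variant, and a query-injection attempt.
const SAMPLE_USERNAMES = [
  "spez",
  "../../../api/v1/me",
  "..%2F..%2F..%2Fapi/v1/me",
  "x?limit=1000",
];

for (const name of SAMPLE_USERNAMES) {
  const r = compare(name);
  console.log(`${JSON.stringify(name)}\n  unsafe   -> ${r.unsafe}\n  hardened -> ${r.safe ?? "REJECTED"}`);
}
```

Run it with tsx or ts-node. The plain traversal resolves to /api/v1/me/comments?limit=25&sort=new, outside /user/. The percent-encoded variant is the instructive one: the client's URL parser keeps %2F as-is, so the unsafe path still starts with /user/ and looks harmless from the client side, but a server that decodes before routing could treat it as a traversal, which is why the allowlist, not encodeURIComponent, is the primary control.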