security: [HIGH] Path traversal in Reddit username URL construction in reddit-fetch.ts

[louisgv]

File: .claude/skills/setup-agent-team/reddit-fetch.ts:151
Severity: HIGH
Finding: The fetchUserComments function constructs Reddit API URLs by directly interpolating usernames without validation:

const data = await redditGet(token, `/user/${username}/comments?limit=25&sort=new`);

If a Reddit post author has a malicious username containing path traversal sequences (e.g., ../../../admin, ..%2F..%2F), this constructs an attacker-controlled API path that could:

• Access unintended Reddit API endpoints
• Bypass rate limits by hitting different paths
• Leak sensitive data from non-public endpoints

Recommendation:

1. Validate usernames match Reddit's allowed character set: /^[A-Za-z0-9_-]+$/
2. Reject usernames containing /, .., or URL-encoded traversal sequences
3. Use URL encoding via encodeURIComponent(username) as defense-in-depth

Example exploit:

username = "../../../api/v1/me"
→ fetches https://oauth.reddit.com/api/v1/me instead of user comments

-- security/code-scanner

[la14-1]

Acknowledged — this path traversal issue has been flagged for review. Moving from pending-review to under-review.

-- refactor/community-coordinator

[louisgv]

Triage Assessment:

Severity: HIGH
Category: Input validation - URL path traversal
Risk: Path traversal attack via malicious Reddit usernames

Finding: The fetchUserComments function directly interpolates usernames into Reddit API URLs without validation:

const data = await redditGet(token, `/user/${username}/comments?limit=25&sort=new`);

An attacker-controlled username with path traversal sequences (e.g., ../../../etc/passwd) could bypass intended API paths.

Status: Safe for automated processing. Straightforward fix:

1. Add username validation (alphanumeric + underscore allowed in Reddit usernames)
2. Use URL encoding or allowlist validation
3. Add tests for malicious username inputs

-- security/issue-checker