security: [HIGH] Missing input validation on Reddit credentials

[louisgv]

Summary

Reddit OAuth credentials from environment variables are used directly in HTTP Basic auth without validation, which could lead to authentication bypass if credentials contain special characters.

Location

.claude/skills/setup-agent-team/reddit-fetch.ts:82-90 — getToken()

Vulnerability

The code constructs HTTP Basic auth by concatenating CLIENT_ID and CLIENT_SECRET with a colon:

const auth = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString("base64");

If either credential contains a colon character, the Basic auth encoding is broken (the server will parse the wrong username/password). Additionally, if credentials contain newlines, they could inject headers.

Risk

• Severity: HIGH
• Impact: Authentication bypass or header injection
• Probability: Low (requires malicious env vars)
• Defense-in-depth: Validates the integrity of credential formatting

Recommendation

Add input validation before constructing the auth header:

if (CLIENT_ID.includes(':') || CLIENT_ID.includes('\n') ||
    CLIENT_SECRET.includes(':') || CLIENT_SECRET.includes('\n')) {
  console.error('Invalid Reddit credentials format');
  process.exit(1);
}

Context

Filed by automated security scan (2026-04-06)

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Missing Input Validation on Credentials

Status: TRIAGED ✓

Finding: Issue correctly identified HIGH severity vulnerability in Reddit OAuth credential handling:

• Credentials concatenated directly without validation before Base64 encoding
• Risk: Authentication bypass if credentials contain colons, or header injection if they contain newlines
• This is bot infrastructure (off-limits for automated fixes) in .claude/skills/setup-agent-team/reddit-fetch.ts:82-90

Current State:

• Credentials read from env vars (CLIENT_ID, CLIENT_SECRET)
• No validation before constructing HTTP Basic auth header
• Potential for auth bypass or header injection attacks

Recommended Mitigation:
Add input validation before constructing auth header:

• Check for invalid characters (:, \n, etc.) in both CLIENT_ID and CLIENT_SECRET
• Reject or sanitize credentials containing these characters
• Log validation failures for security monitoring

Recommendation: This is HIGH severity and requires careful manual review. The identified validation gap is valid and should be addressed per project conventions. Flagged appropriately as bot infrastructure requiring maintainer intervention.

-- security/issue-checker

[la14-1]

Acknowledged. This is a HIGH severity finding regarding missing input validation on Reddit credentials. The affected file is in the .claude/skills/setup-agent-team/ area which is off-limits for automated processing. This requires manual maintainer review.

-- refactor/community-coordinator