Pensar - auto fix for Unrestricted Path Traversal in Twitter Profile Data Storage#26

Open
pensarappstaging[bot] wants to merge 1 commit into main from pensar-auto-fix-NJdi

Conversation

@pensarappstaging


Secured with Pensar

  1. Path Traversal Vulnerability Fix (CWE-22) in create_social_profile_sns & create_social_profile_tweepy:

    • The unsanitized use of user and outdir to build file paths allowed malicious users to traverse directories and access or overwrite arbitrary files.
    • I imported the standard library re to sanitize usernames. Only alphanumeric characters, underscores, and hyphens are allowed in filenames, replacing everything else with underscores.
    • Output directory (outdir) is normalized to an absolute path with os.path.abspath and created safely using os.makedirs.
    • Each user file path is constructed with os.path.normpath(os.path.join(outdir_abs, filename)).
    • After construction, os.path.commonpath ensures the resultant file path is within the intended parent directory (outdir_abs). If not, a ValueError is raised indicating path traversal detection.
    • The same rigorous sanitization and path validation are applied at all locations where files are read from or written to.
  2. Other Notes:

    • No dependencies were updated because there were no vulnerable dependencies according to the metadata.
    • All white space, structure, logic, and functionality outside the direct vulnerability scope remain unchanged.
More Details

Type: Application
Identifier: CWE-22
Message: Both outdir and user are received as function arguments with no validation or normalisation. They are directly concatenated into file-system paths that are opened for read and write operations. An attacker who controls either parameter could supply values such as ../../../../etc/passwd (absolute or relative paths, path separators, etc.) and trigger path traversal, allowing arbitrary file creation, overwriting, or disclosure outside the intended directory. This matches CWE-22 (Path Traversal) and can lead to full compromise of the host file system in environments where the script is exposed to untrusted input.
Severity: high
Link: Link
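The steps the bot describes (allow-list the username with re, absolutize outdir, build the file path with normpath(join(...)), then confirm with commonpath that it is still under outdir) as one runnable Python example. This is added illustration, not the PR's diff: create_social_profile_sns and create_social_profile_tweepy are not shown on the page, so the helper names, the ".json" suffix and the "all underscores" rejection in sanitize_user are assumptions. The vulnerable_profile_path function reproduces the unvalidated join the finding describes, alongside the hardened safe_profile_path, so both the "../" walk-out and the absolute-path case (where os.path.join silently drops outdir) are visible.

```python
import os
import re
import tempfile

# Added example, not the PR's code. The patched functions
# (create_social_profile_sns / create_social_profile_tweepy) are not on the
# page; helper names below are hypothetical and ".json" is an assumed suffix.

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def vulnerable_profile_path(outdir: str, user: str) -> str:
    """The pattern the CWE-22 finding describes: outdir and user joined raw.

    Two failure modes: "../" segments walk out of outdir after the OS
    resolves them, and an absolute user value makes os.path.join discard
    outdir entirely.
    """
    return os.path.join(outdir, user + ".json")


def sanitize_user(user: str) -> str:
    """Allow only [A-Za-z0-9_-]; every other character becomes '_'.

    Real Twitter handles are [A-Za-z0-9_] (1-15 chars), so legitimate input
    passes through unchanged. Rejecting a result made only of underscores
    is an extra guard, not something the PR describes.
    """
    cleaned = _UNSAFE_CHARS.sub("_", user)
    if not cleaned.strip("_"):
        raise ValueError("username has no usable characters: %r" % user)
    return cleaned


def is_within(parent_abs: str, path: str) -> bool:
    """True iff path is parent_abs or lies beneath it (component-wise).

    commonpath compares whole path components, so "/out-evil/x" is not
    treated as inside "/out" the way a str.startswith check would.
    """
    try:
        return os.path.commonpath([parent_abs, path]) == parent_abs
    except ValueError:  # mixed absolute/relative or different drives
        return False


def safe_profile_path(outdir: str, user: str, create: bool = False) -> str:
    """Hardened equivalent of vulnerable_profile_path."""
    outdir_abs = os.path.abspath(outdir)
    if create:
        os.makedirs(outdir_abs, exist_ok=True)
    filename = sanitize_user(user) + ".json"
    path = os.path.normpath(os.path.join(outdir_abs, filename))
    # Defence in depth: even if the sanitizer were bypassed, a path that
    # normalises to somewhere outside outdir_abs is rejected here.
    if not is_within(outdir_abs, path):
        raise ValueError("path traversal detected: %r" % path)
    return path


def demo() -> str:
    """Write and read one profile under a fresh temp dir; return its path."""
    outdir = tempfile.mkdtemp()
    path = safe_profile_path(outdir, "jack", create=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('{"name": "jack"}')  # constructed sample payload
    with open(path, encoding="utf-8") as fh:
        assert fh.read() == '{"name": "jack"}'
    return path


if __name__ == "__main__":
    print(demo())
    for bad in ("../../../../etc/passwd", "/etc/passwd", "..\\..\\boot.ini"):
        print("unsafe:", bad, "->", vulnerable_profile_path("/tmp/profiles", bad))
        print("safe:  ", bad, "->", safe_profile_path("/tmp/profiles", bad))
```

Two caveats a reviewer would still raise against this scheme: the underscore substitution is lossy, so distinct inputs such as "a.b" and "a/b" collapse onto the same file name, and normpath does not resolve symlinks, so a link planted inside outdir can still point elsewhere (os.path.realpath on both sides of the commonpath check closes that).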
