fix(reddit): add input validation and HTTP error guards

- Add validateEnum/validatePathSegment to prevent URL path traversal
- Add !response.ok guards to send_message and reply tools
- Centralize subreddit validation in normalizeSubreddit

Author: waleedlatif1

apps/sim/tools/reddit/get_comments.ts

@@ -1,3 +1,4 @@
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import type { RedditCommentsParams, RedditCommentsResponse } from '@/tools/reddit/types'
 import { normalizeSubreddit } from '@/tools/reddit/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -114,8 +115,15 @@ export const getCommentsTool: ToolConfig<RedditCommentsParams, RedditCommentsRes
 
       if (params.comment) urlParams.append('comment', params.comment)
 
+      // Validate postId to prevent path traversal
+      const postId = params.postId.trim()
+      const postIdValidation = validatePathSegment(postId, { paramName: 'postId' })
+      if (!postIdValidation.isValid) {
+        throw new Error(postIdValidation.error)
+      }
+
       // Build URL using OAuth endpoint
-      return `https://oauth.reddit.com/r/${subreddit}/comments/${params.postId.trim()}?${urlParams.toString()}`
+      return `https://oauth.reddit.com/r/${subreddit}/comments/${postId}?${urlParams.toString()}`
     },
     method: 'GET',
     headers: (params: RedditCommentsParams) => {

apps/sim/tools/reddit/get_messages.ts

@@ -1,6 +1,17 @@
+import { validateEnum } from '@/lib/core/security/input-validation'
 import type { RedditGetMessagesParams, RedditMessagesResponse } from '@/tools/reddit/types'
 import type { ToolConfig } from '@/tools/types'
 
+const ALLOWED_MESSAGE_FOLDERS = [
+  'inbox',
+  'unread',
+  'sent',
+  'messages',
+  'comments',
+  'selfreply',
+  'mentions',
+] as const
+
 export const getMessagesTool: ToolConfig<RedditGetMessagesParams, RedditMessagesResponse> = {
   id: 'reddit_get_messages',
   name: 'Get Reddit Messages',
@@ -67,6 +78,10 @@ export const getMessagesTool: ToolConfig<RedditGetMessagesParams, RedditMessages
   request: {
     url: (params: RedditGetMessagesParams) => {
       const where = params.where || 'inbox'
+      const validation = validateEnum(where, ALLOWED_MESSAGE_FOLDERS, 'where')
+      if (!validation.isValid) {
+        throw new Error(validation.error)
+      }
       const limit = Math.min(Math.max(1, params.limit ?? 25), 100)
 
       const urlParams = new URLSearchParams({

apps/sim/tools/reddit/get_posts.ts

@@ -1,7 +1,10 @@
+import { validateEnum } from '@/lib/core/security/input-validation'
 import type { RedditPostsParams, RedditPostsResponse } from '@/tools/reddit/types'
 import { normalizeSubreddit } from '@/tools/reddit/utils'
 import type { ToolConfig } from '@/tools/types'
 
+const ALLOWED_SORT_OPTIONS = ['hot', 'new', 'top', 'controversial', 'rising'] as const
+
 export const getPostsTool: ToolConfig<RedditPostsParams, RedditPostsResponse> = {
   id: 'reddit_get_posts',
   name: 'Get Reddit Posts',
@@ -88,6 +91,10 @@ export const getPostsTool: ToolConfig<RedditPostsParams, RedditPostsResponse> =
     url: (params: RedditPostsParams) => {
       const subreddit = normalizeSubreddit(params.subreddit)
       const sort = params.sort || 'hot'
+      const sortValidation = validateEnum(sort, ALLOWED_SORT_OPTIONS, 'sort')
+      if (!sortValidation.isValid) {
+        throw new Error(sortValidation.error)
+      }
       const limit = Math.min(Math.max(1, params.limit ?? 10), 100)
 
       // Build URL with appropriate parameters using OAuth endpoint

apps/sim/tools/reddit/get_user.ts

@@ -1,3 +1,4 @@
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import type { RedditGetUserParams, RedditUserResponse } from '@/tools/reddit/types'
 import type { ToolConfig } from '@/tools/types'
 
@@ -30,6 +31,10 @@ export const getUserTool: ToolConfig<RedditGetUserParams, RedditUserResponse> =
   request: {
     url: (params: RedditGetUserParams) => {
       const username = params.username.trim().replace(/^u\//, '')
+      const validation = validatePathSegment(username, { paramName: 'username' })
+      if (!validation.isValid) {
+        throw new Error(validation.error)
+      }
       return `https://oauth.reddit.com/user/${username}/about?raw_json=1`
     },
     method: 'GET',

apps/sim/tools/reddit/reply.ts

@@ -71,6 +71,17 @@ export const replyTool: ToolConfig<RedditReplyParams, RedditWriteResponse> = {
   transformResponse: async (response: Response) => {
     const data = await response.json()
 
+    if (!response.ok) {
+      const errorMsg = data?.message || `HTTP error ${response.status}`
+      return {
+        success: false,
+        output: {
+          success: false,
+          message: `Failed to post reply: ${errorMsg}`,
+        },
+      }
+    }
+
     // Reddit API returns errors in json.errors array
     if (data.json?.errors && data.json.errors.length > 0) {
       const errors = data.json.errors.map((err: any) => err.join(': ')).join(', ')

apps/sim/tools/reddit/send_message.ts

@@ -78,6 +78,17 @@ export const sendMessageTool: ToolConfig<RedditSendMessageParams, RedditWriteRes
   transformResponse: async (response: Response) => {
     const data = await response.json()
 
+    if (!response.ok) {
+      const errorMsg = data?.message || `HTTP error ${response.status}`
+      return {
+        success: false,
+        output: {
+          success: false,
+          message: `Failed to send message: ${errorMsg}`,
+        },
+      }
+    }
+
     if (data.json?.errors && data.json.errors.length > 0) {
       const errors = data.json.errors.map((err: any) => err.join(': ')).join(', ')
       return {

apps/sim/tools/reddit/utils.ts

@@ -1,10 +1,19 @@
+import { validatePathSegment } from '@/lib/core/security/input-validation'
+
 const SUBREDDIT_PREFIX = /^r\//
 
 /**
  * Normalizes a subreddit name by removing the 'r/' prefix if present and trimming whitespace.
+ * Validates the result to prevent path traversal attacks.
  * @param subreddit - The subreddit name to normalize
  * @returns The normalized subreddit name without the 'r/' prefix
+ * @throws Error if the subreddit name contains invalid characters
  */
 export function normalizeSubreddit(subreddit: string): string {
-  return subreddit.trim().replace(SUBREDDIT_PREFIX, '')
+  const normalized = subreddit.trim().replace(SUBREDDIT_PREFIX, '')
+  const validation = validatePathSegment(normalized, { paramName: 'subreddit' })
+  if (!validation.isValid) {
+    throw new Error(validation.error)
+  }
+  return normalized
 }