Pensar - auto fix for 2 issues (CWE-117, CWE-400) #29

Open: pensarappstaging[bot] wants to merge 1 commit into main from pensar-auto-fix-j0P6

Conversation

@pensarappstaging

Secured with Pensar

  1. Log Injection Vulnerability (CWE-117) - user_lookup_sns (line 54)

    • What was fixed: The code previously interpolated the user parameter directly in logger.info(f"Pulling {user}'s tweets").
    • How it was addressed: Introduced a variable sanitized_user that replaces all \n and \r characters in user with spaces, then logged with logger.info(f"Pulling {sanitized_user}'s tweets (max {quantity})"). This prevents injection of log control characters by attacker-supplied usernames.
    • Impact: Only log display is changed. Functional usage of the user parameter elsewhere is untouched.
  2. Resource Exhaustion/DoS - Lack of quantity Limiting and Input Validation (lines 55-60)

    • What was fixed: The quantity parameter (user-controlled) was used without bounds, allowing attackers to force excessive computation/memory/network requests.
    • How it was addressed: Added at the start of user_lookup_sns():
      • An integer type check for quantity.
      • A check for quantity > 0.
      • An enforced upper bound (MAX_TWEETS = 5000).
      • If these checks fail, a ValueError is raised.
    • The loop condition was also fixed to use idx >= quantity (so it collects up to the intended number, matching Python conventions).
    • Impact: Prevents accidental or malicious requests for unreasonably large numbers of tweets. If violated, a clear error is raised.
  3. No Dependency Issues:

    • No dependency_issues were found, so no changes to dependencies were required.

All changes were strictly limited to the lines and logic described in the provided vulnerabilities, and surrounding code/formatting was left untouched.

More Details

| Type | Identifier | Message | Severity |
| --- | --- | --- | --- |
| Application | CWE-117 | The string interpolation writes raw, attacker-controlled data (user) directly into application logs. A malicious value such as "bob\n[ERROR] Injected log entry" can inject new lines or log directives, polluting log files, hiding real alerts, or triggering downstream log-parsers. Input should be sanitized or encoded before logging to prevent log-injection attacks. | medium |
| Application | CWE-400 | quantity is supplied by the caller without any upper bound or validation. An attacker can pass an extremely large value (e.g., 10^9) causing the loop to fetch and store massive numbers of tweets. This leads to excessive network requests, memory consumption, and CPU usage, potentially resulting in denial-of-service or unexpected billing. Input bounds or rate limits should be enforced before starting the scrape. | high |

1. Unsanitized User Input in Log Statement Enabling Log Injection (CWE-117)
2. Unbounded Tweet Scraping Resource Exhaustion (CWE-400)
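As an added example (not the PR's own diff, and not code from the repository under review), the Python module below demonstrates both fixes the bot describes. It contains a log sanitiser that generalises the \n/\r replacement to every C0 control character and DEL, a quantity validator with the same int / greater-than-zero / MAX_TWEETS checks (plus an explicit rejection of bool, which Python treats as an int), an in-memory logger that shows the forged "[ERROR]" record appearing as a second line when the raw value is interpolated and collapsing to one line when sanitised, and a bounded collection loop fed by a constructed, never-ending tweet source standing in for the network. Only MAX_TWEETS = 5000 and the "Pulling ... tweets (max ...)" message are taken from the page; the function names sanitize_for_log, validate_quantity, quantity_error, capture_log, fake_tweet_source and collect_tweets are assumptions made for this illustration.

```python
import io
import logging
import re
from itertools import count
from typing import Iterator, List, Optional

# Upper bound on tweets one call may request (the value named in the PR description).
MAX_TWEETS = 5000

# C0 control characters plus DEL. CR and LF are what let an attacker start a new
# log record; ESC (\x1b) can carry terminal escape sequences to anyone tailing the log.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Replace control characters with spaces before interpolating untrusted text into a log line.

    The PR fix replaces only \\n and \\r; this generalises to every C0 control
    character and DEL so the sanitised value can never span more than one record.
    """
    return _CONTROL_CHARS.sub(" ", value)


def validate_quantity(quantity: object) -> int:
    """Return quantity if it is a positive int no larger than MAX_TWEETS, else raise ValueError."""
    # bool is a subclass of int in Python, so isinstance(True, int) is True; reject it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError(f"quantity must be an int, got {type(quantity).__name__}")
    if quantity <= 0:
        raise ValueError("quantity must be greater than 0")
    if quantity > MAX_TWEETS:
        raise ValueError(f"quantity {quantity} exceeds MAX_TWEETS ({MAX_TWEETS})")
    return quantity


def quantity_error(quantity: object) -> Optional[str]:
    """Helper for callers that want the validation message instead of an exception."""
    try:
        validate_quantity(quantity)
    except ValueError as exc:
        return str(exc)
    return None


def capture_log(user: str, quantity: int, sanitize: bool) -> str:
    """Write the 'Pulling ...' line to an in-memory logger and return the raw text that landed there.

    sanitize=False reproduces the vulnerable f-string; sanitize=True is the fixed form.
    """
    logger = logging.getLogger("example.safe" if sanitize else "example.unsafe")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    shown = sanitize_for_log(user) if sanitize else user
    logger.info(f"Pulling {shown}'s tweets (max {quantity})")
    handler.flush()
    return buf.getvalue()


def fake_tweet_source(user: str) -> Iterator[str]:
    """Constructed stand-in for the network: an endless stream of tweets that never runs dry."""
    for i in count():
        yield f"{user}: tweet #{i}"


def collect_tweets(user: str, quantity: object) -> List[str]:
    """Bounded collection loop: validate first, then pull until exactly `quantity` tweets are held."""
    limit = validate_quantity(quantity)
    tweets: List[str] = []
    source = fake_tweet_source(user)
    while len(tweets) < limit:
        tweet = next(source, None)
        if tweet is None:  # a real source could be exhausted early; stop rather than spin
            break
        tweets.append(tweet)
    return tweets


if __name__ == "__main__":
    # Constructed attacker-supplied username that tries to forge an ERROR record.
    evil_user = "bob\n[ERROR] Injected log entry"
    print("--- unsanitised (two records appear) ---")
    print(capture_log(evil_user, 10, sanitize=False), end="")
    print("--- sanitised (one record) ---")
    print(capture_log(evil_user, 10, sanitize=True), end="")
    print(quantity_error(10**9))
    print(len(collect_tweets("bob", 7)), "tweets collected")
```

Running the module shows the unsanitised variant producing two log records, the second of which looks like a genuine ERROR line to anything parsing the file, while the sanitised variant keeps the whole username inside one INFO record. Validation runs before the first fetch, so an out-of-range quantity costs nothing beyond the ValueError, and the loop is bounded by the validated limit rather than by the source ever ending.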