⚠️ 1 New Security Finding
The latest commit contains 1 new security finding.
Findings Note: 1 finding is displayed as an inline comment.
Not a finding? Ignore it by adding a comment on the line with just the word noboost.
🤖 Automated PR Check
Thanks for opening this pull request! This is an automated message.
Please make sure your PR description clearly explains the change, the motivation behind it, and any relevant context for reviewers. Including screenshots, logs, or test evidence can help speed up the review process.
✅ Quick checklist
- Code compiles successfully
- Tests were added or updated if needed
- Lint and formatting rules pass
- PR description explains the change
If any checks fail, please review the CI logs and push updates to this branch. Thanks!
Scanner: boostsecurity - Semgrep
| throw MissingProxyCredentialsException | ||
| } | ||
| val credentialsFile = new File(proxyCredentialsPath).getCanonicalFile |
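Review bot: `getCanonicalFile` on the flagged line resolves `..` segments and symlinks but does not restrict where the result points, so a flag or user value naming a location outside the expected directory still reaches the file read; compare the canonical path against an allowed base directory (a `Path.startsWith` check against the canonicalized base, as the remediation text suggests) and confirm the target is a regular file before opening it. An empty `proxyCredentialsPath` should also be rejected up front, since `new File("").getCanonicalFile` resolves to the working directory rather than failing.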
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Original Rule ID: scala_inject_rule-PathTraversalIn
Remediation: Consider using org.apache.commons.io.FilenameUtils.getName() to extract only the filename component, stripping any directory path information including traversal sequences. Recommended to validate that file paths resolve to expected directories using File.getCanonicalPath() and comparing against an allowed base directory prefix. Can use java.nio.file.Path.normalize() combined with startsWith() checks to ensure resolved paths remain within allowed directories. Implement whitelist validation for allowed filenames or patterns, and reject paths containing directory separators (/, \) or traversal sequences (..). For Scala applications, consider using safer file access patterns with explicit directory boundaries and validated filename components rather than accepting arbitrary path strings from users.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
The application opens files for reading using Java file APIs (java.io.File, FileInputStream, FileReader, RandomAccessFile, java.nio.file.Paths.get(), Files.createTempFile()) and Scala file APIs (scala.io.Source.fromFile(), Source.fromString()) with filenames constructed from String parameters or command-line arguments. When unfiltered parameters are passed to these file APIs, attackers can inject path traversal sequences (../, ../../, absolute paths) to read files from arbitrary filesystem locations outside intended directories, potentially exposing sensitive data like configuration files, credentials, or application source code.
Summary
This PR fixes 1 security vulnerability identified by BoostSecurity.
Validate proxy credentials path before reading file in product-mixer/component-library/src/main/scala/com/twitter/product_mixer/component_library/module/http/ProxyCredentialsModule.scala (Line: 21)
Risk: User/flag-controlled file paths were passed directly to new File(...), enabling path traversal to read arbitrary files on the host (CWE-22).
Fix: Added input validation for the proxy credentials path and resolved it to a canonical path, then required the target to exist and be a regular file before loading credentials.
Review notes: Behavior changes from "attempt to read" to "fail fast" for empty, missing, or non-file paths.
Generated by BoostSecurity Advisor
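The remediation guidance above (canonicalize, then check the result against an allowed base directory) and the fix summary (reject empty paths, require an existing regular file) can be combined into one validator. The following is an added example, not code from ProxyCredentialsModule.scala or the BoostSecurity fix; `allowedBaseDir` and the exception name are assumptions.

```scala
import java.io.File
import java.nio.file.{Files, Path}

// Added example, not the project's code. `allowedBaseDir` is an assumption:
// the directory under which the proxy credentials file is expected to live.
object ProxyCredentialsPathValidator {

  final case class InvalidProxyCredentialsPath(msg: String) extends Exception(msg)

  /** Resolve `proxyCredentialsPath` and return it only if, after
    * canonicalization, it is a regular file located under `allowedBaseDir`. */
  def validate(proxyCredentialsPath: String, allowedBaseDir: Path): Path = {
    // Fail fast on empty input: new File("").getCanonicalFile would otherwise
    // silently resolve to the working directory.
    if (proxyCredentialsPath == null || proxyCredentialsPath.trim.isEmpty)
      throw InvalidProxyCredentialsPath("proxy credentials path is empty")

    // Canonicalize both sides so symlinks and ".." are resolved before the
    // comparison; toRealPath throws if the base directory does not exist.
    val base = allowedBaseDir.toRealPath()
    val candidate = new File(proxyCredentialsPath).getCanonicalFile.toPath

    // Component-wise prefix check (Path.startsWith), not a string prefix check,
    // so "/etc/proxy-other/creds" is not accepted as being under "/etc/proxy".
    if (!candidate.startsWith(base))
      throw InvalidProxyCredentialsPath(
        s"path $candidate resolves outside allowed directory $base")

    // Must exist and be a regular file, not a directory, device or missing path.
    if (!Files.isRegularFile(candidate))
      throw InvalidProxyCredentialsPath(s"path $candidate is not a regular file")

    candidate
  }
}
```

Only the returned `Path` should be handed to `scala.io.Source.fromFile` or the Java file APIs; a caller that keeps using the raw `proxyCredentialsPath` string bypasses the check.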