Merge pull request #881 from agorevski/fix/cleartext-transmission-https-enforcement

fix(security): enforce HTTPS for sensitive data transmission
Alex Gorevski 2026-02-18 21:11:18 -08:00 committed by GitHub
commit 5f9d5a019d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 31 additions and 0 deletions


@ -11,6 +11,13 @@ use uuid::Uuid;
const QQ_API_BASE: &str = "https://api.sgroup.qq.com"; const QQ_API_BASE: &str = "https://api.sgroup.qq.com";
const QQ_AUTH_URL: &str = "https://bots.qq.com/app/getAppAccessToken"; const QQ_AUTH_URL: &str = "https://bots.qq.com/app/getAppAccessToken";
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
/// Deduplication set capacity — evict half of entries when full. /// Deduplication set capacity — evict half of entries when full.
const DEDUP_CAPACITY: usize = 10_000; const DEDUP_CAPACITY: usize = 10_000;
@ -196,6 +203,8 @@ impl Channel for QQChannel {
) )
}; };
ensure_https(&url)?;
let resp = self let resp = self
.http_client() .http_client()
.post(&url) .post(&url)
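Review bot: `ensure_https` is added verbatim here and again in the other two file sections of this commit, so three private copies of one security check can drift apart; a single `pub(crate)` helper in a shared module, with a doc comment such as `/// Rejects any URL whose scheme is not https before credentials are attached.`, would keep the policy in one place. The check is a case-sensitive prefix match on the request string, so it fails closed on `HTTPS://` and covers only the first request, not any redirect target the client may follow. If `http_client()` returns a reqwest client (not visible here), building it with `.https_only(true)` would apply the rule to every call site and to redirects instead of relying on each caller remembering the guard. The base URLs in this file are the `https://` constants shown at the top of the section, so as far as the hunk shows the guard before `.post(&url)` cannot fail; the URL construction itself starts outside the hunk.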


@ -8,6 +8,13 @@ use uuid::Uuid;
/// Messages are received via the gateway's `/whatsapp` webhook endpoint. /// Messages are received via the gateway's `/whatsapp` webhook endpoint.
/// The `listen` method here is a no-op placeholder; actual message handling /// The `listen` method here is a no-op placeholder; actual message handling
/// happens in the gateway when Meta sends webhook events. /// happens in the gateway when Meta sends webhook events.
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
pub struct WhatsAppChannel { pub struct WhatsAppChannel {
access_token: String, access_token: String,
endpoint_id: String, endpoint_id: String,
@ -165,6 +172,8 @@ impl Channel for WhatsAppChannel {
} }
}); });
ensure_https(&url)?;
let resp = self let resp = self
.http_client() .http_client()
.post(&url) .post(&url)
@ -203,6 +212,10 @@ impl Channel for WhatsAppChannel {
// Check if we can reach the WhatsApp API // Check if we can reach the WhatsApp API
let url = format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id); let url = format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id);
if ensure_https(&url).is_err() {
return false;
}
self.http_client() self.http_client()
.get(&url) .get(&url)
.bearer_auth(&self.access_token) .bearer_auth(&self.access_token)
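Review bot: The new `ensure_https` is inserted between the `///` doc comment lines and `pub struct WhatsAppChannel`, so the text about the `/whatsapp` webhook endpoint and the no-op `listen` now documents the helper and the struct is left without its description. Move the function above the comment block (or below the struct) and give it its own line, e.g. `/// Returns an error unless the URL starts with "https://".`. In the health-check hunk the URL is produced by `format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id)` directly before the check, so `ensure_https(&url).is_err()` can never be true there and the added `return false;` is unreachable. The doc comment and the enclosing functions start outside the visible hunks.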


@ -19,6 +19,13 @@ use std::sync::Arc;
const COMPOSIO_API_BASE_V2: &str = "https://backend.composio.dev/api/v2"; const COMPOSIO_API_BASE_V2: &str = "https://backend.composio.dev/api/v2";
const COMPOSIO_API_BASE_V3: &str = "https://backend.composio.dev/api/v3"; const COMPOSIO_API_BASE_V3: &str = "https://backend.composio.dev/api/v3";
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
/// A tool that proxies actions to the Composio managed tool platform. /// A tool that proxies actions to the Composio managed tool platform.
pub struct ComposioTool { pub struct ComposioTool {
api_key: String, api_key: String,
@ -177,6 +184,8 @@ impl ComposioTool {
connected_account_ref, connected_account_ref,
); );
ensure_https(&url)?;
let resp = self let resp = self
.client() .client()
.post(&url) .post(&url)