fix(security): enforce HTTPS for sensitive data transmission

Add URL scheme validation before HTTP requests that transmit sensitive data (account IDs, phone numbers, user IDs). All endpoints already use HTTPS URLs, but this explicit check satisfies CodeQL rust/cleartext- transmission analysis and prevents future regressions if URLs are changed. Affected files: composio.rs, whatsapp.rs, qq.rs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-18 20:03:02 -08:00 · 2026-02-18 20:03:02 -08:00 · 925a352454
commit 925a352454
parent 8f7d879fd5
3 changed files with 31 additions and 0 deletions
--- a/src/channels/whatsapp.rs
+++ b/src/channels/whatsapp.rs
@ -8,6 +8,13 @@ use uuid::Uuid;
 /// Messages are received via the gateway's `/whatsapp` webhook endpoint.
 /// The `listen` method here is a no-op placeholder; actual message handling
 /// happens in the gateway when Meta sends webhook events.
+fn ensure_https(url: &str) -> anyhow::Result<()> {
+    if !url.starts_with("https://") {
+        anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
+    }
+    Ok(())
+}
+
 pub struct WhatsAppChannel {
    access_token: String,
    endpoint_id: String,
@ -165,6 +172,8 @@ impl Channel for WhatsAppChannel {
            }
        });

+        ensure_https(&url)?;
+
        let resp = self
            .http_client()
            .post(&url)
@ -203,6 +212,10 @@ impl Channel for WhatsAppChannel {
        // Check if we can reach the WhatsApp API
        let url = format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id);

+        if ensure_https(&url).is_err() {
+            return false;
+        }
+
        self.http_client()
            .get(&url)
            .bearer_auth(&self.access_token)