harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

fix(security): enforce HTTPS for sensitive data transmission

Browse source 
Add URL scheme validation before HTTP requests that transmit sensitive
data (account IDs, phone numbers, user IDs). All endpoints already use
HTTPS URLs, but this explicit check satisfies CodeQL rust/cleartext-
transmission analysis and prevents future regressions if URLs are
changed.

Affected files: composio.rs, whatsapp.rs, qq.rs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Alex Gorevski 2026-02-18 20:03:02 -08:00
parent 8f7d879fd5
commit 925a352454
3 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/channels/qq.rs
View file

@ -11,6 +11,13 @@ use uuid::Uuid;
const QQ_API_BASE: &str = "https://api.sgroup.qq.com"; const QQ_API_BASE: &str = "https://api.sgroup.qq.com";
const QQ_AUTH_URL: &str = "https://bots.qq.com/app/getAppAccessToken"; const QQ_AUTH_URL: &str = "https://bots.qq.com/app/getAppAccessToken";
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
/// Deduplication set capacity — evict half of entries when full. /// Deduplication set capacity — evict half of entries when full.
const DEDUP_CAPACITY: usize = 10_000; const DEDUP_CAPACITY: usize = 10_000;
@ -196,6 +203,8 @@ impl Channel for QQChannel {
) )
}; };
ensure_https(&url)?;
let resp = self let resp = self
.http_client() .http_client()
.post(&url) .post(&url)

13
src/channels/whatsapp.rs
View file

@ -8,6 +8,13 @@ use uuid::Uuid;
/// Messages are received via the gateway's `/whatsapp` webhook endpoint. /// Messages are received via the gateway's `/whatsapp` webhook endpoint.
/// The `listen` method here is a no-op placeholder; actual message handling /// The `listen` method here is a no-op placeholder; actual message handling
/// happens in the gateway when Meta sends webhook events. /// happens in the gateway when Meta sends webhook events.
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
pub struct WhatsAppChannel { pub struct WhatsAppChannel {
access_token: String, access_token: String,
endpoint_id: String, endpoint_id: String,
@ -165,6 +172,8 @@ impl Channel for WhatsAppChannel {
} }
}); });
ensure_https(&url)?;
let resp = self let resp = self
.http_client() .http_client()
.post(&url) .post(&url)
@ -203,6 +212,10 @@ impl Channel for WhatsAppChannel {
// Check if we can reach the WhatsApp API // Check if we can reach the WhatsApp API
let url = format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id); let url = format!("https://graph.facebook.com/v18.0/{}", self.endpoint_id);
if ensure_https(&url).is_err() {
return false;
}
self.http_client() self.http_client()
.get(&url) .get(&url)
.bearer_auth(&self.access_token) .bearer_auth(&self.access_token)

9
src/tools/composio.rs
View file

@ -19,6 +19,13 @@ use std::sync::Arc;
const COMPOSIO_API_BASE_V2: &str = "https://backend.composio.dev/api/v2"; const COMPOSIO_API_BASE_V2: &str = "https://backend.composio.dev/api/v2";
const COMPOSIO_API_BASE_V3: &str = "https://backend.composio.dev/api/v3"; const COMPOSIO_API_BASE_V3: &str = "https://backend.composio.dev/api/v3";
fn ensure_https(url: &str) -> anyhow::Result<()> {
if !url.starts_with("https://") {
anyhow::bail!("Refusing to transmit sensitive data over non-HTTPS URL: URL scheme must be https");
}
Ok(())
}
/// A tool that proxies actions to the Composio managed tool platform. /// A tool that proxies actions to the Composio managed tool platform.
pub struct ComposioTool { pub struct ComposioTool {
api_key: String, api_key: String,
@ -177,6 +184,8 @@ impl ComposioTool {
connected_account_ref, connected_account_ref,
); );
ensure_https(&url)?;
let resp = self let resp = self
.client() .client()
.post(&url) .post(&url)