Security: No HTTPS enforcement in HTTP client (CWE-319) #182
Open
Description
Summary
The ResilientHttpClient accepts any URL without enforcing HTTPS. The API key is sent in the Authorization header and would be transmitted in cleartext over HTTP connections, exposing credentials to network-level attackers.
Vulnerable Code

```typescript
// src/conway/http-client.ts
async request(url: string, options?: RequestInit & { ... }): Promise<Response> {
  // No URL protocol validation
  const response = await fetch(url, {
    ...opts,
    headers: {
      ...opts.headers, // May contain Authorization: Bearer <api_key>
    },
  });
```

Recommendation

Add URL validation that rejects non-HTTPS URLs in production:

```typescript
const parsed = new URL(url);
if (parsed.protocol !== 'https:' && parsed.hostname !== 'localhost' && parsed.hostname !== '127.0.0.1') {
  throw new Error(`Refusing to send request over insecure protocol: ${parsed.protocol}`);
}
```

Severity: HIGH
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)
Location: src/conway/http-client.ts — line 52
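A fuller form of the recommended guard, added here as an example and not code from the conway project: it parses the URL, allows `https:` everywhere, allows `http:` only to loopback hosts (extending the issue's localhost/127.0.0.1 list with the IPv6 loopback `[::1]`), rejects everything else, including relative or malformed URLs, before `fetch` is ever called, and shows where the check sits in a fetch wrapper. The names `assertSecureUrl`, `isLoopbackHost`, `classify` and `secureFetch` are assumptions, not project identifiers.

```typescript
// Added example (not the project's code). Assumed names: assertSecureUrl,
// isLoopbackHost, classify, secureFetch.

// Hosts for which cleartext HTTP is tolerated (local development only).
// WHATWG URL lower-cases hostnames and keeps IPv6 brackets, so the literal
// seen from new URL('http://[::1]:8080').hostname is '[::1]'.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

export function isLoopbackHost(hostname: string): boolean {
  return LOOPBACK_HOSTS.has(hostname);
}

// Returns the parsed URL when it is safe to attach a bearer token to, and
// throws otherwise. allowLoopbackHttp=false gives a strict production mode.
export function assertSecureUrl(url: string, allowLoopbackHttp = true): URL {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    // A relative or malformed URL must not silently resolve against some base
    // and carry the Authorization header with it.
    throw new Error(`Refusing request: not an absolute URL: ${url}`);
  }
  if (parsed.protocol === 'https:') {
    return parsed;
  }
  if (parsed.protocol === 'http:' && allowLoopbackHttp && isLoopbackHost(parsed.hostname)) {
    return parsed;
  }
  throw new Error(`Refusing to send request over insecure protocol: ${parsed.protocol}`);
}

// Convenience for tests and logging: the decision without the exception.
export function classify(url: string): 'allowed' | 'rejected' {
  try {
    assertSecureUrl(url);
    return 'allowed';
  } catch {
    return 'rejected';
  }
}

// The check belongs here, before the request (and its Authorization header)
// leaves the process, not after a response comes back.
export async function secureFetch(url: string, init?: Parameters<typeof fetch>[1]): ReturnType<typeof fetch> {
  const target = assertSecureUrl(url);
  return fetch(target.toString(), init);
}
```

Note that the allowlist is exact-match on the canonical hostname, so other 127.0.0.0/8 addresses are rejected; widen it deliberately rather than by pattern if a deployment needs more.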