
fix(gateway): accept http aliases for loopback announce delivery #39064

Closed
Narcooo wants to merge 1 commit into openclaw:main from Narcooo:fix/38882-loopback-http-secure-check

Conversation

@Narcooo (Contributor) commented Mar 7, 2026

Summary

  • treat http: URLs like ws: and https: like wss: in the secure gateway URL validator
  • preserve the existing loopback-only/default and private-network opt-in policy
  • add regression coverage for loopback and private-network http aliases

Problem

Cron announce delivery can target loopback gateways with http://127.0.0.1:<port>. The validator currently rejects those URLs before the ws client gets a chance to normalize them.

Verification

  • PATH=/Users/majunxian/Desktop/PyProject/openclaw/node_modules/.bin:$PATH vitest run src/gateway/net.test.ts
  • PATH=/Users/majunxian/Desktop/PyProject/openclaw/node_modules/.bin:$PATH oxfmt --check src/gateway/net.ts src/gateway/net.test.ts

Closes #38882
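The behaviour the summary describes (normalize the http:/https: aliases once, accept any TLS-backed scheme, allow plaintext only to loopback by default and to private ranges on opt-in) can be shown in a small stand-alone validator. This is an added illustration, not openclaw's `src/gateway/net.ts` or its `isSecureWebSocketUrl`; the function names, the `allowPrivateNetwork` option, the treatment of `localhost` as loopback and the address ranges used are assumptions of the example.

```typescript
// Added example of a secure-gateway-URL validator with http:/https: aliasing.
// Not openclaw's code: names, option shape and address ranges are assumptions.

interface SecureUrlPolicy {
  /** Opt-in: allow plaintext ws:/http: to RFC 1918 private ranges. Default off. */
  allowPrivateNetwork?: boolean;
}

/** Map the HTTP aliases onto their WebSocket equivalents; other schemes pass through. */
function normalizeGatewayProtocol(protocol: string): string {
  if (protocol === "https:") return "wss:";
  if (protocol === "http:") return "ws:";
  return protocol;
}

/**
 * Return the URL rewritten with the normalized scheme, or null if unparsable.
 * Normalizing once at the boundary means later checks such as
 * `startsWith("wss://")` see the same scheme the validator accepted.
 */
function normalizeGatewayUrl(raw: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // unparsable input is never accepted
  }
  const protocol = normalizeGatewayProtocol(parsed.protocol);
  // Rebuild from components (userinfo is intentionally dropped in this example).
  return `${protocol}//${parsed.host}${parsed.pathname}${parsed.search}${parsed.hash}`;
}

/** Loopback host: localhost (assumed), 127.0.0.0/8, or ::1 (URL gives "[::1]"). */
function isLoopbackHost(hostname: string): boolean {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127;
}

/** RFC 1918 IPv4 private address: 10/8, 172.16/12, 192.168/16. */
function isPrivateHost(hostname: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

/**
 * Policy: TLS (wss:, i.e. also https:) is always acceptable; plaintext
 * (ws:, i.e. also http:) only to loopback, or to private ranges when opted in;
 * every other scheme is rejected.
 */
function isSecureGatewayUrl(raw: string, policy: SecureUrlPolicy = {}): boolean {
  const normalized = normalizeGatewayUrl(raw);
  if (normalized === null) return false;
  const parsed = new URL(normalized);
  if (parsed.protocol === "wss:") return true;
  if (parsed.protocol !== "ws:") return false;
  if (isLoopbackHost(parsed.hostname)) return true;
  return policy.allowPrivateNetwork === true && isPrivateHost(parsed.hostname);
}

// Constructed sample inputs covering the four combinations the review names.
const samples: Array<[string, SecureUrlPolicy]> = [
  ["http://127.0.0.1:18789", {}],        // loopback http  -> accepted
  ["https://gateway.example:18789", {}], // remote https   -> accepted (TLS)
  ["http://203.0.113.5:18789", {}],      // remote http    -> rejected
  ["http://10.0.0.5:18789", {}],         // private http   -> rejected by default
  ["http://10.0.0.5:18789", { allowPrivateNetwork: true }], // private, opted in
];
for (const [url, policy] of samples) {
  console.log(url, JSON.stringify(policy), "->", isSecureGatewayUrl(url, policy));
}
```

The point of returning the normalized string from `normalizeGatewayUrl` is that any later check keyed on the literal `wss://` prefix (TLS pinning, for instance) operates on the same scheme the validator accepted, rather than on the caller's original `https://` text.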

@openclaw-barnacle openclaw-barnacle bot added gateway Gateway runtime size: XS labels Mar 7, 2026
greptile-apps bot (Contributor) commented Mar 7, 2026

Greptile Summary

This PR fixes cron announce delivery for loopback gateways by teaching isSecureWebSocketUrl to treat http: as an alias for ws: and https: as an alias for wss:, matching the normalization that Node's ws client already does internally. The existing loopback-only default and the opt-in private-network policy are fully preserved — only the protocol-sniffing step at the top of the function is changed.

  • https: URLs are immediately accepted as TLS-backed (mapped to wss:), matching wss:// behaviour.
  • http: URLs continue through the existing loopback / private-network checks (mapped to ws:), so no new plaintext-to-public-internet paths are opened.
  • The JSDoc comment on isSecureWebSocketUrl was not updated to reflect the newly supported http:/https: schemes, which may confuse future readers of the function signature.

Confidence Score: 5/5

  • This PR is safe to merge — the security policy is unchanged and the normalization is correct.
  • The change is small and focused: a single protocol-normalisation expression is added before the existing security checks, which are all left intact. https: → wss: immediately returns true (TLS is always safe), and http: → ws: still goes through the loopback/private-network guards so no new cleartext-to-public-internet paths are opened. The added tests directly cover the four critical combinations (loopback http, loopback https, remote http, remote https). The only finding is a documentation gap in the JSDoc.
  • No files require special attention.

Comments Outside Diff (1)

  1. src/gateway/net.ts, lines 400-410

    The function now accepts http: and https: URLs in addition to ws:/wss:, but the JSDoc still only mentions WebSocket schemes. Callers reading the docs may not realise HTTP URLs are valid inputs.

Last reviewed commit: a099dcf

chatgpt-codex-connector bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a099dcf85f


Comment on lines +427 to +428
const protocol =
parsed.protocol === "https:" ? "wss:" : parsed.protocol === "http:" ? "ws:" : parsed.protocol;
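Review bot: the nested ternary on lines +427 to +428 performs the alias mapping only inside the validator, so the literal `wss://` prefix checks that the Codex comment cites in src/gateway/client.ts and src/gateway/call.ts still see the caller's original `https://` string and fail at connect time. Extract the mapping into a small helper, apply it once where the URL enters the client so every downstream check sees the same scheme, and update the isSecureWebSocketUrl JSDoc to list http:/https: as accepted inputs, as the Greptile summary also notes.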

P2: Treat https alias consistently with wss in client TLS logic

Mapping https: to wss: here makes isSecureWebSocketUrl accept https://..., but the connection path still gates TLS pinning on the literal wss:// prefix (src/gateway/client.ts:113 and src/gateway/client.ts:147, and local auto-pinning in src/gateway/call.ts:520). In environments that set gateway.remote.tlsFingerprint (or depend on local TLS fingerprint auto-loading), an https:// URL now passes validation and then fails at connect time with gateway tls fingerprint requires wss:// gateway url, so the alias support introduced by this change is incomplete and breaks pinned-TLS usage.


@steipete (Contributor) commented Mar 7, 2026

Landed. Thank you @Narcooo.

What I did:

  • rebased onto latest main via a temp landing branch
  • kept/finalized the loopback http/https alias handling and regression tests in src/gateway/net.ts + src/gateway/net.test.ts
  • added changelog entry under 2026.3.7 fixes mentioning fix(gateway): accept http aliases for loopback announce delivery #39064 and @Narcooo
  • ran full gate before commit: pnpm lint && pnpm build && pnpm test
  • landed to main with co-author trailer

SHA hashes:

  • original PR commit: a099dcf85f8a
  • landed commit on main: 2f59a3cff

Thanks again for the fix.

@steipete steipete closed this Mar 7, 2026