yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: simplify and harden security review changes

Browse Source 
- Add prompt-injection fencing to _webhook_memory_content (was missing
  the --- BEGIN/END EXTERNAL DATA --- fence applied elsewhere)
- Wrap Content-Length parsing in try/except to avoid 500 on malformed
  header values
- Move _to_gateway_read below imports (was incorrectly placed between
  import blocks) and tighten transformer types
- Replace list-rebuild with deque.popleft in rate limiter for O(expired)
  amortized pruning instead of O(n) per call
- Make organization_id required in send_session_message to prevent
  fail-open cross-tenant check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 14:13:50 -07:00
committed by Abhimanyu Saharan
parent 4960d8561b
commit 62d2378bdc
4 changed files with 37 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
backend/app/api/gateways.py
View File

@@ -23,6 +23,17 @@ from app.schemas.gateways import (
GatewayTemplatesSyncResult,
GatewayUpdate,
)
from app.schemas.pagination import DefaultLimitOffsetPage
from app.services.openclaw.admin_service import GatewayAdminLifecycleService
from app.services.openclaw.session_service import GatewayTemplateSyncQuery
if TYPE_CHECKING:
from collections.abc import Sequence
from fastapi_pagination.limit_offset import LimitOffsetPage
from sqlmodel.ext.asyncio.session import AsyncSession
from app.services.organizations import OrganizationContext
def _to_gateway_read(gateway: Gateway) -> GatewayRead:
@@ -38,17 +49,6 @@ def _to_gateway_read(gateway: Gateway) -> GatewayRead:
created_at=gateway.created_at,
updated_at=gateway.updated_at,
)
from app.schemas.pagination import DefaultLimitOffsetPage
from app.services.openclaw.admin_service import GatewayAdminLifecycleService
from app.services.openclaw.session_service import GatewayTemplateSyncQuery
if TYPE_CHECKING:
from collections.abc import Sequence
from fastapi_pagination.limit_offset import LimitOffsetPage
from sqlmodel.ext.asyncio.session import AsyncSession
from app.services.organizations import OrganizationContext
router = APIRouter(prefix="/gateways", tags=["gateways"])
SESSION_DEP = Depends(get_session)
@@ -100,8 +100,8 @@ async def list_gateways(
.statement
)
def _transform(items: Sequence[object]) -> Sequence[object]:
return [_to_gateway_read(item) for item in items if isinstance(item, Gateway)]
def _transform(items: Sequence[Gateway]) -> list[GatewayRead]:
return [_to_gateway_read(item) for item in items]
return await paginate(session, statement, transformer=_transform)