openclaw/apps/ios/Sources/SessionKey.swift
ronitchidara 56926e73ec security: wire transformation phase audit fixes
Fix all 7 issues identified in the ChatGPT audit of transformation work:

1. Android build break: Remove duplicate normalizeMainKey/isCanonicalMainSessionKey
   from NodeGatewaySync.kt (they're already in SessionKey.kt). Align both Android
   and iOS implementations to use "main" as canonical (case-insensitive match).

2. Rate limiting: Wire rateLimiter through GatewayRequestContext and enforce:
   - Auth failure backoff (recordAuthFailure on auth failure, clearAuthFailure on success)
   - Request rate limiting before handleGatewayRequest
   - Channel message rate limiting in send handler
   - Add TOO_MANY_REQUESTS error code

3. Injection defenses: Call sanitizeIncomingMessage in chat.send and chat.inject
   handlers to detect prompt injection attempts.

4. RBAC enforcement: Add canAccessAgent check in chat.send handler and
   canExecuteCommand check in node-host runner for exec commands.

5. WhatsApp encrypted backup restore: Update maybeRestoreCredsFromBackup to
   handle encrypted backup files (.bak.enc -> .json.enc restoration).

6. Exec blocklist bypass: Add evaluateBlocklist check in argv-only code path
   in runner.ts (previously only checked for rawCommand path).

7. iOS voice transcript: Fix line 329 in NodeAppModel.swift to use computed
   'key' variable instead of original 'sessionKey' parameter.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 17:01:41 +05:30

14 lines
469 B
Swift

import Foundation
enum SessionKey {
static func normalizeMainKey(_ raw: String?) -> String {
let trimmed = (raw ?? "").trimmingCharacters(in: .whitespacesAndNewlines)
return trimmed.isEmpty ? "main" : trimmed
}
static func isCanonicalMainSessionKey(_ value: String?) -> Bool {
let trimmed = (value ?? "").trimmingCharacters(in: .whitespacesAndNewlines)
return trimmed.caseInsensitiveCompare("main") == .orderedSame
}
}