From 0bba4defd88fa37db8e3c1fbcc73ab4357f31acf Mon Sep 17 00:00:00 2001
From: snoopysecurity
Date: Tue, 20 Jan 2026 16:06:42 +0000
Subject: [PATCH] fix: prevent crashes from app scanners
---
 controllers/notebook.js | 36 +++++++++++++++++++-----------------
 controllers/passphrase.js | 9 +++++++--
 rpc_server.js | 6 +++++-
 3 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/controllers/notebook.js b/controllers/notebook.js
index 092385f..862b992 100644
--- a/controllers/notebook.js
+++ b/controllers/notebook.js
@@ -84,25 +84,27 @@ module.exports = {
 });
 },
 get_release: (req, res) => {
+ try {
+ var uservalue = decodeURI(req.params.release.toString())
+ var xpath_result = xpath.evaluate(
+ "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']", // xpathExpression
+ doc, // contextNode
+ null, // namespaceResolver
+ xpath.XPathResult.ANY_TYPE, // resultType
+ null // result
+ )
+
+ var result = [];
+ node = xpath_result.iterateNext();
+ while (node) {
+ result.push(node.toString());
+ node = xpath_result.iterateNext();
+ }
- var uservalue = decodeURI(req.params.release.toString())
- var xpath_result = xpath.evaluate(
- "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']", // xpathExpression
- doc, // contextNode
- null, // namespaceResolver
- xpath.XPathResult.ANY_TYPE, // resultType
- null // result
- )
-
- var result = [];
- node = xpath_result.iterateNext();
- while (node) {
- result.push(node.toString());
- node = xpath_result.iterateNext();
+ res.send(result.toString());
+ } catch (e) {
+ res.status(500).send("Error processing request");
 }
-
- res.send(result.toString());
-
 },
 create_a_note: async (req, res) => {
 res = set_cors(req, res)
diff --git a/controllers/passphrase.js b/controllers/passphrase.js
index 9eea507..d9d3f69 100644
--- a/controllers/passphrase.js
+++ b/controllers/passphrase.js
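Review bot: In `get_release` (controllers/notebook.js), `uservalue` is still concatenated straight into the XPath string, so the new try/catch only turns the evaluation errors that malformed input causes into a 500 and leaves the query itself open to XPath injection. If that is intentional for this application, a comment above the expression should say so; otherwise validate `uservalue` against an allowlist pattern before building the expression, or bind it as an XPath variable if the library supports that. The catch block also discards `e`, which removes the server-side signal that this route is being probed; I would add `console.error('get_release failed:', e);` and answer a `URIError` from `decodeURI` with 400 rather than 500. Separately, `node` is assigned without a declaration and becomes an implicit global; `var node = xpath_result.iterateNext();` keeps it local to the handler.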
@@ -90,8 +90,13 @@ const options = {
 return res.status(500).send(err.message);
 }
- const payload = Buffer.from(req.body.data, 'base64');
- const data = serialize.unserialize(payload.toString());
+ let data;
+ try {
+ const payload = Buffer.from(req.body.data, 'base64');
+ data = serialize.unserialize(payload.toString());
+ } catch (e) {
+ return res.status(400).send("Invalid data");
+ }
 if (data) {
 const myDoc = new PDFDocument({ bufferPages: true });
diff --git a/rpc_server.js b/rpc_server.js
index 0bf0643..f55b6aa 100644
--- a/rpc_server.js
+++ b/rpc_server.js
@@ -3,6 +3,11 @@ var needle = require('needle');
 // Creates an XML-RPC server to listen to XML-RPC method calls
 var server = xmlrpc.createServer({ port: process.env.XML_RPC_PORT, path: '/xmlrpc' })
+
+server.on('error', function (err) {
+ console.error('XML-RPC Server Error:', err);
+})
+
 // Handle methods not found
 server.on('NotFound', function (method, params) {
 console.log('Method ' + method + ' does not exist');
@@ -45,4 +50,3 @@ server.on('dvws.CheckUptime', function (err, params, callback) {
 })
 console.log(`🚀 XML-RPC server listening on port ${process.env.XML_RPC_PORT}`)
-
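Review bot: The try/catch added in controllers/passphrase.js only covers payloads that fail to decode; a well-formed payload from `req.body.data` is still handed to `serialize.unserialize`, so the deserialization of untrusted input is unchanged by this commit. The `require` behind `serialize` is outside the hunk, but if it is a serializer that can revive functions, the safer form is plain JSON with a shape check, e.g. `data = JSON.parse(payload.toString('utf8'));` followed by `if (typeof data !== 'object' || data === null) return res.status(400).send("Invalid data");`. If the unsafe call is kept on purpose, a comment on that line should state it. The catch also drops `e`; logging it server-side, without echoing the payload back to the client, keeps rejected payloads visible to whoever monitors this service. The enclosing handler starts and ends outside the hunk.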
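Review bot: Nothing in rpc_server.js shows that the object returned by `xmlrpc.createServer` ever emits `error`, so the new `server.on('error', ...)` listener may never fire for the failures this commit is meant to absorb. In the xmlrpc package the HTTP listener is, as far as I know, exposed as `server.httpServer`, and bind or socket errors are raised there; worth confirming and, if so, attaching `server.httpServer.on('error', ...)` and a `clientError` handler instead. Also check how the library dispatches method calls: if it routes them by event name, a listener registered under `error` would be reachable as a remotely callable method and would leave that request unanswered, because this handler never invokes a callback.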