From b07b9cfd25951d542e019cb0fb03d7c7e6dcaec4 Mon Sep 17 00:00:00 2001
From: OpenClawd
Date: Tue, 24 Feb 2026 14:00:55 +0000
Subject: [PATCH] fix: return 400 for invalid protocols and unresolvable hostnames (was 500)
---
 src/routes/playground.ts | 2 +-
 src/routes/screenshot.ts | 2 +-
 src/services/ssrf.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/routes/playground.ts b/src/routes/playground.ts
index ece1592..f39f858 100644
--- a/src/routes/playground.ts
+++ b/src/routes/playground.ts
@@ -136,7 +136,7 @@ playgroundRouter.post("/", playgroundLimiter, async (req, res) => {
 res.status(504).json({ error: "Screenshot timed out." });
 return;
 }
- if (err.message.includes("blocked") || err.message.includes("not allowed") || err.message.includes("Invalid URL")) {
+ if (err.message.includes("blocked") || err.message.includes("not allowed") || err.message.includes("Invalid URL") || err.message.includes("Could not resolve")) {
 res.status(400).json({ error: err.message });
 return;
 }
diff --git a/src/routes/screenshot.ts b/src/routes/screenshot.ts
index bcd4207..3d3aa06 100644
--- a/src/routes/screenshot.ts
+++ b/src/routes/screenshot.ts
@@ -352,7 +352,7 @@ async function handleScreenshotRequest(req: any, res: any) {
 res.status(504).json({ error: "Screenshot timed out. The page may be too slow to load." });
 return;
 }
- if (err.message.includes("blocked") || err.message.includes("not allowed") || err.message.includes("Invalid URL")) {
+ if (err.message.includes("blocked") || err.message.includes("not allowed") || err.message.includes("Invalid URL") || err.message.includes("Could not resolve")) {
 res.status(400).json({ error: err.message });
 return;
 }
diff --git a/src/services/ssrf.ts b/src/services/ssrf.ts
index aaa4d4f..0c1f86c 100644
--- a/src/services/ssrf.ts
+++ b/src/services/ssrf.ts
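Review bot: The 400 branch in src/routes/playground.ts (and the identical condition in src/routes/screenshot.ts) decides what counts as a client error by substring-matching `err.message`, then echoes that message back in the response body. With `"Could not resolve"` added, any error raised inside the try block whose text happens to contain one of the four phrases is returned verbatim to the caller, not only errors thrown by URL validation; whether other throw sites can produce such text is not visible here, since the handlers start and end outside the hunks. Having the validator throw a dedicated error class (for example a `UrlValidationError`, name illustrative) and testing `err instanceof UrlValidationError` would make the classification exact and keep unrelated internal messages out of 400 responses. The duplicated condition could then move into one shared helper so the two routes cannot drift apart.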
@@ -39,7 +39,7 @@ export async function validateUrl(urlStr: string): Promise<{ hostname: string; r
 }
 if (!["http:", "https:"].includes(parsed.protocol)) {
- throw new Error("Only HTTP and HTTPS URLs are allowed");
+ throw new Error("URL protocol not allowed: only HTTP and HTTPS are supported");
 }
 const hostname = parsed.hostname;
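Review bot: The reworded message in the protocol check is now load-bearing, but nothing at the throw site says so. It appears to have been chosen so that the `includes("not allowed")` test in the playground and screenshot routes maps this error to a 400; a later copy edit of the string would silently turn the response back into a 500. A comment directly above the throw would record the dependency, e.g. `// Message must contain "not allowed": the playground and screenshot routes match on it to return HTTP 400.` The body of validateUrl continues outside the hunk.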