fix: critical security issues - webhook bypass, SSRF, XSS

src/routes/billing.ts

@@ -2,6 +2,10 @@ import { Router, Request, Response } from "express";
 import Stripe from "stripe";
 import { createProKey, revokeByCustomer } from "../services/keys.js";
 
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+
 let _stripe: Stripe | null = null;
 function getStripe(): Stripe {
   if (!_stripe) {
@@ -69,7 +73,7 @@ a { color: #4f9; }
 <div class="card">
 <h1>🎉 Welcome to Pro!</h1>
 <p>Your API key:</p>
-<div class="key" onclick="navigator.clipboard.writeText('${keyInfo.key}')" title="Click to copy">${keyInfo.key}</div>
+<div class="key" onclick="navigator.clipboard.writeText('${escapeHtml(keyInfo.key)}')" title="Click to copy">${escapeHtml(keyInfo.key)}</div>
 <p><strong>Save this key!</strong> It won't be shown again.</p>
 <p>10,000 PDFs/month • All endpoints • Priority support</p>
 <p><a href="/docs">View API docs →</a></p>
@@ -87,16 +91,17 @@ router.post("/webhook", async (req: Request, res: Response) => {
 
   let event: Stripe.Event;
 
-  if (webhookSecret && sig) {
-    try {
-      event = getStripe().webhooks.constructEvent(req.body, sig, webhookSecret);
-    } catch (err: any) {
-      console.error("Webhook signature verification failed:", err.message);
-      res.status(400).json({ error: "Invalid signature" });
-      return;
-    }
-  } else {
-    event = req.body as Stripe.Event;
+  if (!webhookSecret || !sig) {
+    res.status(400).json({ error: "Missing webhook secret or signature" });
+    return;
+  }
+
+  try {
+    event = getStripe().webhooks.constructEvent(req.body, sig, webhookSecret);
+  } catch (err: any) {
+    console.error("Webhook signature verification failed:", err.message);
+    res.status(400).json({ error: "Invalid signature" });
+    return;
   }
 
   switch (event.type) {