fix: critical and high-severity security fixes

- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception
- CRITICAL: XSS in billing success - use data-attribute instead of JS string
- HIGH: Webhook signature bypass - refuse unverified webhooks (500)
- HIGH: Filename header injection - sanitize Content-Disposition filename
- HIGH: Verification code timing attack - use crypto.timingSafeEqual()
- HIGH: Remove duplicate unreachable 404 handler
- HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check
- HIGH: Replace console.warn with structured logger

src/routes/billing.ts

@@ -74,7 +74,7 @@ a { color: #4f9; }
 <div class="card">
 <h1>🎉 Welcome to Pro!</h1>
 <p>Your API key:</p>
-<div class="key" style="position:relative">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText('${escapeHtml(keyInfo.key)}');this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
+<div class="key" style="position:relative" data-key="${escapeHtml(keyInfo.key)}">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText(this.parentElement.dataset.key);this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
 <p><strong>Save this key!</strong> It won't be shown again.</p>
 <p>5,000 PDFs/month • All endpoints • Priority support</p>
 <p><a href="/docs">View API docs →</a></p>
@@ -93,15 +93,9 @@ router.post("/webhook", async (req: Request, res: Response) => {
   let event: Stripe.Event;
 
   if (!webhookSecret) {
-    console.warn("⚠️  STRIPE_WEBHOOK_SECRET is not configured — webhook signature verification skipped. Set this in production!");
-    // Parse the body as a raw event without verification
-    try {
-      event = JSON.parse(typeof req.body === "string" ? req.body : req.body.toString()) as Stripe.Event;
-    } catch (err: any) {
-      logger.error({ err }, "Failed to parse webhook body");
-      res.status(400).json({ error: "Invalid payload" });
-      return;
-    }
+    logger.error("STRIPE_WEBHOOK_SECRET is not configured — refusing to process unverified webhooks");
+    res.status(500).json({ error: "Webhook signature verification is not configured" });
+    return;
   } else if (!sig) {
     res.status(400).json({ error: "Missing stripe-signature header" });
     return;
@@ -143,7 +137,7 @@ router.post("/webhook", async (req: Request, res: Response) => {
       }
 
       if (!customerId || !email) {
-        console.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
+        logger.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
         break;
       }
 

src/routes/convert.ts

@@ -13,6 +13,10 @@ function isPrivateIP(ip: string): boolean {
   if (ip.toLowerCase().startsWith("fe8") || ip.toLowerCase().startsWith("fe9") ||
       ip.toLowerCase().startsWith("fea") || ip.toLowerCase().startsWith("feb")) return true;
   
+  // IPv6 unique local (fc00::/7)
+  const lower = ip.toLowerCase();
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  
   // IPv4-mapped IPv6
   if (ip.startsWith("::ffff:")) ip = ip.slice(7);
   if (!net.isIPv4(ip)) return false;
@@ -27,6 +31,11 @@ function isPrivateIP(ip: string): boolean {
   return false;
 }
 
+function sanitizeFilename(name: string): string {
+  // Strip characters dangerous in Content-Disposition headers
+  return name.replace(/[\x00-\x1f"\\\r\n]/g, "").trim() || "document.pdf";
+}
+
 export const convertRouter = Router();
 
 interface ConvertBody {
@@ -76,7 +85,7 @@ convertRouter.post("/html", async (req: Request & { acquirePdfSlot?: () => Promi
       printBackground: body.printBackground,
     });
 
-    const filename = body.filename || "document.pdf";
+    const filename = sanitizeFilename(body.filename || "document.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);
@@ -120,7 +129,7 @@ convertRouter.post("/markdown", async (req: Request & { acquirePdfSlot?: () => P
       printBackground: body.printBackground,
     });
 
-    const filename = body.filename || "document.pdf";
+    const filename = sanitizeFilename(body.filename || "document.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);
@@ -162,13 +171,15 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
       return;
     }
 
-    // DNS lookup to block private/reserved IPs
+    // DNS lookup to block private/reserved IPs + pin resolution to prevent DNS rebinding
+    let resolvedAddress: string;
     try {
       const { address } = await dns.lookup(parsed.hostname);
       if (isPrivateIP(address)) {
         res.status(400).json({ error: "URL resolves to a private/internal IP address" });
         return;
       }
+      resolvedAddress = address;
     } catch {
       res.status(400).json({ error: "DNS lookup failed for URL hostname" });
       return;
@@ -186,9 +197,10 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
       margin: body.margin,
       printBackground: body.printBackground,
       waitUntil: body.waitUntil,
+      hostResolverRules: `MAP ${parsed.hostname} ${resolvedAddress}`,
     });
 
-    const filename = body.filename || "page.pdf";
+    const filename = sanitizeFilename(body.filename || "page.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);