fix: critical and high-severity security fixes
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m52s
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m52s
- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception - CRITICAL: XSS in billing success - use data-attribute instead of JS string - HIGH: Webhook signature bypass - refuse unverified webhooks (500) - HIGH: Filename header injection - sanitize Content-Disposition filename - HIGH: Verification code timing attack - use crypto.timingSafeEqual() - HIGH: Remove duplicate unreachable 404 handler - HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check - HIGH: Replace console.warn with structured logger
This commit is contained in:
OpenClaw
parent
a01fbb0357
commit
8a86e34f91
6 changed files with 62 additions and 39 deletions
|
|
@ -74,7 +74,7 @@ a { color: #4f9; }
|
|||
<div class="card">
|
||||
<h1>🎉 Welcome to Pro!</h1>
|
||||
<p>Your API key:</p>
|
||||
<div class="key" style="position:relative">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText('${escapeHtml(keyInfo.key)}');this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
|
||||
<div class="key" style="position:relative" data-key="${escapeHtml(keyInfo.key)}">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText(this.parentElement.dataset.key);this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
|
||||
<p><strong>Save this key!</strong> It won't be shown again.</p>
|
||||
<p>5,000 PDFs/month • All endpoints • Priority support</p>
|
||||
<p><a href="/docs">View API docs →</a></p>
|
||||
|
|
@ -93,15 +93,9 @@ router.post("/webhook", async (req: Request, res: Response) => {
|
|||
let event: Stripe.Event;
|
||||
|
||||
if (!webhookSecret) {
|
||||
console.warn("⚠️ STRIPE_WEBHOOK_SECRET is not configured — webhook signature verification skipped. Set this in production!");
|
||||
// Parse the body as a raw event without verification
|
||||
try {
|
||||
event = JSON.parse(typeof req.body === "string" ? req.body : req.body.toString()) as Stripe.Event;
|
||||
} catch (err: any) {
|
||||
logger.error({ err }, "Failed to parse webhook body");
|
||||
res.status(400).json({ error: "Invalid payload" });
|
||||
return;
|
||||
}
|
||||
logger.error("STRIPE_WEBHOOK_SECRET is not configured — refusing to process unverified webhooks");
|
||||
res.status(500).json({ error: "Webhook signature verification is not configured" });
|
||||
return;
|
||||
} else if (!sig) {
|
||||
res.status(400).json({ error: "Missing stripe-signature header" });
|
||||
return;
|
||||
|
|
@ -143,7 +137,7 @@ router.post("/webhook", async (req: Request, res: Response) => {
|
|||
}
|
||||
|
||||
if (!customerId || !email) {
|
||||
console.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
|
||||
logger.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
|
||||
break;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue