openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: critical and high-severity security fixes
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m52s
Details

Browse source 
- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception
- CRITICAL: XSS in billing success - use data-attribute instead of JS string
- HIGH: Webhook signature bypass - refuse unverified webhooks (500)
- HIGH: Filename header injection - sanitize Content-Disposition filename
- HIGH: Verification code timing attack - use crypto.timingSafeEqual()
- HIGH: Remove duplicate unreachable 404 handler
- HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check
- HIGH: Replace console.warn with structured logger
This commit is contained in:
OpenClaw 2026-02-16 18:56:14 +00:00
parent a01fbb0357
commit 8a86e34f91
6 changed files with 62 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/routes/convert.ts
View file

@ -13,6 +13,10 @@ function isPrivateIP(ip: string): boolean {
if (ip.toLowerCase().startsWith("fe8") || ip.toLowerCase().startsWith("fe9") ||
ip.toLowerCase().startsWith("fea") || ip.toLowerCase().startsWith("feb")) return true;
// IPv6 unique local (fc00::/7)
const lower = ip.toLowerCase();
if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
// IPv4-mapped IPv6
if (ip.startsWith("::ffff:")) ip = ip.slice(7);
if (!net.isIPv4(ip)) return false;
@ -27,6 +31,11 @@ function isPrivateIP(ip: string): boolean {
return false;
}
function sanitizeFilename(name: string): string {
// Strip characters dangerous in Content-Disposition headers
return name.replace(/[\x00-\x1f"\\\r\n]/g, "").trim() || "document.pdf";
}
export const convertRouter = Router();
interface ConvertBody {
@ -76,7 +85,7 @@ convertRouter.post("/html", async (req: Request & { acquirePdfSlot?: () => Promi
printBackground: body.printBackground,
});
const filename = body.filename || "document.pdf";
const filename = sanitizeFilename(body.filename || "document.pdf");
res.setHeader("Content-Type", "application/pdf");
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
res.send(pdf);
@ -120,7 +129,7 @@ convertRouter.post("/markdown", async (req: Request & { acquirePdfSlot?: () => P
printBackground: body.printBackground,
});
const filename = body.filename || "document.pdf";
const filename = sanitizeFilename(body.filename || "document.pdf");
res.setHeader("Content-Type", "application/pdf");
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
res.send(pdf);
@ -162,13 +171,15 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
return;
}
// DNS lookup to block private/reserved IPs
// DNS lookup to block private/reserved IPs + pin resolution to prevent DNS rebinding
let resolvedAddress: string;
try {
const { address } = await dns.lookup(parsed.hostname);
if (isPrivateIP(address)) {
res.status(400).json({ error: "URL resolves to a private/internal IP address" });
return;
}
resolvedAddress = address;
} catch {
res.status(400).json({ error: "DNS lookup failed for URL hostname" });
return;
@ -186,9 +197,10 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
margin: body.margin,
printBackground: body.printBackground,
waitUntil: body.waitUntil,
hostResolverRules: `MAP ${parsed.hostname} ${resolvedAddress}`,
});
const filename = body.filename || "page.pdf";
const filename = sanitizeFilename(body.filename || "page.pdf");
res.setHeader("Content-Type", "application/pdf");
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
res.send(pdf);