Merge pull request #71 from snoopysecurity/fix-crashes

snoopysecurity · web-flow · commit b40cfef69b99 · 2026-01-20T16:10:54.000Z
fix: prevent crashes from app scanners
diff --git a/controllers/notebook.js b/controllers/notebook.js
@@ -84,25 +84,27 @@ module.exports = {
     });
   },
   get_release: (req, res) => {
+    try {
+      var uservalue = decodeURI(req.params.release.toString())
+      var xpath_result = xpath.evaluate(
+        "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']",            // xpathExpression
+        doc,                        // contextNode
+        null,                       // namespaceResolver
+        xpath.XPathResult.ANY_TYPE, // resultType
+        null                        // result
+      )
+      
+      var result = [];
+      node = xpath_result.iterateNext();
+      while (node) {
+          result.push(node.toString());
+          node = xpath_result.iterateNext();
+      }
 
-    var uservalue = decodeURI(req.params.release.toString())
-    var xpath_result = xpath.evaluate(
-      "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']",            // xpathExpression
-      doc,                        // contextNode
-      null,                       // namespaceResolver
-      xpath.XPathResult.ANY_TYPE, // resultType
-      null                        // result
-    )
-    
-    var result = [];
-    node = xpath_result.iterateNext();
-    while (node) {
-        result.push(node.toString());
-        node = xpath_result.iterateNext();
+      res.send(result.toString());
+    } catch (e) {
+      res.status(500).send("Error processing request");
     }
-
-    res.send(result.toString());
-    
   },
   create_a_note: async (req, res) => {
     res = set_cors(req, res)
diff --git a/controllers/passphrase.js b/controllers/passphrase.js
@@ -90,8 +90,13 @@ const options = {
           return res.status(500).send(err.message);
       }
 
-      const payload = Buffer.from(req.body.data, 'base64');
-      const data = serialize.unserialize(payload.toString());
+      let data;
+      try {
+        const payload = Buffer.from(req.body.data, 'base64');
+        data = serialize.unserialize(payload.toString());
+      } catch (e) {
+        return res.status(400).send("Invalid data");
+      }
   
       if (data) {
         const myDoc = new PDFDocument({ bufferPages: true });
diff --git a/rpc_server.js b/rpc_server.js
@@ -3,6 +3,11 @@ var needle = require('needle');
 
 // Creates an XML-RPC server to listen to XML-RPC method calls
 var server = xmlrpc.createServer({ port: process.env.XML_RPC_PORT, path: '/xmlrpc' })
+
+server.on('error', function (err) {
+  console.error('XML-RPC Server Error:', err);
+})
+
 // Handle methods not found
 server.on('NotFound', function (method, params) {
   console.log('Method ' + method + ' does not exist');
@@ -45,4 +50,3 @@ server.on('dvws.CheckUptime', function (err, params, callback) {
 })
 
 console.log(`🚀 XML-RPC server listening on port ${process.env.XML_RPC_PORT}`)
-
