
Commit 51121f9

committed
fix: security and reliability fixes for home page and invoice handlers
1 parent e138730 commit 51121f9

7 files changed

Lines changed: 43 additions & 27 deletions


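--- a/resources/get-invoice.html
+++ b/resources/get-invoice.html
@@ -46,7 +46,7 @@ <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
 <div class="form-check">
 <input class="form-check-input" type="checkbox" id="tosAccepted" name="tosAccepted" value="yes" required>
 <label class="form-check-label" for="tosAccepted">
-I have read and agree to the <a href="/terms" class="card-link" target="_blank">Terms of Service</a>
+I have read and agree to the <a href="/terms" class="card-link" target="_blank" rel="noopener noreferrer">Terms of Service</a>
 </label>
 </div>
 </div>
@@ -60,7 +60,7 @@ <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
 </div>
 <div class="row d-none" id="powered-by-zebedee">
 <div class="d-flex justify-content-center mb-3 mt-4">
-<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank">
+<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank" rel="noopener noreferrer">
 <img class="poweredbyzbd-img" src="https://cdn.zebedee.io/an/nostr/poweredbyzbd.png" />
 </a>
 </div>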

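--- a/resources/index.html
+++ b/resources/index.html
@@ -28,7 +28,7 @@ <h1 class="mt-4 mb-2 text-center text-nowrap">{{name}}</h1>
 <div class="card-body">
 <h5 class="card-title">Nostr Relay</h5>
 <p class="card-text">
-This is a <a href="https://github.com/nostr-protocol/nostr" target="_blank">Nostr</a> relay.
+This is a <a href="https://github.com/nostr-protocol/nostr" target="_blank" rel="noopener noreferrer">Nostr</a> relay.
 To use it, connect with a Nostr client using the address below.
 </p>
 <p class="card-text">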

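--- a/resources/invoices.html
+++ b/resources/invoices.html
@@ -74,7 +74,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 <div class="row pending d-none">
 <div class="col">
 <div class="d-flex justify-content-center mb-3">
-<button id="sendPaymentBtn" class="btn btn-lg btn-warning d-none" type="submit">Pay with wallet</button>
+<button id="sendPaymentBtn" class="btn btn-lg btn-warning d-none" type="button">Pay with wallet</button>
 </div>
 </div>
 </div>
@@ -88,7 +88,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 </div>
 <div class="row d-none" id="powered-by-zebedee">
 <div class="d-flex justify-content-center mb-3 mt-4">
-<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank">
+<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank" rel="noopener noreferrer">
 <img class="poweredbyzbd-img" src="https://cdn.zebedee.io/an/nostr/poweredbyzbd.png" />
 </a>
 </div>
@@ -152,7 +152,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 })
 }
 
-fallbackTimeout = setTimeout(getInvoiceStatus, getBackoffTime)
+fallbackTimeout = setTimeout(getInvoiceStatus, getBackoffTime())
 
 function connect() {
 var socket = new WebSocket(relayUrl)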
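Review bot: The corrected `fallbackTimeout = setTimeout(getInvoiceStatus, getBackoffTime())` on line 155 is armed unconditionally right before `connect()` opens the WebSocket on line 158, so the HTTP polling fallback and the socket subscription run side by side; whichever path observes the payment first should `clearTimeout(fallbackTimeout)` and stop the other, which this hunk cannot confirm. The old code passed the `getBackoffTime` function itself as the delay, which the timer API coerces to 0 ms, so the change to call it is right. The script block containing these lines starts and ends outside the hunk.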

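--- a/resources/post-invoice.html
+++ b/resources/post-invoice.html
@@ -74,7 +74,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 <div class="row pending d-none">
 <div class="col">
 <div class="d-flex justify-content-center mb-3">
-<button id="sendPaymentBtn" class="btn btn-lg btn-warning d-none" type="submit">Pay with wallet</button>
+<button id="sendPaymentBtn" class="btn btn-lg btn-warning d-none" type="button">Pay with wallet</button>
 </div>
 </div>
 </div>
@@ -88,7 +88,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 </div>
 <div class="row d-none" id="powered-by-zebedee">
 <div class="d-flex justify-content-center mb-3 mt-4">
-<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank">
+<a href="https://zeb.gg/nostr-zbd-quickstart" target="_blank" rel="noopener noreferrer">
 <img class="poweredbyzbd-img" src="https://cdn.zebedee.io/an/nostr/poweredbyzbd.png" />
 </a>
 </div>
@@ -152,7 +152,7 @@ <h2 class="text-danger">Invoice expired!</h2>
 })
 }
 
-fallbackTimeout = setTimeout(getInvoiceStatus, getBackoffTime)
+fallbackTimeout = setTimeout(getInvoiceStatus, getBackoffTime())
 
 function connect() {
 var socket = new WebSocket(relayUrl)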
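Review bot: This section is line-for-line the same three hunks as `resources/invoices.html` (the `type="button"` fix at line 77, the `rel` attribute at line 91, the `getBackoffTime()` call at line 155), so the inline payment-status script appears to be duplicated between the two templates and each of these bugs had to be fixed twice. Moving the shared script into a single static file that both pages load would keep them from drifting apart on the next fix. The enclosing script block starts and ends outside the hunk.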

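--- a/src/handlers/request-handlers/get-privacy-request-handler.ts
+++ b/src/handlers/request-handlers/get-privacy-request-handler.ts
@@ -6,10 +6,15 @@ import { createSettings as settings } from '../../factories/settings-factory'
 export const getPrivacyRequestHandler = (_req: Request, res: Response, next: NextFunction) => {
 const { info: { name } } = settings()
 
-const page = readFileSync('./resources/privacy.html', 'utf8')
-.replaceAll('{{name}}', name)
-.replaceAll('{{nonce}}', res.locals.nonce)
+let page: string
+try {
+page = readFileSync('./resources/privacy.html', 'utf8')
+.replaceAll('{{name}}', name)
+.replaceAll('{{nonce}}', res.locals.nonce)
+} catch (err) {
+next(err)
+return
+}
 
 res.status(200).setHeader('content-type', 'text/html; charset=utf8').send(page)
-next()
 }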
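Review bot: `.replaceAll('{{name}}', name)` on line 12 passes `name` as a string replacement, so `$`-sequences in the relay name (`$&`, `$$`, `$'`) are expanded by the replacement algorithm, and nothing HTML-escapes the value before it lands in the page; `name` comes from operator settings, so this is not attacker-reachable on its face, but a function replacer with escaping, `.replaceAll('{{name}}', () => escapeHtml(name))`, sidesteps both. The same applies to `res.locals.nonce` on line 13, which additionally renders the literal text `undefined` into the nonce attribute if the nonce middleware did not run on this route; a guard that calls `next(new Error('missing CSP nonce'))` would surface that misconfiguration instead of emitting a broken CSP. Dropping the trailing `next()` after `send()` is the right call.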

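--- a/src/handlers/request-handlers/get-terms-request-handler.ts
+++ b/src/handlers/request-handlers/get-terms-request-handler.ts
@@ -8,10 +8,15 @@ import { createSettings as settings } from '../../factories/settings-factory'
 export const getTermsRequestHandler = (_req: Request, res: Response, next: NextFunction) => {
 const { info: { name } } = settings()
 
-const page = readFileSync('./resources/terms.html', 'utf8')
-.replaceAll('{{name}}', name)
-.replaceAll('{{nonce}}', res.locals.nonce)
+let page: string
+try {
+page = readFileSync('./resources/terms.html', 'utf8')
+.replaceAll('{{name}}', name)
+.replaceAll('{{nonce}}', res.locals.nonce)
+} catch (err) {
+next(err)
+return
+}
 
 res.status(200).setHeader('content-type', 'text/html; charset=utf8').send(page)
-next()
 }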
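Review bot: `readFileSync('./resources/terms.html', 'utf8')` on line 13 resolves the path against `process.cwd()`, not the module's directory, so with the new `catch` every request becomes a `next(err)` 500 whenever the process is launched from a different working directory; anchoring the path with `path.join(__dirname, ...)` or reading the template once at module load would turn that into a startup failure instead of a per-request one, and would also stop doing a blocking disk read on every hit. This handler is now the third copy of the same read/replaceAll/try-catch shape alongside the privacy and root handlers; a small shared `renderTemplate(file, replacements)` helper would keep the error handling and escaping in one place.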

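--- a/src/handlers/request-handlers/root-request-handler.ts
+++ b/src/handlers/request-handlers/root-request-handler.ts
@@ -74,21 +74,27 @@ export const rootRequestHandler = (request: Request, response: Response, next: N
 return
 }
 
-const admissionFeeEnabled = pathEq(['payments', 'feeSchedules', 'admission', '0', 'enabled'], true, settings)
+const admissionFeeEnabled = pathEq(['payments', 'enabled'], true, settings)
+&& pathEq(['payments', 'feeSchedules', 'admission', '0', 'enabled'], true, settings)
 const admissionFee = path<FeeSchedule>(['payments', 'feeSchedules', 'admission', '0'], settings)
 const amount = admissionFeeEnabled && admissionFee
 ? (BigInt(admissionFee.amount) / 1000n).toString()
 : '0'
 
-const page = readFileSync('./resources/index.html', 'utf8')
-.replaceAll('{{name}}', settings.info.name)
-.replaceAll('{{description}}', settings.info.description ?? '')
-.replaceAll('{{relay_url}}', settings.info.relay_url)
-.replaceAll('{{amount}}', amount)
-.replaceAll('{{payments_section_class}}', admissionFeeEnabled ? '' : 'd-none')
-.replaceAll('{{no_payments_section_class}}', admissionFeeEnabled ? 'd-none' : '')
-.replaceAll('{{nonce}}', response.locals.nonce)
+let page: string
+try {
+page = readFileSync('./resources/index.html', 'utf8')
+.replaceAll('{{name}}', settings.info.name)
+.replaceAll('{{description}}', settings.info.description ?? '')
+.replaceAll('{{relay_url}}', settings.info.relay_url)
+.replaceAll('{{amount}}', amount)
+.replaceAll('{{payments_section_class}}', admissionFeeEnabled ? '' : 'd-none')
+.replaceAll('{{no_payments_section_class}}', admissionFeeEnabled ? 'd-none' : '')
+.replaceAll('{{nonce}}', response.locals.nonce)
+} catch (err) {
+next(err)
+return
+}
 
 response.status(200).setHeader('content-type', 'text/html; charset=utf8').send(page)
-next()
 }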
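Review bot: The new `try` on line 85 begins after `BigInt(admissionFee.amount)` on line 81, so a malformed fee amount in settings (anything `BigInt()` rejects, such as `'1.5'` or `''`) throws synchronously out of the handler rather than flowing through `next(err)` like the template errors now do; Express will still catch the throw, but if the point of the commit is to make this handler's error path explicit, lines 77–82 belong inside the `try` as well. Separately, `/ 1000n` truncates toward zero, so an admission fee that is not a whole number of thousands of millisats is displayed rounded down — probably intended, but worth a comment such as `// msat -> sat, truncated toward zero`. The description and relay URL on lines 88–89 are interpolated with string replacers and no HTML escaping, the same caveat as the other handlers. `rootRequestHandler` begins before this hunk.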
