Fix 404 XSS risk and abstract Content-Type

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: shenald-dev <245350826+shenald-dev@users.noreply.github.com>

Author: shenald-dev

.jules/bolt.md

@@ -157,3 +157,11 @@ Replaced `.json()` calls across `src/index.js` with direct `.send(Buffer)` for p
 2026-04-22 — Pre-stringified static JSON mock structures
 Learning: For highly dynamic JSON API responses containing large static structures, using full-object JSON.stringify() causes significant serialization overhead. Pre-stringifying the static parts and using template literal interpolation for the dynamic fields reduces serialization overhead and improves throughput.
 Action: Pre-stringify large static mock structures during module initialization and assemble the final JSON dynamically using string interpolation instead of `JSON.stringify`.
+
+## 2026-04-24 — Abstract Content-Type and Fix 404 XSS Risk
+
+Learning:
+Setting `res.setHeader('Content-Type', 'application/json; charset=utf-8')` individually in every route handler and error path creates redundant, duplicated code and leaves room for bugs if missed. Additionally, reflecting the requested `req.path` back in the JSON body of a 404 handler without sanitization creates a potential vector for Cross-Site Scripting (XSS) if the client misinterprets the Content-Type.
+
+Action:
+Extracted the `Content-Type` header assignment into a global middleware placed before all routes but after security middleware (helmet/cors) in `src/index.js`. Optimized the 404 handler to return a frozen, precomputed Buffer `ERROR_NOT_FOUND` rather than a dynamic string, and explicitly removed `req.path` from the body to mitigate XSS vulnerabilities and improve throughput.

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.1.22] - 2026-04-24
+### Changed
+* **[Performance & Security]:** Extracted duplicate Content-Type header assignments into a single global middleware, reducing repeated calls. Mitigated potential XSS risk in 404 handler by removing reflected `req.path` and optimized it by replacing dynamic serialization with a precomputed, static Buffer.
+
 ## [1.1.21] - 2026-04-22
 ### Changed
 * **[Performance]:** Pre-stringified static JSON mock structures to reduce serialization overhead during API responses. Zero dead code pruned.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "one-api",
-  "version": "1.1.21",
+  "version": "1.1.22",
   "description": "One API to rule them all. Unified gateway for 20+ LLM providers. OpenAI-compatible, single binary, zero config.",
   "main": "src/index.js",
   "scripts": {

package.json

@@ -35,9 +35,14 @@ if (process.env.ALLOWED_ORIGINS) {
 }
 app.use(cors(corsOptions));
 
+// Set global JSON Content-Type for all responses to reduce redundant setHeader calls
+app.use((req, res, next) => {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  next();
+});
+
 const HEALTH_RESPONSE = Buffer.from(JSON.stringify({ status: 'ok' }));
 app.get('/health', (req, res) => {
-  res.setHeader('Content-Type', 'application/json; charset=utf-8');
   res.status(200).send(HEALTH_RESPONSE);
 });
 
@@ -106,35 +111,31 @@ const ERROR_MALFORMED_MESSAGE = Buffer.from(JSON.stringify({ error: 'Malformed m
 app.post('/v1/chat/completions', (req, res) => {
   const { model, messages } = req.body || {};
   if (!isValidModel(model)) {
-    res.setHeader('Content-Type', 'application/json; charset=utf-8');
     return res.status(400).send(ERROR_MISSING_MODEL);
   }
   if (!isValidMessagesArray(messages)) {
-    res.setHeader('Content-Type', 'application/json; charset=utf-8');
     return res.status(400).send(ERROR_MISSING_MESSAGES);
   }
   if (messages.length > 1000) {
-    res.setHeader('Content-Type', 'application/json; charset=utf-8');
     return res.status(400).send(ERROR_TOO_MANY_MESSAGES);
   }
 
   for (const msg of messages) {
     if (!isValidMessage(msg)) {
-      res.setHeader('Content-Type', 'application/json; charset=utf-8');
       return res.status(400).send(ERROR_MALFORMED_MESSAGE);
     }
   }
 
   // Mock unified response
   const payload = `{"id":"chatcmpl-${crypto.randomUUID()}","object":"chat.completion","created":${Math.trunc(Date.now() / 1000)},"model":${JSON.stringify(model)},"choices":${MOCK_CHOICES_JSON},"usage":${MOCK_USAGE_JSON}}`;
-  res.setHeader('Content-Type', 'application/json; charset=utf-8');
   res.status(200).send(payload);
 });
 
+const ERROR_NOT_FOUND = Buffer.from(JSON.stringify({ error: 'Not found' }));
+
 // 404 handler — return JSON for unknown routes
 app.use((req, res) => {
-  res.setHeader('Content-Type', 'application/json; charset=utf-8');
-  res.status(404).send(JSON.stringify({ error: 'Not found', path: req.path }));
+  res.status(404).send(ERROR_NOT_FOUND);
 });
 
 const ERROR_INTERNAL_SERVER = Buffer.from(JSON.stringify({ error: 'Internal server error' }));

src/index.js

@@ -146,3 +146,10 @@ test('isValidMessagesArray validation helper', () => {
   assert.strictEqual(isValidMessagesArray(null), false);
   assert.strictEqual(isValidMessagesArray("not an array"), false);
 });
+
+test('404 handler returns proper JSON and does not leak path', async () => {
+  const res = await request(app).get('/some-unknown-path');
+  assert.strictEqual(res.status, 404);
+  assert.strictEqual(res.headers['content-type'], 'application/json; charset=utf-8');
+  assert.deepStrictEqual(res.body, { error: 'Not found' });
+});