From 822387bcdde6205f1ebfec0198df0cf6f42bf3cc Mon Sep 17 00:00:00 2001
From: Aman Kumar
Date: Thu, 10 Apr 2025 16:18:45 +0530
Subject: [PATCH] feat: sanitize error & response body

---
 package-lock.json | 4 ++--
 package.json | 2 +-
 src/core.ts | 20 ++++++++++++++++++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a181fe0..f35732b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@contentstack/webhook-listener",
- "version": "1.0.6",
+ "version": "1.0.7",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "@contentstack/webhook-listener",
- "version": "1.0.6",
+ "version": "1.0.7",
 "license": "MIT",
 "dependencies": {
 "basic-auth": "^2.0.1",
diff --git a/package.json b/package.json
index a818107..247085c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@contentstack/webhook-listener",
- "version": "1.0.6",
+ "version": "1.0.7",
 "description": "HTTP web server that listens to Contentstack webhooks. This is part of Contentstack DataSync",
 "main": "./dist",
 "types": "./typings",
diff --git a/src/core.ts b/src/core.ts
index 1874609..100691a 100644
--- a/src/core.ts
+++ b/src/core.ts
@@ -28,6 +28,8 @@ const requestHandler = (request, response) => {
 log.info(`Request recived, '${request.method} : ${request.url}'`);
 debug('_config', _config);
+ // Explicitly remove or override the X-Powered-By header
+ response.setHeader('X-Powered-By', '');
 return Promise.resolve().then(() => {
 // Should be a POST call.
 if (request.method && request.method !== 'POST') {
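Review bot: `response.setHeader('X-Powered-By', '')` on the new line does not remove the header; it emits an empty `X-Powered-By:` header on every response, and if this handler runs on a bare Node http server (which never sets that header itself) the change adds a header that was not there before. If the intent is suppression, `response.removeHeader('X-Powered-By');` is the call that drops it from the outgoing headers, and the comment should then read `// Remove the X-Powered-By header so the stack is not advertised` rather than "remove or override". If the handler is instead mounted behind a framework that sets the header, disabling it at the framework level is the more reliable place. requestHandler's body continues outside the hunk.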
@@ -152,14 +154,28 @@ const requestHandler = (request, response) => {
 response.setHeader('Content-Type', 'application/json');
 response.statusCode = value.statusCode;
 response.statusMessage = value.statusMessage;
- response.end(JSON.stringify(value.body));
+ // Example: Return only safe fields
+ const safeBody = {
+ data: value.body?.data || value?.body || null
+ };
+
+ response.end(JSON.stringify(safeBody));
 return;
 }).catch((error) => {
 debug('Error', error);
+ const safeError = {
+ statusCode: error.statusCode || 500,
+ statusMessage: error.statusMessage || 'Internal Server Error',
+ body: typeof error.body === 'string'
+ ? error.body
+ : (typeof error.body === 'object' && error.body !== null
+ ? JSON.stringify(error.body)
+ : 'An unexpected error occurred.'),
+ };
 response.setHeader('Content-Type', 'application/json');
 response.statusCode = error.statusCode;
 response.statusMessage = error.statusMessage;
- response.end(JSON.stringify({ error: { message: error.body } }));
+ response.end(JSON.stringify({ error: { message: safeError.body } }));
 return;
 });
 };
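Review bot: `safeError.statusCode` and `safeError.statusMessage` are computed with 500 / 'Internal Server Error' fallbacks, but the two assignment lines that follow still read `error.statusCode` and `error.statusMessage` directly, so an error that carries no status code still reaches `response.end` with `statusCode = undefined` and the fallbacks are never used; change them to `response.statusCode = safeError.statusCode;` and `response.statusMessage = safeError.statusMessage;`. In the success branch, `value.body?.data || value?.body || null` falls back to the whole body whenever `data` is falsy (0, '', false), which defeats the "only safe fields" intent — `??` falls back only on null/undefined, and the comment `// Example: Return only safe fields` reads like a leftover from a sample and should say what is actually kept. Wrapping the success body in `{ data: ... }` also changes the response shape every existing consumer sees while the version moves only from 1.0.6 to 1.0.7, which is worth calling out in the description. requestHandler starts outside this hunk.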