routes/governance.js blindly does JSON.parse(entry.DataString) for every object returned by gObject_list(). That means one malformed or non-proposal object can take down the entire public governance feed for every caller.
Reproduction on current main:
- I stubbed gObject_list() to return a single entry with DataString: '{not-json'.
- POST /govlist returned 500 {"error":"internal"}.
- The server log showed the parse failure: Expected property name or '}' in JSON at position 1.
Why this matters:
- sysnode-info consumes this endpoint via src/lib/api.js::fetchGovernanceFeed(), so one bad chain object can blank the governance page instead of degrading gracefully.
- The failure is all-or-nothing even though the route could safely skip or quarantine the offending entry.
Suggested fix:
- Parse each object defensively instead of letting one JSON.parse abort the whole list.
- At minimum, skip invalid entries and log the offending governance hash.
- Even better, gate parsing on the expected proposal object type and preserve the rest of the feed.
Nightglass Audit
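
A sketch of the suggested fix, added here as an example and not taken from routes/governance.js: each entry is parsed in isolation, non-proposal objects are gated out before parsing, and every skipped hash is logged. The Hash and ObjectType field names, the PROPOSAL_TYPE value and the function name parseGovernanceEntries are assumptions; only DataString appears in the report.

```javascript
// Assumed, not from the project: entry.Hash, entry.ObjectType, PROPOSAL_TYPE.
const PROPOSAL_TYPE = 1;
const HASH_RE = /^[0-9a-f]{64}$/i;

function parseGovernanceEntries(entries, log = console.warn) {
  const proposals = [];
  const skipped = [];
  const skip = (hash, reason) => {
    skipped.push({ hash, reason });
    // Log only the validated hash and a fixed reason code, never raw chain
    // data or the parser's message, so log lines cannot be forged.
    log(`governance: skipped ${hash} (${reason})`);
  };

  for (const entry of entries) {
    const hash = HASH_RE.test(entry?.Hash) ? entry.Hash : '<unknown>';
    // Gate on the expected object type before touching DataString.
    if (entry?.ObjectType !== PROPOSAL_TYPE) {
      skip(hash, 'not-proposal');
      continue;
    }
    let data;
    try {
      data = JSON.parse(entry.DataString);
    } catch {
      skip(hash, 'invalid-json'); // one bad entry no longer aborts the list
      continue;
    }
    // JSON.parse also accepts scalars, arrays and null; require an object.
    if (data === null || typeof data !== 'object' || Array.isArray(data)) {
      skip(hash, 'not-object');
      continue;
    }
    proposals.push({ hash, data });
  }
  return { proposals, skipped };
}

// Constructed sample input, including the '{not-json' case from the report.
const sampleEntries = [
  { Hash: 'a'.repeat(64), ObjectType: 1, DataString: '{"name":"ok-proposal"}' },
  { Hash: 'b'.repeat(64), ObjectType: 1, DataString: '{not-json' },
  { Hash: 'c'.repeat(64), ObjectType: 2, DataString: '{"event":"trigger"}' },
  { Hash: 'd'.repeat(64), ObjectType: 1, DataString: '[1,2]' },
];
console.log(parseGovernanceEntries(sampleEntries));
```

The route can return proposals as before and expose skipped.length as a metric, so a malformed chain object shows up in monitoring instead of as a 500.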