fix(domain-fronting): guard fallback JSON extraction

CaptainMirage · web-flow · commit 2e2ea4f3f06b · 2026-05-16T16:22:57.000+03:00
Reject malformed fallback relay responses where JSON brace positions are inverted instead of slicing with invalid bounds.
diff --git a/src/domain_fronter.rs b/src/domain_fronter.rs
@@ -3036,6 +3036,12 @@ impl DomainFronter {
             let end = text.rfind('}').ok_or_else(|| {
                 FronterError::BadResponse("no json end in tunnel response".into())
             })?;
+            if start > end {
+                return Err(FronterError::BadResponse(format!(
+                    "no valid json object in: {}",
+                    &text.chars().take(200).collect::<String>()
+                )));
+            }
             &text[start..=end]
         };
         Ok(serde_json::from_str(json_str)?)
@@ -3204,6 +3210,12 @@ impl DomainFronter {
             let end = text.rfind('}').ok_or_else(|| {
                 FronterError::BadResponse("no json end in batch response".into())
             })?;
+            if start > end {
+                return Err(FronterError::BadResponse(format!(
+                    "no valid json object in: {}",
+                    &text.chars().take(200).collect::<String>()
+                )));
+            }
             &text[start..=end]
         };
         // Don't log payload content. Batch responses carry base64-encoded
@@ -4580,6 +4592,12 @@ fn parse_relay_json(body: &[u8]) -> Result<Vec<u8>, FronterError> {
                         &text.chars().take(200).collect::<String>()
                     ))
                 })?;
+                if start > end {
+                    return Err(FronterError::BadResponse(format!(
+                        "no valid json object in: {}",
+                        &text.chars().take(200).collect::<String>()
+                    )));
+                }
                 serde_json::from_str(&text[start..=end])?
             }
         }
