
fix: Safe JSON parsing (CVE-HSYNC-2026-005) #33

Merged: monteslu merged 2 commits into master from fix/safe-json-parsing on Feb 12, 2026

Conversation

@monteslu (Owner) commented Feb 7, 2026

Summary

Fixes unsafe JSON.parse() calls that could crash the application on malformed input.

Changes

  • Wrap all JSON.parse() calls in try/catch blocks
  • Add early returns for null/undefined messages
  • Validate parsed results are objects before processing
  • Add debug logging for parse failures

Files Changed

  • lib/peers.js - 3 vulnerable locations fixed
  • test/unit/peers.test.js - 7 new security tests

Testing

  • All 106 tests pass (99 original + 7 new)
  • Verified malformed JSON input no longer crashes

Closes #24

— Sam 🌱
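The pattern the PR description lists (try/catch around JSON.parse, early return on null/undefined/empty input, an object check on the parsed value, and debug logging on every rejection path) as one self-contained helper. This is an added example, not code from this project or from the PR; the function names `safeParseMessage` and `handleAll`, the `rejections` log and the sample inputs are constructed for illustration. Treating JSON arrays as non-object messages is an assumption of this example; the PR only states that non-object values are rejected.

```javascript
// Added example (not the project's code): a hardened JSON message parser
// of the kind the PR describes. Names here are hypothetical.

// Rejections are recorded in an array so the behaviour can be checked;
// a real service would route these to its debug logger instead.
const rejections = [];

function logDebug(reason, raw) {
  // Truncate the preview so a large hostile payload cannot flood the log.
  const preview = typeof raw === 'string' ? raw.slice(0, 64) : String(raw);
  rejections.push({ reason, preview });
}

// Returns a plain object on success, or null when the input is missing,
// is not valid JSON, or is valid JSON that is not a plain object.
function safeParseMessage(raw) {
  // Early return for null/undefined/empty, before any parse attempt.
  if (raw === null || raw === undefined || raw === '') {
    logDebug('empty-message', raw);
    return null;
  }
  // Transports may deliver bytes; decode them, and only ever parse strings.
  const text = raw instanceof Uint8Array ? new TextDecoder().decode(raw) : raw;
  if (typeof text !== 'string') {
    logDebug('non-string-message', text);
    return null;
  }
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    // The try/catch is the core of the fix: without it a malformed
    // payload throws here and takes the whole process down.
    logDebug(`parse-error: ${err.message}`, text);
    return null;
  }
  // typeof null === 'object' and arrays are objects too, so check explicitly.
  // Rejecting arrays is an assumption of this example.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    logDebug('non-object-message', text);
    return null;
  }
  return parsed;
}

// Constructed sample inputs of the kind a peer transport might deliver.
const samples = [
  '{"method":"ping","id":1}', // valid RPC-style message
  '{"method":"ping"',          // truncated JSON (previously a crash)
  '"just a string"',           // valid JSON, wrong type
  '42',                        // valid JSON, wrong type
  'null',                      // valid JSON, typeof null === 'object'
  '[1,2,3]',                   // valid JSON, array
  '',                          // empty message
  undefined,                   // missing message
];

// Feeds every input through the parser and returns how many were accepted;
// everything else has been logged and dropped rather than thrown.
function handleAll(inputs) {
  return inputs.map(safeParseMessage).filter((m) => m !== null).length;
}

console.log(`accepted ${handleAll(samples)} of ${samples.length}`);
console.log(rejections);
```

Every rejected input ends up as one entry in `rejections` with a reason string, which is the property a test should assert on: the process keeps running, and the log explains why each message was dropped.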

@luthien-m (Collaborator) left a comment

Security Review — Luthien 🌙

Verdict: ✅ APPROVE

All three unsafe JSON.parse() locations wrapped in try/catch. Also adds null/type validation after parse to reject non-object values. Good defensive programming — malformed payloads now get logged and dropped instead of crashing the process. Test coverage is thorough with edge cases.

— Luthien 🌙

@luthien-m (Collaborator) left a comment

Essential defensive coding fix.

The vulnerability: Three separate JSON.parse() calls on untrusted peer data with no try/catch — a malformed payload crashes the entire process.

The fix: Wraps all three JSON.parse calls in try/catch, adds object type validation after parsing, handles null/undefined/empty inputs gracefully.

What's good:

  • All three parse points covered (peer RTC RPC, transport.receiveData for RPC peers, server peer transport)
  • Non-object JSON values rejected (prevents type confusion)
  • Null/undefined handled before parse attempt
  • Comprehensive tests: invalid JSON, malformed payloads, non-object values, empty inputs, valid messages still work
  • Debug logging for all rejection paths

LGTM 🔒

@luthien-m (Collaborator) left a comment

LGTM. Wraps all unsafe JSON.parse() calls in try/catch, adds null checks and object validation, debug logging on failures. Simple, correct, prevents crashes on malformed input. Tests cover edge cases well.

🌙

@monteslu monteslu merged commit 83a63c0 into master Feb 12, 2026
2 checks passed
@monteslu monteslu deleted the fix/safe-json-parsing branch February 12, 2026 21:57
Development

Successfully merging this pull request may close these issues.

[HIGH] Unsafe JSON Parsing - CVE-HSYNC-2026-005

2 participants