fix: add graceful error handling for VirusTotal invalid domains (#111)

jaspermayone · github-advanced-security[bot] · claude[bot] · web-flow · commit 75e4d859588e · 2025-06-29T10:25:59.000-04:00
Co-authored-by: Jasper Mayone &lt;jaspermayone@users.noreply.github.com&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
Co-authored-by: claude[bot] &lt;209825114+claude[bot]@users.noreply.github.com&gt;
diff --git a/src/func/domain/parseData.ts b/src/func/domain/parseData.ts
@@ -47,8 +47,12 @@ export async function parseData(
   } else if (urlScanData.verdicts.overall.malicious === true) {
     verdict = true;
   } else if (
-    virusTotalData.data.attributes.last_analysis_stats.malicious > 0 ||
-    virusTotalData.data.attributes.last_analysis_stats.suspicious > 0
+    virusTotalData &&
+    virusTotalData.data &&
+    virusTotalData.data.attributes &&
+    virusTotalData.data.attributes.last_analysis_stats &&
+    (virusTotalData.data.attributes.last_analysis_stats.malicious > 0 ||
+      virusTotalData.data.attributes.last_analysis_stats.suspicious > 0)
   ) {
     verdict = true;
     // todo: add correct condition for abuseChData
diff --git a/src/services/AbuseCh.ts b/src/services/AbuseCh.ts
@@ -26,7 +26,7 @@ export class AbuseChService {
         }
       );
 
-      let sanitizedDomain = await sanitizeDomain(domain);
+      let sanitizedDomain = sanitizeDomain(domain);
       const dbDomain = await getDbDomain(sanitizedDomain);
 
       // Check if the response is JSON before saving to database
diff --git a/src/services/GoogleSafebrowsing.ts b/src/services/GoogleSafebrowsing.ts
@@ -19,7 +19,7 @@ export class GoogleSafebrowsingService {
     check: async (domain: string) => {
       // metrics.increment("services.googleSafebrowsing.domain.check");
 
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const response = await axios.post(
         `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${process
diff --git a/src/services/IpQualityScore.ts b/src/services/IpQualityScore.ts
@@ -20,7 +20,7 @@ export class IpQualityScoreService {
     check: async (domain: string) => {
       // metrics.increment("services.ipqualityscore.domain.check");
 
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const response = await axios.get(
         `https://ipqualityscore.com/api/json/url/${process.env
diff --git a/src/services/PhishReport.ts b/src/services/PhishReport.ts
@@ -19,7 +19,7 @@ export class PhishReportService {
     check: async (domain: string) => {
       // metrics.increment("services.phishreport.domain.check");
 
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       let response = await axios.get(
         `https://phish.report/api/v0/hosting?url=${sanitizedDomain}`,
diff --git a/src/services/SecurityTrails.ts b/src/services/SecurityTrails.ts
@@ -19,7 +19,7 @@ export class SecurityTrailsService {
     check: async (domain: string) => {
       // metrics.increment("services.securitytrails.domain.check");
 
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const options = {
         method: "GET",
diff --git a/src/services/SinkingYahts.ts b/src/services/SinkingYahts.ts
@@ -18,7 +18,7 @@ export class SinkingYahtsService {
      */
     check: async (domain: string) => {
       // metrics.increment("services.sinkingyahts.domain.check");
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const response = await axios.get<boolean>(
         `https://phish.sinking.yachts/v2/check/${sanitizedDomain}`,
diff --git a/src/services/UrlScan.ts b/src/services/UrlScan.ts
@@ -18,7 +18,7 @@ export class UrlScanService {
      */
     check: async (domain: string) => {
       // metrics.increment("services.urlscan.domain.check");
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const checkSearch = await axios.get(
         `https://urlscan.io/api/v1/search/?q=domain:${sanitizedDomain}`,
diff --git a/src/services/VirusTotal.ts b/src/services/VirusTotal.ts
@@ -3,7 +3,7 @@ import { headersWithVirusTotal } from "src/defs/headers";
 import { getDbDomain } from "src/func/db/domain";
 import { axios } from "src/utils/axios";
 import { db } from "src/utils/db";
-import { sanitizeDomain } from "src/utils/sanitizeDomain";
+import { sanitizeDomain, validateDomain, DomainValidationError } from "src/utils/sanitizeDomain";
 
 /**
  * A service that provides access to the VirusTotal service for checking and reporting domains.
@@ -19,7 +19,18 @@ export class VirusTotalService {
     check: async (domain: string) => {
       try {
         // metrics.increment("services.virustotal.domain.check");
-        const sanitizedDomain = await sanitizeDomain(domain);
+        const sanitizedDomain = sanitizeDomain(domain);
+        
+        // Validate domain before making API call
+        try {
+          await validateDomain(sanitizedDomain);
+        } catch (error) {
+          if (error instanceof DomainValidationError) {
+            console.warn(`VirusTotal: Skipping invalid domain "${domain}": ${error.message}`);
+            return null;
+          }
+          throw error;
+        }
 
         const response = await axios.get(
           `https://www.virustotal.com/api/v3/domains/${sanitizedDomain}`,
@@ -39,9 +50,8 @@ export class VirusTotalService {
 
         return data;
       } catch (error) {
-        // Log the error but don't throw
-        // FIXME: this is terrible practice, handle ratelimits better after issue addressed.
-        // console.error(`VirusTotal API error for domain ${domain}:`, error);
+        // Log the error for transparency, but don't throw to prevent crashes
+        console.warn(`VirusTotal API error for domain "${domain}":`, error instanceof Error ? error.message : error);
         return null;
       }
     },
@@ -54,7 +64,18 @@ export class VirusTotalService {
      */
     report: async (domain: string) => {
       // metrics.increment("services.virustotal.domain.report");
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
+      
+      // Validate domain before making API call
+      try {
+        await validateDomain(sanitizedDomain);
+      } catch (error) {
+        if (error instanceof DomainValidationError) {
+          console.warn(`VirusTotal: Skipping report for invalid domain "${domain}": ${error.message}`);
+          return;
+        }
+        throw error;
+      }
 
       const commentData = {
         data: {
diff --git a/src/services/Walshy.ts b/src/services/Walshy.ts
@@ -18,7 +18,7 @@ export class WalshyService {
      */
     check: async (domain: string) => {
       // metrics.increment("services.walshy.domain.check");
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const response = await axios.post<{
         badDomain: boolean;
@@ -49,7 +49,7 @@ export class WalshyService {
     report: async (domain: string) => {
       // metrics.increment("services.walshy.domain.report");
 
-      const sanitizedDomain = await sanitizeDomain(domain);
+      const sanitizedDomain = sanitizeDomain(domain);
 
       const response = await axios.post(
         `https://bad-domains.walshy.dev/report`,
diff --git a/src/utils/sanitizeDomain.ts b/src/utils/sanitizeDomain.ts
@@ -1,3 +1,5 @@
+import { promises as dns } from 'dns';
+
 const MAX_DOMAIN_LENGTH = 253; // Maximum length of a domain name
 const DOMAIN_REGEX = /^(?!:\/\/)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$/;
 
@@ -7,7 +9,7 @@ class DomainValidationError extends Error {
     this.name = "DomainValidationError";
   }
 }
-const validateDomain = (domain: string): boolean => {
+const validateDomain = async (domain: string): Promise<boolean> => {
   // Check domain length
   if (!domain || domain.length > MAX_DOMAIN_LENGTH) {
     throw new DomainValidationError(
@@ -29,6 +31,13 @@ const validateDomain = (domain: string): boolean => {
     throw new DomainValidationError("Domain cannot contain URL components");
   }
 
+  // Perform DNS lookup to verify domain exists
+  try {
+    await dns.resolve(domain);
+  } catch (error) {
+    throw new DomainValidationError(`Domain does not resolve: ${domain}`);
+  }
+
   return true;
 };
 

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ export class AbuseChService {`
`26`	`26`	`}`
`27`	`27`	`);`
`28`	`28`
`29`		`- let sanitizedDomain = await sanitizeDomain(domain);`
	`29`	`+ let sanitizedDomain = sanitizeDomain(domain);`
`30`	`30`	`const dbDomain = await getDbDomain(sanitizedDomain);`
`31`	`31`
`32`	`32`	`// Check if the response is JSON before saving to database`