diff --git a/datadump/pre-population/cve-ids-range.json b/datadump/pre-population/cve-ids-range.json
index 5e82185b..ed66b3ec 100644
--- a/datadump/pre-population/cve-ids-range.json
+++ b/datadump/pre-population/cve-ids-range.json
@@ -1,363 +1,363 @@ [ { - "cve_year": 1999, - "ranges": { - "priority": { - "top_id": 5000, - "start": 5000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 1999, + "ranges": { + "priority": { + "top_id": 5000, + "start": 5000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2000, - "ranges": { - "priority": { - "top_id": 5000, - "start": 5000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2000, + "ranges": { + "priority": { + "top_id": 5000, + "start": 5000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2001, - "ranges": { - "priority": { - "top_id": 5000, - "start": 5000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2001, + "ranges": { + "priority": { + "top_id": 5000, + "start": 5000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2002, - "ranges": { - "priority": { - "top_id": 5000, - "start": 5000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2002, + "ranges": { + "priority": { + "top_id": 5000, + "start": 5000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2003, - "ranges": { - "priority": { - "top_id": 5000, - "start": 5000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2003, + "ranges": { + "priority": { + "top_id": 5000, + "start": 5000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2004, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": 
{ - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2004, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2005, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2005, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2006, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2006, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2007, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2007, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2008, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2008, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2009, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2009, + "ranges": { + "priority": { + 
"top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2010, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2010, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2011, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2011, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2012, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2012, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2013, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2013, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2014, - "ranges": { - "priority": { - "top_id": 125000, - "start": 125000, - "end": 125000 - }, - "general": { - "top_id": 125000, - "start": 125000, - "end": 450000 - } - } + "cve_year": 2014, + "ranges": { + "priority": { + "top_id": 125000, + "start": 125000, + "end": 125000 + }, + "general": { + "top_id": 125000, + "start": 125000, + "end": 
450000 + } + } }, { - "cve_year": 2015, - "ranges": { - "priority": { - "top_id": 10000, - "start": 10000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 999999 - } - } + "cve_year": 2015, + "ranges": { + "priority": { + "top_id": 10000, + "start": 10000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 999999 + } + } }, { - "cve_year": 2016, - "ranges": { - "priority": { - "top_id": 15000, - "start": 15000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 550000 - } - } + "cve_year": 2016, + "ranges": { + "priority": { + "top_id": 15000, + "start": 15000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 550000 + } + } }, { - "cve_year": 2017, - "ranges": { - "priority": { - "top_id": 20000, - "start": 20000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 999999 - } - } + "cve_year": 2017, + "ranges": { + "priority": { + "top_id": 20000, + "start": 20000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 999999 + } + } }, { - "cve_year": 2018, - "ranges": { - "priority": { - "top_id": 25000, - "start": 25000, - "end": 25000 - }, - "general": { - "top_id": 25000, - "start": 25000, - "end": 550000 - } - } + "cve_year": 2018, + "ranges": { + "priority": { + "top_id": 25000, + "start": 25000, + "end": 25000 + }, + "general": { + "top_id": 25000, + "start": 25000, + "end": 550000 + } + } }, { - "cve_year": 2019, - "ranges": { - "priority": { - "top_id": 25000, - "start": 25000, - "end": 25000 - }, - "general": { - "top_id": 25000, - "start": 25000, - "end": 999999 - } - } + "cve_year": 2019, + "ranges": { + "priority": { + "top_id": 25000, + "start": 25000, + "end": 25000 + }, + "general": { + "top_id": 25000, + "start": 25000, + "end": 999999 + } + } }, { - "cve_year": 2020, - "ranges": { - "priority": { - "top_id": 35000, - "start": 35000, - "end": 35000 - }, - "general": { - 
"top_id": 35000, - "start": 35000, - "end": 50000000 - } - } + "cve_year": 2020, + "ranges": { + "priority": { + "top_id": 35000, + "start": 35000, + "end": 35000 + }, + "general": { + "top_id": 35000, + "start": 35000, + "end": 50000000 + } + } }, { - "cve_year": 2021, - "ranges": { - "priority": { - "top_id": 3000, - "start": 3000, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2021, + "ranges": { + "priority": { + "top_id": 3000, + "start": 3000, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { - "cve_year": 2022, - "ranges": { - "priority": { - "top_id": 0, - "start": 0, - "end": 20000 - }, - "general": { - "top_id": 20000, - "start": 20000, - "end": 50000000 - } - } + "cve_year": 2022, + "ranges": { + "priority": { + "top_id": 0, + "start": 0, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } }, { "cve_year": 2023, @@ -373,6 +373,20 @@ "end": 50000000 } } - } - ] - \ No newline at end of file + }, + { + "cve_year": 2024, + "ranges": { + "priority": { + "top_id": 0, + "start": 0, + "end": 20000 + }, + "general": { + "top_id": 20000, + "start": 20000, + "end": 50000000 + } + } + } +] \ No newline at end of file diff --git a/schemas/cve/create-full-cve-record-request.json b/schemas/cve/create-full-cve-record-request.json index c7cfe0b7..7d1122e5 100644 --- a/schemas/cve/create-full-cve-record-request.json +++ b/schemas/cve/create-full-cve-record-request.json @@ -200,7 +200,7 @@ "dataType": { "type": "string" }, - "dateVersion": { + "dataVersion": { "type": "string" } } diff --git a/schemas/cve/get-cve-record-response.json b/schemas/cve/get-cve-record-response.json index 8891b759..74f0ecef 100644 --- a/schemas/cve/get-cve-record-response.json +++ b/schemas/cve/get-cve-record-response.json 
@@ -134,8 +134,8 @@
 "dataType": {
 "type": "string"
 },
- "dateVersion": {
- "type": "integer"
+ "dataVersion": {
+ "type": "string"
 }
 }
 }
\ No newline at end of file
diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
index 7aa6a295..d1aabf80 100644
--- a/src/controller/cve.controller/cve.middleware.js
+++ b/src/controller/cve.controller/cve.middleware.js
@@ -149,6 +149,8 @@ function validateCveCnaContainerJsonSchema (req, res, next) {
 /**
 * Checks that datePublic field is not a future date
+ * Note: As of 01/10/24, this is not utilized. Further discussion is needed to agree on an
+ * implementation that will be less disruptive but still prevents invalid data.
 *
 * @param {String} dateIndex
 * @returns true
@@ -156,7 +158,7 @@ function validateCveCnaContainerJsonSchema (req, res, next) {
 */
 function validateDatePublic (dateIndex) {
 // Check if datePublic is a future date
- return body(dateIndex).optional({ nullable: true }).custom((datePublic) => {
+ return body(dateIndex).isString().withMessage('DatePublic must be a date string').optional({ nullable: true }).bail().custom((datePublic) => {
 if (datePublicHelper(datePublic)) {
 return true
 }
diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js
index a2a9cb95..307d0bff 100644
--- a/src/controller/cve.controller/index.js
+++ b/src/controller/cve.controller/index.js
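Review bot: The date in the added doc comment, `01/10/24`, is ambiguous between 10 January and 1 October 2024, and the comment gives no pointer to where the "further discussion" is tracked. An unambiguous, traceable form would be `* Note: as of <YYYY-MM-DD> this validator is not attached to any route (see <tracking item>); kept until a less disruptive future-date check is agreed.` (dates and reference to be filled in by the author). The described function's body continues outside this hunk.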
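Review bot: Putting `.isString()` ahead of `.optional({ nullable: true })` reads as though a missing or null datePublic would fail the string check; in express-validator `optional()` flags the whole chain regardless of where it sits, so behaviour is fine, but a one-line comment such as `// optional() applies chain-wide: a missing/null datePublic skips isString() and custom()` would save the next reader the lookup. Because the index.js hunks detach this validator from every route, nothing now exercises the new `.isString()`/`.bail()` path; a unit test that feeds a non-string value (an object, say) and asserts the 'DatePublic must be a date string' message would keep it correct while dormant. validateDatePublic's custom callback continues outside the hunk.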
@@ -4,7 +4,7 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic } = require('./cve.middleware')
+const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription } = require('./cve.middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -442,7 +442,6 @@ router.post('/cve/:id',
 // the lang key to check depends on the state, so pass both
 validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
 validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
- validateDatePublic(['containers.cna.datePublic']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,
@@ -527,7 +526,6 @@ router.put('/cve/:id',
 // the lang key to check depends on the state, so pass both
 validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
 validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
- validateDatePublic(['containers.cna.datePublic']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,
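Review bot: Dropping validateDatePublic from the import, and from the route chains in this hunk and the ones on the next line, leaves POST/PUT /cve/:id, POST/PUT /cve/:id/cna and PUT /cve/:id/adp with no server-side rejection of a future-dated datePublic, which the cve.middleware.js comment presents as an open problem rather than a resolved one. Until the replacement check is agreed, keeping the validator attached but having its custom callback report instead of reject (log the offending value and return true) would preserve visibility of bad data without the disruption the comment wants to avoid. If the gap is intentional for now, a `// TODO: datePublic future-date check removed pending <tracking item>` next to the import would make the regression easy to find later.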
@@ -613,7 +611,6 @@ router.post('/cve/:id/cna',
 validateCveCnaContainerJsonSchema,
 validateUniqueEnglishEntry('cnaContainer.descriptions'),
 validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
- validateDatePublic(['cnaContainer.datePublic']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,
@@ -700,7 +697,6 @@ router.put('/cve/:id/cna',
 validateCveCnaContainerJsonSchema,
 validateUniqueEnglishEntry('cnaContainer.descriptions'),
 validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
- validateDatePublic(['cnaContainer.datePublic']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,
@@ -959,7 +955,6 @@ router.put('/cve/:id/adp',
 mw.validateUser,
 mw.onlyAdps,
 validateCveAdpContainerJsonSchema,
- validateDatePublic(['adpContainer.datePublic']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
index 1c94e1b5..15a160a6 100644
--- a/src/controller/org.controller/index.js
+++ b/src/controller/org.controller/index.js
@@ -558,6 +558,7 @@ router.post('/org/:shortname/user',
 body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
 body(['authority.active_roles']).optional()
 .custom(mw.isFlatStringArray)
+ .bail()
 .customSanitizer(toUpperCaseArray)
 .custom(isUserRole),
 parseError,
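Review bot: The added `.bail()` correctly keeps `toUpperCaseArray` and `isUserRole` from running on a value that is not a flat string array, but unlike the matching `active_roles.add` chain on the PUT route in the next hunk, this chain ends without a message, so a bad `authority.active_roles` reports the generic validator text; `.custom(isUserRole).withMessage(errorMsgs.USER_ROLES),` would make the two endpoints consistent, assuming that message is appropriate for the POST case. This chain also references `mw.isFlatStringArray` where the PUT chain uses a bare `isFlatStringArray`; presumably both resolve to the same helper, worth confirming. The route definition begins and ends outside the hunk.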
@@ -726,12 +727,13 @@ router.put('/org/:shortname/user/:username',
 query(['active']).optional().isBoolean({ loose: true }),
 query(['new_username']).optional().isString().trim().notEmpty().custom(isValidUsername),
 query(['org_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
- body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH),
- body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH),
- body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH),
- body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
+ query(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH),
+ query(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH),
+ query(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH),
+ query(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
 query(['active_roles.add']).optional().toArray()
 .custom(isFlatStringArray)
+ .bail()
 .customSanitizer(toUpperCaseArray)
 .custom(isUserRole).withMessage(errorMsgs.USER_ROLES),
 query(['active_roles.remove']).optional().toArray()
diff --git a/test/integration-tests/user/updateUserTest.js b/test/integration-tests/user/updateUserTest.js
index f25d55f7..493a1be0 100644
--- a/test/integration-tests/user/updateUserTest.js
+++ b/test/integration-tests/user/updateUserTest.js
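Review bot: Moving the four name.* rules from `body(...)` to `query(...)` means that if the handler for PUT /org/:shortname/user/:username still reads any name field from req.body, those values now reach it with no length check at all; only the validator side is visible here, so this needs confirming against the controller. It also places personal names in the URL, where proxies and access logs routinely record them; if that is new for this endpoint it is worth a line in the API documentation. The `.bail()` added to the `active_roles.add` chain is not mirrored on the `active_roles.remove` chain that begins on the hunk's last line and continues outside it; if that chain is built the same way it likely needs the same `.bail()` between `.custom(isFlatStringArray)` and `.customSanitizer(toUpperCaseArray)`. The route definition begins and ends outside the hunk.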
@@ -29,5 +29,41 @@ describe('Testing Edit user endpoint', () => {
 expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
 })
 })
+ it('Should not allow a first name of more than 100 characters', async () => {
+ await chai.request(app)
+ .put('/api/org/win_5/user/jasminesmith@win_5.com?name.first=1:1234567,2:1234567,3:1234567,4:1234567,5:1234567,6:1234567,7:1234567,8:1234567,9:1234567,10:1234567,11:1234567')
+ .set(constants.nonSecretariatUserHeaders)
+ .then((res, err) => {
+ expect(res).to.have.status(400)
+ expect(res.body.error).to.contain('BAD_INPUT')
+ })
+ })
+ it('Should not allow a middle name of more than 100 characters', async () => {
+ await chai.request(app)
+ .put('/api/org/win_5/user/jasminesmith@win_5.com?name.middle=1:1234567,2:1234567,3:1234567,4:1234567,5:1234567,6:1234567,7:1234567,8:1234567,9:1234567,10:1234567,11:1234567')
+ .set(constants.nonSecretariatUserHeaders)
+ .then((res, err) => {
+ expect(res).to.have.status(400)
+ expect(res.body.error).to.contain('BAD_INPUT')
+ })
+ })
+ it('Should not allow a last name of more than 100 characters', async () => {
+ await chai.request(app)
+ .put('/api/org/win_5/user/jasminesmith@win_5.com?name.last=1:1234567,2:1234567,3:1234567,4:1234567,5:1234567,6:1234567,7:1234567,8:1234567,9:1234567,10:1234567,11:1234567')
+ .set(constants.nonSecretariatUserHeaders)
+ .then((res, err) => {
+ expect(res).to.have.status(400)
+ expect(res.body.error).to.contain('BAD_INPUT')
+ })
+ })
+ it('Should not allow a suffix of more than 100 characters', async () => {
+ await chai.request(app)
+ .put('/api/org/win_5/user/jasminesmith@win_5.com?name.suffix=1:1234567,2:1234567,3:1234567,4:1234567,5:1234567,6:1234567,7:1234567,8:1234567,9:1234567,10:1234567,11:1234567')
+ .set(constants.nonSecretariatUserHeaders)
+ .then((res, err) => {
+ expect(res).to.have.status(400)
+ expect(res.body.error).to.contain('BAD_INPUT')
+ })
+ })
 })
 })
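Review bot: Each new test asserts only that the 400 body contains `BAD_INPUT`, which any failing validator on the route would satisfy, so none of them proves that the length rule is the one that fired; if the error response surfaces the validator message, also asserting on `errorMsgs.FIRSTNAME_LENGTH` (and the last/middle/suffix equivalents) would pin the intended check. The 111-character `1:1234567,…,11:1234567` literal is repeated four times and silently assumes the limit is 100; building it as `'a'.repeat(CONSTANTS.MAX_FIRSTNAME_LENGTH + 1)` (if the constants module is importable from the test) ties the test to the real limit and survives a change to it. `.then((res, err) => …)` never receives an `err` argument; `const res = await chai.request(app).put(url).set(constants.nonSecretariatUserHeaders)` followed by the two expects is the simpler form.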