From 9b5e26286f3e5d31fb09dfdb19e280de49646dc8 Mon Sep 17 00:00:00 2001 From: "Daigneau, Jeremy T" Date: Tue, 21 Nov 2023 12:47:49 -0500 Subject: [PATCH 1/3] #962 #728 Replaced instances of "escape" with "encodeURI" which encodes a different set of characters. Also removed "decodeEntities" --- package-lock.json | 11 ---- package.json | 3 +- src/controller/cve-id.controller/index.js | 18 +++--- src/controller/cve.controller/index.js | 26 ++++----- src/controller/org.controller/index.js | 56 +++++++++---------- .../org.controller/org.controller.js | 25 ++++----- 6 files changed, 63 insertions(+), 76 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7d86518d..e2b632f0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -21,7 +21,6 @@ "express-rate-limit": "^6.5.2", "express-validator": "^6.14.2", "helmet": "^7.0.0", - "html-entities": "^2.3.3", "jsonschema": "^1.4.0", "JSONStream": "^1.3.5", "kleur": "^4.1.4", @@ -4504,11 +4503,6 @@ "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==", "dev": true }, - "node_modules/html-entities": { - "version": "2.3.3", - "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.3.3.tgz", - "integrity": "sha512-DV5Ln36z34NNTDgnz0EWGBLZENelNAtkiFA4kyNOG2tDI6Mz1uSWiq1wAKdyjnJwyDiDO7Fa2SO1CTxPXL8VxA==" - }, "node_modules/html-escaper": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz", @@ -13736,11 +13730,6 @@ "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==", "dev": true }, - "html-entities": { - "version": "2.3.3", - "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.3.3.tgz", - "integrity": "sha512-DV5Ln36z34NNTDgnz0EWGBLZENelNAtkiFA4kyNOG2tDI6Mz1uSWiq1wAKdyjnJwyDiDO7Fa2SO1CTxPXL8VxA==" - }, "html-escaper": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz", 
diff --git a/package.json b/package.json index 03c65c26..e85f8f2b 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,6 @@ "express-rate-limit": "^6.5.2", "express-validator": "^6.14.2", "helmet": "^7.0.0", - "html-entities": "^2.3.3", "jsonschema": "^1.4.0", "JSONStream": "^1.3.5", "kleur": "^4.1.4", @@ -101,4 +100,4 @@ "test:coverage-html": "NODE_ENV=test nyc --reporter=html mocha src/* --recursive --exit || true", "test:scripts": "NODE_ENV=development node-dev src/scripts/templateScript.js" } -} \ No newline at end of file +} diff --git a/src/controller/cve-id.controller/index.js b/src/controller/cve-id.controller/index.js index 23c48eb4..a8cfa7ab 100644 --- a/src/controller/cve-id.controller/index.js +++ b/src/controller/cve-id.controller/index.js 
@@ -88,12 +88,12 @@ router.get('/cve-id', query().custom((query) => { return mw.validateQueryParameterNames(query, ['page', 'state', 'cve_id_year', 'time_reserved.lt', 'time_reserved.gt', 'time_modified.lt', 'time_modified.gt']) }), query(['page', 'state', 'cve_id_year', 'time_reserved.lt', 'time_reserved.gt', 'time_modified.lt', 'time_modified.gt']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }), - query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.ID_STATES), + query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.ID_STATES), query(['cve_id_year']).optional().isNumeric().matches(/^[0-9]{4}$/), - query(['time_reserved.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_reserved.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_reserved.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_reserved.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) 
}).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), parseError, parseGetParams, controller.CVEID_GET_FILTER) @@ -180,8 +180,8 @@ router.post('/cve-id', query().custom((query) => { return mw.validateQueryParameterNames(query, ['amount', 'batch_type', 'short_name', 'cve_year']) }), query(['amount', 'batch_type', 'short_name', 'cve_year']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), query(['amount']).isInt(), - query(['batch_type']).optional().isString().trim().escape().customSanitizer(val => { return val.toLowerCase() }), - query(['short_name']).isString().trim().escape().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), + query(['batch_type']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toLowerCase() }), + query(['short_name']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), query(['cve_year']).isNumeric().matches(/^[0-9]{4}$/), parseError, parsePostParams, 
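Review bot: `customSanitizer(val => { return encodeURI(val) })` is not a drop-in for `.escape()`: it leaves `&`, `'`, `/`, `=` and `;` untouched while rewriting spaces and non-ASCII to `%xx`, so anything that relied on the old HTML escaping is no longer covered, and the value that reaches `toDate`/`isIn` here and the persisting code in the org.controller.js hunks is now the percent-encoded form (`Acme Corp` becomes `Acme%20Corp`). The same substitution is made in the `/cve-id/:id`, `/cve`, `/cve_cursor` and every org.controller hunk of this patch. If the goal is to stop storing HTML-escaped text, the cleaner change is to drop the sanitizer entirely and lean on `containsNoInvalidCharacters`, `isLength` and `isIn` for validation, leaving encoding to whatever renders the value; the second patch on this page removes the sanitizer again, which is consistent with that.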
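Review bot: `query(['short_name'])` now runs `isLength` before `customSanitizer(val => { return encodeURI(val) })`, so the bound is checked on the raw value and the string handed to the controller can exceed `CONSTANTS.MAX_SHORTNAME_LENGTH` once a space or non-ASCII character has expanded to `%xx` sequences; `state` in the hunk above encodes first. The same validate-then-encode order appears for `assigner_short_name`, `adp_short_name`, `limit`, the org `shortname` params and `username` in the cve.controller and org.controller hunks, where the value accepted by `isValidUsername` is not the value stored. Whichever form is meant to be canonical, validate that form: either move the sanitizer ahead of `isLength`/`custom(...)` consistently or validate after encoding everywhere.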
@@ -343,8 +343,8 @@ router.put('/cve-id/:id', param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX), query().custom((query) => { return mw.validateQueryParameterNames(query, ['state', 'org']) }), query(['state', 'org']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), - query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS).withMessage(errorMsgs.ID_MODIFY_STATES), - query(['org']).optional().isString().trim().escape(), + query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS).withMessage(errorMsgs.ID_MODIFY_STATES), + query(['org']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }), parseError, parsePostParams, mw.cnaMustOwnID, diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js index 8c75ddf6..4a1f9cb9 100644 --- a/src/controller/cve.controller/index.js +++ b/src/controller/cve.controller/index.js 
@@ -159,14 +159,14 @@ router.get('/cve', query().custom((query) => { return mw.validateQueryParameterNames(query, ['page', 'time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name']) }), query(['page', 'time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }), - query(['time_modified.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES), + query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES), query(['count_only']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.COUNT_ONLY), - query(['assigner_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - 
query(['assigner']).optional().isString().trim().escape().notEmpty(), + query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + query(['assigner']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }), query(['cna_modified']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.CNA_MODIFIED), - query(['adp_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), + query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), parseError, parseGetParams, controller.CVE_GET_FILTERED) 
@@ -246,15 +246,15 @@ router.get('/cve_cursor', mw.onlySecretariatOrBulkDownload, query().custom((query) => { return mw.validateQueryParameterNames(query, ['time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name', 'next_page', 'previous_page', 'limit']) }), query(['time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name', 'next_page', 'previous_page', 'limit']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), - query(['time_modified.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES), + query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES), query(['count_only']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.COUNT_ONLY), - query(['assigner_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - 
query(['assigner']).optional().isString().trim().escape().notEmpty(), + query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + query(['assigner']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }), query(['cna_modified']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.CNA_MODIFIED), - query(['adp_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - query(['limit']).optional().isString().trim().escape().notEmpty().isLength({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit }), + query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + query(['limit']).optional().isString().trim().notEmpty().isLength({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit }).customSanitizer(val => { return encodeURI(val) }), parseError, parseGetParams, controller.CVE_GET_FILTERED_CURSOR) diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js index 9bec6464..735c9faa 100644 --- a/src/controller/org.controller/index.js +++ b/src/controller/org.controller/index.js 
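Review bot: `query(['limit']).optional().isString().trim().notEmpty().isLength({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit })` bounds the number of characters in `limit`, not its numeric value, so if `PAGINATOR_OPTIONS.limit` is the maximum page size (its definition is not visible here) a value such as `99999999` passes as long as it has no more digits than that constant. `isInt({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit })` checks what the name suggests and makes the `encodeURI` sanitizer unnecessary for this parameter. The check predates this commit, but the line is rewritten here, so it is worth correcting in the same pass.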
@@ -157,8 +157,8 @@ router.post('/org', */ mw.validateUser, mw.onlySecretariat, - body(['short_name']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - body(['name']).isString().trim().escape().notEmpty(), + body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + body(['name']).isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }), body(['authority.active_roles']).optional() .custom(isFlatStringArray) .customSanitizer(toUpperCaseArray) @@ -234,7 +234,7 @@ router.get('/org/:identifier', } */ mw.validateUser, - param(['identifier']).isString().trim().escape(), + param(['identifier']).isString().trim().customSanitizer(val => { return encodeURI(val) }), parseError, parseGetParams, controller.ORG_SINGLE) 
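Review bot: `encodeURI` throws `URIError` on a lone surrogate, and `body(['short_name'])`/`body(['name'])` take their values from a JSON body, which can carry one verbatim; inside `customSanitizer` that exception is, as far as I can tell, not turned into a validation error by express-validator, so the request would reach the error handler instead of failing with a 400 — confirm against the express-validator version in use. The query-side chains in the cve hunks run `mw.containsNoInvalidCharacters` first, but no equivalent is applied to these body fields. A guard such as `.custom(val => { try { encodeURI(val); return true } catch (e) { return false } })` placed before the sanitizer turns the case into an ordinary validation failure; the same applies to the `name.*`, `username` and `uuid` body fields in the `/org/:shortname/user` hunks.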
@@ -312,10 +312,10 @@ router.put('/org/:shortname', mw.onlySecretariat, query().custom((query) => { return mw.validateQueryParameterNames(query, ['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']) }), query(['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), - param(['shortname']).isString().trim().escape().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - query(['new_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), + param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA), - query(['name']).optional().isString().trim().escape().notEmpty(), + query(['name']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }), query(['active_roles.add']).optional().toArray() .custom(isFlatStringArray) .customSanitizer(toUpperCaseArray) 
@@ -394,7 +394,7 @@ router.get('/org/:shortname/id_quota', } */ mw.validateUser, - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), parseError, parseGetParams, controller.ORG_ID_QUOTA) @@ -466,7 +466,7 @@ router.get('/org/:shortname/users', } */ mw.validateUser, - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }), parseError, parseGetParams, 
@@ -548,14 +548,14 @@ router.post('/org/:shortname/user', mw.validateUser, mw.onlySecretariatOrAdmin, mw.onlyOrgWithPartnerRole, - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - body(['username']).isString().trim().escape().notEmpty().custom(isValidUsername), - body(['org_uuid']).optional().isString().trim().escape(), - body(['uuid']).optional().isString().trim().escape(), - body(['name.first']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH), - body(['name.last']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH), - body(['name.middle']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH), - body(['name.suffix']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + body(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }), + body(['org_uuid']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }), + body(['uuid']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }), + body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + 
body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH).customSanitizer(val => { return encodeURI(val) }), body(['authority.active_roles']).optional() .custom(mw.isFlatStringArray) .customSanitizer(toUpperCaseArray) @@ -631,8 +631,8 @@ router.get('/org/:shortname/user/:username', } */ mw.validateUser, - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - param(['username']).isString().trim().escape().notEmpty().custom(isValidUsername), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }), parseError, parseGetParams, controller.USER_SINGLE) 
@@ -721,15 +721,15 @@ router.put('/org/:shortname/user/:username', }), query(['active', 'new_username', 'org_short_name', 'name.first', 'name.last', 'name.middle', 'name.suffix', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - param(['username']).isString().trim().escape().notEmpty().custom(isValidUsername), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }), query(['active']).optional().isBoolean({ loose: true }), - query(['new_username']).optional().isString().trim().escape().notEmpty().custom(isValidUsername), - query(['org_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - body(['name.first']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH), - body(['name.last']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH), - body(['name.middle']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH), - body(['name.suffix']).optional().isString().trim().escape().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH), + query(['new_username']).optional().isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }), + query(['org_short_name']).optional().isString().trim().notEmpty().isLength({ min: 
CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH).customSanitizer(val => { return encodeURI(val) }), + body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH).customSanitizer(val => { return encodeURI(val) }), query(['active_roles.add']).optional().toArray() .custom(isFlatStringArray) .customSanitizer(toUpperCaseArray) @@ -811,8 +811,8 @@ router.put('/org/:shortname/user/:username/reset_secret', */ mw.validateUser, mw.onlyOrgWithPartnerRole, - param(['shortname']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - param(['username']).isString().trim().escape().notEmpty().custom(isValidUsername), + param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }), parseError, parsePostParams, controller.USER_RESET_SECRET) diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js index 62e38fe3..e60c76a5 100644 --- a/src/controller/org.controller/org.controller.js +++ b/src/controller/org.controller/org.controller.js 
@@ -9,7 +9,6 @@ const uuid = require('uuid') const errors = require('./error') const error = new errors.OrgControllerError() const validateUUID = require('uuid').validate -const decodeEntities = require('html-entities').decode const booleanIsTrue = require('../../utils/utils').booleanIsTrue /** @@ -246,11 +245,11 @@ async function createOrg (req, res, next) { switch (key) { case 'short_name': - newOrg.short_name = decodeEntities(req.ctx.body.short_name) + newOrg.short_name = req.ctx.body.short_name break case 'name': - newOrg.name = decodeEntities(req.ctx.body.name) + newOrg.name = req.ctx.body.name break case 'authority': @@ -342,10 +341,10 @@ async function updateOrg (req, res, next) { const key = k.toLowerCase() if (key === 'new_short_name') { - newOrg.short_name = decodeEntities(req.ctx.query.new_short_name) + newOrg.short_name = req.ctx.query.new_short_name agt = setAggregateOrgObj({ short_name: newOrg.short_name }) } else if (key === 'name') { - newOrg.name = decodeEntities(req.ctx.query.name) + newOrg.name = req.ctx.query.name } else if (key === 'id_quota') { newOrg.policies.id_quota = req.ctx.query.id_quota } else if (key === 'active_roles.add') { @@ -462,16 +461,16 @@ async function createUser (req, res, next) { } } else if (key === 'name') { if (req.ctx.body.name.first) { - newUser.name.first = decodeEntities(req.ctx.body.name.first) + newUser.name.first = req.ctx.body.name.first } if (req.ctx.body.name.last) { - newUser.name.last = decodeEntities(req.ctx.body.name.last) + newUser.name.last = req.ctx.body.name.last } if (req.ctx.body.name.middle) { - newUser.name.middle = decodeEntities(req.ctx.body.name.middle) + newUser.name.middle = req.ctx.body.name.middle } if (req.ctx.body.name.suffix) { - newUser.name.suffix = decodeEntities(req.ctx.body.name.suffix) + newUser.name.suffix = req.ctx.body.name.suffix } } else if (key === 'org_uuid') { return res.status(400).json(error.uuidProvided('org')) 
@@ -599,13 +598,13 @@ async function updateUser (req, res, next) { return res.status(403).json(error.notAllowedToChangeOrganization()) } } else if (key === 'name.first') { - newUser.name.first = decodeEntities(req.ctx.query['name.first']) + newUser.name.first = req.ctx.query['name.first'] } else if (key === 'name.last') { - newUser.name.last = decodeEntities(req.ctx.query['name.last']) + newUser.name.last = req.ctx.query['name.last'] } else if (key === 'name.middle') { - newUser.name.middle = decodeEntities(req.ctx.query['name.middle']) + newUser.name.middle = req.ctx.query['name.middle'] } else if (key === 'name.suffix') { - newUser.name.suffix = decodeEntities(req.ctx.query['name.suffix']) + newUser.name.suffix = req.ctx.query['name.suffix'] } else if (key === 'active') { newUser.active = booleanIsTrue(req.ctx.query.active) changesRequirePrivilegedRole = true From bef1c6218fc534423f0ccbf118f9f33919df371b Mon Sep 17 00:00:00 2001 From: "Daigneau, Jeremy T" Date: Tue, 21 Nov 2023 14:12:06 -0500 Subject: [PATCH 2/3] #962 removed encodeURI, we don't want to encode whitespace --- src/controller/cve-id.controller/index.js | 18 ++++---- src/controller/cve.controller/index.js | 26 +++++------ src/controller/org.controller/index.js | 56 +++++++++++------------ test/integration-tests/constants.js | 17 ++++++- test/integration-tests/org/postOrgTest.js | 44 ++++++++++++++++++ 5 files changed, 110 insertions(+), 51 deletions(-) create mode 100644 test/integration-tests/org/postOrgTest.js diff --git a/src/controller/cve-id.controller/index.js b/src/controller/cve-id.controller/index.js index a8cfa7ab..0ab114d0 100644 --- a/src/controller/cve-id.controller/index.js +++ b/src/controller/cve-id.controller/index.js 
@@ -88,12 +88,12 @@ router.get('/cve-id', query().custom((query) => { return mw.validateQueryParameterNames(query, ['page', 'state', 'cve_id_year', 'time_reserved.lt', 'time_reserved.gt', 'time_modified.lt', 'time_modified.gt']) }), query(['page', 'state', 'cve_id_year', 'time_reserved.lt', 'time_reserved.gt', 'time_modified.lt', 'time_modified.gt']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }), - query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.ID_STATES), + query(['state']).optional().isString().trim().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.ID_STATES), query(['cve_id_year']).optional().isNumeric().matches(/^[0-9]{4}$/), - query(['time_reserved.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_reserved.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), - query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_reserved.lt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_reserved.gt']).optional().isString().trim().customSanitizer(val 
=> { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), + query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT), parseError, parseGetParams, controller.CVEID_GET_FILTER) @@ -180,8 +180,8 @@ router.post('/cve-id', query().custom((query) => { return mw.validateQueryParameterNames(query, ['amount', 'batch_type', 'short_name', 'cve_year']) }), query(['amount', 'batch_type', 'short_name', 'cve_year']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), query(['amount']).isInt(), - query(['batch_type']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toLowerCase() }), - query(['short_name']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }), + query(['batch_type']).optional().isString().trim().customSanitizer(val => { return val.toLowerCase() }), + query(['short_name']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), query(['cve_year']).isNumeric().matches(/^[0-9]{4}$/), parseError, parsePostParams, 
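Review bot: With both `.escape()` and `encodeURI` gone, `state`, `short_name`, `batch_type` and the timestamp parameters reach the controller with only `trim` plus `mw.containsNoInvalidCharacters`, `isIn`, `isLength` and `toDate` in between, and nothing in the chain records that this is deliberate. A one-line comment above the first `query(...)` of each route, e.g. `// Values are validated but not escaped here; encode for the output context where they are rendered`, keeps the next maintainer from re-adding `.escape()` and from assuming stored strings are HTML-safe. The same note applies to the `/cve-id/:id` and `/cve` hunks of this patch.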
@@ -343,8 +343,8 @@ router.put('/cve-id/:id', param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX), query().custom((query) => { return mw.validateQueryParameterNames(query, ['state', 'org']) }), query(['state', 'org']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), - query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS).withMessage(errorMsgs.ID_MODIFY_STATES), - query(['org']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }), + query(['state']).optional().isString().trim().customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS).withMessage(errorMsgs.ID_MODIFY_STATES), + query(['org']).optional().isString().trim(), parseError, parsePostParams, mw.cnaMustOwnID, diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js index 4a1f9cb9..eba11d17 100644 --- a/src/controller/cve.controller/index.js +++ b/src/controller/cve.controller/index.js 
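Review bot: `query(['org']).optional().isString().trim()` is now the only check on `org`, leaving it with no non-empty requirement and no length bound, whereas every other short-name-like parameter in these routers carries `isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH })`. If `org` is an org short name (the handler that consumes it is outside this hunk), `query(['org']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),` brings it in line; `containsNoInvalidCharacters` two lines above still runs first either way.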
@@ -159,14 +159,14 @@ router.get('/cve',
 query().custom((query) => { return mw.validateQueryParameterNames(query, ['page', 'time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name']) }),
 query(['page', 'time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
 query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }),
- query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
- query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
- query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES),
+ query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
+ query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
+ query(['state']).optional().isString().trim().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES),
 query(['count_only']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.COUNT_ONLY),
- query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- query(['assigner']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }),
+ query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ query(['assigner']).optional().isString().trim().notEmpty(),
 query(['cna_modified']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.CNA_MODIFIED),
- query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
+ query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
 parseError,
 parseGetParams,
 controller.CVE_GET_FILTERED)
@@ -246,15 +246,15 @@ router.get('/cve_cursor',
 mw.onlySecretariatOrBulkDownload,
 query().custom((query) => { return mw.validateQueryParameterNames(query, ['time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name', 'next_page', 'previous_page', 'limit']) }),
 query(['time_modified.lt', 'time_modified.gt', 'state', 'count_only', 'assigner_short_name', 'assigner', 'cna_modified', 'adp_short_name', 'next_page', 'previous_page', 'limit']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
- query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
- query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
- query(['state']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }).customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES),
+ query(['time_modified.lt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
+ query(['time_modified.gt']).optional().isString().trim().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
+ query(['state']).optional().isString().trim().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES),
 query(['count_only']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.COUNT_ONLY),
- query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- query(['assigner']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }),
+ query(['assigner_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ query(['assigner']).optional().isString().trim().notEmpty(),
 query(['cna_modified']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.CNA_MODIFIED),
- query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- query(['limit']).optional().isString().trim().notEmpty().isLength({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit }).customSanitizer(val => { return encodeURI(val) }),
+ query(['adp_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ query(['limit']).optional().isString().trim().notEmpty().isLength({ min: 1, max: CONSTANTS.PAGINATOR_OPTIONS.limit }),
 parseError,
 parseGetParams,
 controller.CVE_GET_FILTERED_CURSOR)
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
index 735c9faa..1c94e1b5 100644
--- a/src/controller/org.controller/index.js
+++ b/src/controller/org.controller/index.js
@@ -157,8 +157,8 @@ router.post('/org',
 */
 mw.validateUser,
 mw.onlySecretariat,
- body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- body(['name']).isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }),
+ body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ body(['name']).isString().trim().notEmpty(),
 body(['authority.active_roles']).optional()
 .custom(isFlatStringArray)
 .customSanitizer(toUpperCaseArray)
@@ -234,7 +234,7 @@ router.get('/org/:identifier',
 }
 */
 mw.validateUser,
- param(['identifier']).isString().trim().customSanitizer(val => { return encodeURI(val) }),
+ param(['identifier']).isString().trim(),
 parseError,
 parseGetParams,
 controller.ORG_SINGLE)
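Review bot: After this change `param(['identifier'])` in the `GET /org/:identifier` hunk is validated only by `.isString().trim()`, whereas the sibling `param(['shortname'])` lines elsewhere in this file keep `.notEmpty()` and an `isLength` bound, so an empty or arbitrarily long identifier now passes straight through to `controller.ORG_SINGLE`. If the name means the route accepts either a short name or a UUID, a length bound may not fit, but `.notEmpty()` and the character check already used on query parameters in this file can be added without that constraint: `param(['identifier']).isString().trim().notEmpty().custom((val) => { return mw.containsNoInvalidCharacters(val) }),`. The `router.get('/org/:identifier', …)` registration starts outside the hunk.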
@@ -312,10 +312,10 @@ router.put('/org/:shortname',
 mw.onlySecretariat,
 query().custom((query) => { return mw.validateQueryParameterNames(query, ['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']) }),
 query(['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
- param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
 query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
- query(['name']).optional().isString().trim().notEmpty().customSanitizer(val => { return encodeURI(val) }),
+ query(['name']).optional().isString().trim().notEmpty(),
 query(['active_roles.add']).optional().toArray()
 .custom(isFlatStringArray)
 .customSanitizer(toUpperCaseArray)
@@ -394,7 +394,7 @@ router.get('/org/:shortname/id_quota',
 }
 */
 mw.validateUser,
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
 parseError,
 parseGetParams,
 controller.ORG_ID_QUOTA)
@@ -466,7 +466,7 @@ router.get('/org/:shortname/users',
 }
 */
 mw.validateUser,
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
 query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }),
 parseError,
 parseGetParams,
@@ -548,14 +548,14 @@ router.post('/org/:shortname/user',
 mw.validateUser,
 mw.onlySecretariatOrAdmin,
 mw.onlyOrgWithPartnerRole,
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- body(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }),
- body(['org_uuid']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }),
- body(['uuid']).optional().isString().trim().customSanitizer(val => { return encodeURI(val) }),
- body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ body(['username']).isString().trim().notEmpty().custom(isValidUsername),
+ body(['org_uuid']).optional().isString().trim(),
+ body(['uuid']).optional().isString().trim(),
+ body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH),
+ body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH),
+ body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH),
+ body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
 body(['authority.active_roles']).optional()
 .custom(mw.isFlatStringArray)
 .customSanitizer(toUpperCaseArray)
@@ -631,8 +631,8 @@ router.get('/org/:shortname/user/:username',
 }
 */
 mw.validateUser,
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ param(['username']).isString().trim().notEmpty().custom(isValidUsername),
 parseError,
 parseGetParams,
 controller.USER_SINGLE)
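Review bot: In the `POST /org/:shortname/user` hunk, `body(['org_uuid'])` and `body(['uuid'])` are left with `.optional().isString().trim()` and nothing else once the `encodeURI` sanitizer is gone, so any string is accepted where the field names suggest a UUID is expected. If these really are UUIDs (the positive test added later in this series asserts a `UUID` property on a created org, so that reading seems likely), `.isUUID()` would pin the format: `body(['org_uuid']).optional().isString().trim().isUUID(),` and the same for `uuid`. The `name.*` body fields in this hunk are likewise now bounded only by `isLength`, with no `containsNoInvalidCharacters` check visible here, unlike the query parameters in the other org hunks. `router.post('/org/:shortname/user', …)` continues outside the hunk.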
@@ -721,15 +721,15 @@ router.put('/org/:shortname/user/:username',
 }),
 query(['active', 'new_username', 'org_short_name', 'name.first', 'name.last', 'name.middle', 'name.suffix', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ param(['username']).isString().trim().notEmpty().custom(isValidUsername),
 query(['active']).optional().isBoolean({ loose: true }),
- query(['new_username']).optional().isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }),
- query(['org_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH).customSanitizer(val => { return encodeURI(val) }),
- body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH).customSanitizer(val => { return encodeURI(val) }),
+ query(['new_username']).optional().isString().trim().notEmpty().custom(isValidUsername),
+ query(['org_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH),
+ body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH),
+ body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH),
+ body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
 query(['active_roles.add']).optional().toArray()
 .custom(isFlatStringArray)
 .customSanitizer(toUpperCaseArray)
@@ -811,8 +811,8 @@ router.put('/org/:shortname/user/:username/reset_secret',
 */
 mw.validateUser,
 mw.onlyOrgWithPartnerRole,
- param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }).customSanitizer(val => { return encodeURI(val) }),
- param(['username']).isString().trim().notEmpty().custom(isValidUsername).customSanitizer(val => { return encodeURI(val) }),
+ param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+ param(['username']).isString().trim().notEmpty().custom(isValidUsername),
 parseError,
 parsePostParams,
 controller.USER_RESET_SECRET)
diff --git a/test/integration-tests/constants.js b/test/integration-tests/constants.js
index 4b8b954b..8eba9fe3 100644
--- a/test/integration-tests/constants.js
+++ b/test/integration-tests/constants.js
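Review bot: In the `PUT /org/:shortname/user/:username` hunk the `containsNoInvalidCharacters` check at the top is attached to `query([...])`, but `name.first`, `name.last`, `name.middle` and `name.suffix` are validated below as `body([...])`; as far as the hunk shows, a name sent in the request body never passes through that check, and with the `encodeURI` sanitizer removed it is presumably stored as received, bounded only by `isLength`. If the body is the intended channel for these fields, mirror the check there: `body(['name.first', 'name.last', 'name.middle', 'name.suffix']).optional().custom((val) => { return mw.containsNoInvalidCharacters(val) }),`. The `router.put('/org/:shortname/user/:username', …)` registration starts outside the hunk, so a body-level check placed earlier in it would not be visible here.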
@@ -241,6 +241,20 @@ const testAdp2 = {
 }
 }
+const testOrg = {
+ short_name: 'test_org',
+ name: 'Test Organization',
+ authority: {
+ active_roles: [
+ 'CNA'
+ ]
+ },
+ policies: {
+ id_quota: 100000
+ }
+}
+
 module.exports = {
 headers,
 nonSecretariatUserHeaders,
@@ -249,5 +263,6 @@ module.exports = {
 testCve,
 testCveEdited,
 testAdp,
- testAdp2
+ testAdp2,
+ testOrg
 }
diff --git a/test/integration-tests/org/postOrgTest.js b/test/integration-tests/org/postOrgTest.js
new file mode 100644
index 00000000..34697e28
--- /dev/null
+++ b/test/integration-tests/org/postOrgTest.js
@@ -0,0 +1,44 @@
+/* eslint-disable no-unused-expressions */
+const chai = require('chai')
+chai.use(require('chai-http'))
+const expect = chai.expect
+
+const constants = require('../constants.js')
+const app = require('../../../src/index.js')
+
+describe('Testing Org post endpoint', () => {
+ context('Positive Tests', () => {
+ it('Allows creation of org', async () => {
+ await chai.request(app)
+ .post('/api/org')
+ .set({ ...constants.headers })
+ .send(constants.testOrg)
+ .then((res, err) => {
+ expect(err).to.be.undefined
+ expect(res).to.have.status(200)
+
+ expect(res.body).to.haveOwnProperty('message')
+ expect(res.body.message).to.equal(constants.testOrg.short_name + ' organization was successfully created.')
+
+ expect(res.body).to.haveOwnProperty('created')
+
+ expect(res.body.created).to.haveOwnProperty('name')
+ expect(res.body.created.name).to.equal(constants.testOrg.name)
+
+ expect(res.body.created).to.haveOwnProperty('short_name')
+ expect(res.body.created.short_name).to.equal(constants.testOrg.short_name)
+
+ expect(res.body.created).to.haveOwnProperty('UUID')
+
+ expect(res.body.created).to.haveOwnProperty('policies')
+ expect(res.body.created.policies).to.deep.equal(constants.testOrg.policies)
+
+ expect(res.body.created).to.haveOwnProperty('authority')
+ expect(res.body.created.authority).to.deep.equal(constants.testOrg.authority)
+ })
+ })
+ })
+ context('Negitive Test', () => {
+
+ })
+})
From 15fa2b62842862382ce5f69c41bf3355e301da35 Mon Sep 17 00:00:00 2001
From: "Daigneau, Jeremy T"
Date: Tue, 21 Nov 2023 14:59:12 -0500
Subject: [PATCH 3/3] #962 added negative org creation test

---
 test/integration-tests/constants.js | 17 ++++++++++++++++-
 test/integration-tests/org/postOrgTest.js | 12 ++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/test/integration-tests/constants.js b/test/integration-tests/constants.js
index 8eba9fe3..6aab5359 100644
--- a/test/integration-tests/constants.js
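Review bot: `.then((res, err) => { expect(err).to.be.undefined … })` receives only the response in the fulfilment callback, so `err` is always `undefined` and the first assertion can never fail; a rejected request would instead surface as a rejection of the awaited chain rather than through `err`. Using the awaited value directly removes the misleading check: `const res = await chai.request(app).post('/api/org').set({ ...constants.headers }).send(constants.testOrg)` followed by the `expect(res…)` lines at the `it` body level, dropping the `.then` wrapper and the `expect(err)` line. The negative test added to this file in the last hunk of the series uses the same `(res, err)` shape and would benefit from the same change, and `'Negitive Test'` in the `context` label is a typo. Because `testOrg.short_name` is a fixed value, a second run of this positive test against the same database would presumably hit the same already-exists error the negative test relies on, so it is worth confirming that the harness resets state between runs.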
+++ b/test/integration-tests/constants.js
@@ -255,6 +255,20 @@ const testOrg = {
 }
 }
+const existingOrg = {
+ short_name: 'win_5',
+ name: 'Test Organization',
+ authority: {
+ active_roles: [
+ 'CNA'
+ ]
+ },
+ policies: {
+ id_quota: 100000
+ }
+}
+
 module.exports = {
 headers,
 nonSecretariatUserHeaders,
@@ -264,5 +278,6 @@ module.exports = {
 testCveEdited,
 testAdp,
 testAdp2,
- testOrg
+ testOrg,
+ existingOrg
 }
diff --git a/test/integration-tests/org/postOrgTest.js b/test/integration-tests/org/postOrgTest.js
index 34697e28..08517dd3 100644
--- a/test/integration-tests/org/postOrgTest.js
+++ b/test/integration-tests/org/postOrgTest.js
@@ -39,6 +39,18 @@ describe('Testing Org post endpoint', () => {
 })
 })
 context('Negitive Test', () => {
+ it('Should fail to create an org that already exists ', async () => {
+ await chai.request(app)
+ .post('/api/org')
+ .set({ ...constants.headers })
+ .send(constants.existingOrg)
+ .then((res, err) => {
+ expect(err).to.be.undefined
+ expect(res).to.have.status(400)
+ expect(res.body).to.haveOwnProperty('error')
+ expect(res.body.error).to.equal('ORG_EXISTS')
+ })
+ })
 })
 })