CVEProject · david-rocca · Nov 14, 2023 · Sep 21, 2023 · Sep 25, 2023 · Sep 25, 2023
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -38,7 +38,7 @@
         "express-jsonschema": "^1.1.6",
         "express-rate-limit": "^6.5.2",
         "express-validator": "^6.14.2",
-        "helmet": "^3.21.2",
+        "helmet": "^7.0.0",
         "html-entities": "^2.3.3",
         "jsonschema": "^1.4.0",
         "JSONStream": "^1.3.5",

diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js
@@ -588,13 +588,18 @@ async function updateCna (req, res, next) {
       return res.status(400).json(error.invalidCnaContainerJsonSchema(result.errors))
     }
 
-    await cveRepo.updateByCveId(id, cveModel)
-    // change cve id state to publish
-    if (cveId.state === CONSTANTS.CVE_STATES.REJECTED) {
-      result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.PUBLISHED })
-      if (!result) {
-        return res.status(500).json(error.serverError())
+    try {
+      await cveRepo.updateByCveId(id, cveModel)
+      // change cve id state to publish
+      if (cveId.state === CONSTANTS.CVE_STATES.REJECTED) {
+        result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.PUBLISHED })
+
+        if (!result) {
+          return res.status(400).json(error.unableToStoreCveRecord())
+        }
       }
+    } catch (err) {
+      return res.status(400).json(error.unableToStoreCveRecord())
     }
 
     const responseMessage = {

diff --git a/src/middleware/errorMessages.js b/src/middleware/errorMessages.js
@@ -8,7 +8,7 @@ module.exports = {
   ID_MODIFY_STATES: 'Invalid CVE ID state. Valid states are: RESERVED, REJECTED',
   CVE_FILTERED_STATES: 'Invalid record state. Valid states are: PUBLISHED, REJECTED',
   COUNT_ONLY: 'Invalid count_only value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
-  TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZZZ (to use '+' in timezone offset, encode as '%2B)",
+  TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZ:ZZ (to use '+' in timezone offset, encode as '%2B). ZZ:ZZ (if used) must be between 00:00 and 23:59.",
   CNA_MODIFIED: 'Invalid cna_modified value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
   FIRSTNAME_LENGTH: 'Invalid name.first. Name must be between 1 and 100 characters in length.',
   LASTNAME_LENGTH: 'Invalid name.last. Name must be between 1 and 100 characters in length.',

diff --git a/src/utils/utils.js b/src/utils/utils.js
@@ -35,7 +35,7 @@ async function isSecretariat (shortName) {
     })
   }
 
-  return result // org is not secretariat
+  return result
 }
 
 async function isSecretariatUUID (orgUUID) {
@@ -134,7 +134,8 @@ function booleanIsTrue (val) {
 // Sanitizer for dates
 function toDate (val) {
   val = val.toUpperCase()
-  let value = val.match(/^\d{4}-\d{2}-\d{2}T(?:0?[0-9]|1[0-9]|2[0-3]):(?:0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9]):(?:0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9])(\.\d+)?(|Z|((-|\+)\d{2}:\d{2}))$/)
+  //
+  let value = val.match(/^\d{4}-\d{2}-\d{2}T(?:0?[0-9]|1[0-9]|2[0-3]):(?:0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9]):(?:0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9])(\.\d+)?(|Z|((-|\+)(?:0[0-2]|1[0-9]|2[0-3]):(?:0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9])))$/)
   let result = null
   if (value) {
     const dateStr = value[0]

diff --git a/test/integration-tests/cve/getCveDateTest.js b/test/integration-tests/cve/getCveDateTest.js
@@ -109,5 +109,25 @@ describe('Test time_modified for get CVE', () => {
           expect(res.body.message).to.contain('Parameters were invalid')
         })
     })
+    it('Get CVE should fail if time_modified.gt is given a date with a 24 as a ZZ:ZZ offset', async () => {
+      await chai.request(app)
+        .get('/api/cve?time_modified.gt=2022-01-01T00:00:00-24:00')
+        .set(constants.headers)
+        .then((res, err) => {
+          expect(err).to.be.undefined
+          expect(res).to.have.status(400)
+          expect(res.body.message).to.contain('Parameters were invalid')
+        })
+    })
+    it('Get CVE should fail if time_modified.gt is given a date with an invalid ZZ:ZZ format (missing the colon) but with a valid value (23:00).', async () => {
+      await chai.request(app)
+        .get('/api/cve?time_modified.gt=2022-01-01T00:00:00-2300')
+        .set(constants.headers)
+        .then((res, err) => {
+          expect(err).to.be.undefined
+          expect(res).to.have.status(400)
+          expect(res.body.message).to.contain('Parameters were invalid')
+        })
+    })
   })
 })
diff --git a/test/unit-tests/cve/cveCnaContainerUpdateTest.js b/test/unit-tests/cve/cveCnaContainerUpdateTest.js
@@ -228,7 +228,7 @@ describe('Testing the PUT /cve/:id/cna endpoint in Cve Controller', () => {
         })
     })
 
-    it('should return 500 when fails to update cve id state', (done) => {
+    it('should return 400 when fails to update cve id state', (done) => {
       chai.request(app)
         .put(`/cve-cna-negative-tests/${cveIdPublished5}`)
         .set(cveFixtures.secretariatHeader)
@@ -238,9 +238,9 @@ describe('Testing the PUT /cve/:id/cna endpoint in Cve Controller', () => {
             done(err)
           }
 
-          expect(res).to.have.status(500)
+          expect(res).to.have.status(400)
           expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.serverError()
+          const errObj = error.unableToStoreCveRecord()
           expect(res.body.error).to.equal(errObj.error)
           expect(res.body.message).to.equal(errObj.message)
           done()