
Commit 0e528de

Merge pull request #1662 from CVEProject/dev
Update Staging from Dev
2 parents 06e756e + 788b229 commit 0e528de

7 files changed

Lines changed: 190 additions & 9 deletions


package-lock.json

Lines changed: 38 additions & 4 deletions

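--- a/src/controller/cve.controller/cve.middleware.js
+++ b/src/controller/cve.controller/cve.middleware.js
@@ -178,6 +178,32 @@ function datePublicHelper (datePublic) {
 return currentDate > datePublicWithGracePeriod
 }
 
+/**
+* Checks that timeline.time fields are valid datetime objects.
+* This accounts for invalid timezone offsets that aren't handled by the schema.
+*
+* @param {String} dateIndex
+* @returns true
+* @throws Error
+*/
+function validateTimelineDates (dateIndex) {
+// Check if datePublic is a future date
+return body(dateIndex).isArray().withMessage('Time must be a date string').optional({ nullable: true }).bail().custom((timelineArray) => {
+for (const timelineObj of timelineArray) {
+const value = new Date(timelineObj.time)
+if (!validateTimelineHelper(value)) {
+throw new Error(`Invalid date string: ${timelineObj.time} `)
+}
+}
+
+return true
+})
+}
+
+function validateTimelineHelper (value) {
+return value instanceof Date && !isNaN(value)
+}
+
 // Organizations in the ADP pilot are generating JSON programatically, and thus
 // informing them about the result of the final validation (against the full
 // CVE Record schema) is currently sufficient.
@@ -290,6 +316,7 @@ module.exports = {
 validateDescription,
 validateRejectBody,
 validateDatePublic,
+validateTimelineDates,
 datePublicHelper,
 validatePURL,
 purlValidateHelper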
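Review bot: In `validateTimelineDates`, the custom validator hands `timelineObj.time` straight to `new Date()`, which accepts more than date strings: `null`, numbers and booleans all yield a valid Date and pass, while a `null` array entry throws a TypeError instead of the intended message. Unless the JSON schema check is guaranteed to have rejected those shapes before this validator runs (the route wiring is not visible in this file), add a guard before the `new Date` call, for example `if (!timelineObj || typeof timelineObj.time !== 'string') { throw new Error('Time must be a date string') }`. The inline comment `// Check if datePublic is a future date` appears to be copied from the datePublic validator and should describe this check, e.g. `// Reject timeline entries whose time does not parse to a valid Date`. The `isArray()` message 'Time must be a date string' also reports a different failure than the one that triggers it.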

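--- a/src/controller/cve.controller/index.js
+++ b/src/controller/cve.controller/index.js
@@ -4,7 +4,7 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validatePURL } = require('./cve.middleware')
+const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validateTimelineDates, validatePURL } = require('./cve.middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -499,6 +499,7 @@ router.post('/cve/:id',
 validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
 validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
 validateDatePublic(['containers.cna.datePublic']),
+validateTimelineDates(['containers.cna.timeline']),
 validatePURL(['containers.cna.affected']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
@@ -586,6 +587,7 @@ router.put('/cve/:id',
 validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
 validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
 validateDatePublic(['containers.cna.datePublic']),
+validateTimelineDates(['containers.cna.timeline']),
 validatePURL(['containers.cna.affected']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
@@ -685,6 +687,7 @@ router.post('/cve/:id/cna',
 validateUniqueEnglishEntry('cnaContainer.descriptions'),
 validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
 validateDatePublic(['cnaContainer.datePublic']),
+validateTimelineDates(['cnaContainer.timeline']),
 validatePURL(['cnaContainer.affected']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
@@ -786,6 +789,7 @@ router.put('/cve/:id/cna',
 validateUniqueEnglishEntry('cnaContainer.descriptions'),
 validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
 validateDatePublic(['cnaContainer.datePublic']),
+validateTimelineDates(['cnaContainer.timeline']),
 validatePURL(['cnaContainer.affected']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
@@ -1058,6 +1062,7 @@ router.put('/cve/:id/adp',
 mw.trimJSONWhitespace,
 validateCveAdpContainerJsonSchema,
 validatePURL(['adpContainer.affected']),
+validateTimelineDates(['adpContainer.timeline']),
 param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
 parseError,
 parsePostParams,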
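Review bot: The full-record routes `POST /cve/:id` and `PUT /cve/:id` register the new check only for `containers.cna.timeline`, so a timeline carried inside an ADP container of a full record is not covered by it. If those routes accept records with `containers.adp` entries, consider a second registration such as `validateTimelineDates(['containers.adp.*.timeline'])` using express-validator's wildcard path, or confirm that ADP timelines can only arrive through `PUT /cve/:id/adp`. The route definitions start and end outside these hunks, so it is not visible here whether schema validation runs before this validator on the CNA routes.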
