
Commit 3688c7c

authored
Merge pull request #1432 from CVEProject/emathew/1401-registryOrg-admin-error
Resolves issue 1401; validates the request body for the registryOrg POST request
2 parents 49d5566 + 7833e87 commit 3688c7c

3 files changed

Lines changed: 87 additions & 9 deletions


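--- a/src/controller/registry-org.controller/index.js
+++ b/src/controller/registry-org.controller/index.js
@@ -5,7 +5,7 @@ const errorMsgs = require('../../middleware/errorMessages')
 const { body, param, query } = require('express-validator')
 const controller = require('./registry-org.controller')
 const { parseGetParams, parsePostParams, parseDeleteParams, parseError, isOrgRole } = require('./registry-org.middleware')
-const { toUpperCaseArray, isFlatStringArray } = require('../../middleware/middleware')
+const { toUpperCaseArray, toLowerCaseArray, isFlatStringArray } = require('../../middleware/middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 
@@ -71,7 +71,7 @@ router.get('/registryOrg',
 query().custom((query) => { return mw.validateQueryParameterNames(query, ['page']) }),
 query(['page']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
 query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }),
-// parseError,
+parseError,
 parseGetParams,
 controller.ALL_ORGS
 )
@@ -141,7 +141,7 @@ router.get('/registryOrg/:identifier',
 mw.validateUser,
 mw.onlySecretariat,
 param(['identifier']).isString().trim(),
-// parseError,
+parseError,
 parseGetParams,
 controller.SINGLE_ORG
 )
@@ -214,14 +214,38 @@ router.post('/registryOrg',
 mw.onlySecretariat,
 body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
 body(['long_name']).isString().trim().notEmpty(),
+body(['cve_program_org_function']).isString().trim().default('CNA'),
+body(['root_or_tlr']).default(false).isBoolean(),
+body(['oversees']).default([]).isArray(),
+body(
+[
+'charter_or_scope',
+'disclosure_policy',
+'product_list',
+'reports_to',
+'contact_info.poc',
+'contact_info.poc_email',
+'contact_info.poc_phone',
+'contact_info.org_email',
+'contact_info.website'
+])
+.default('')
+.isString(),
 body(['authority.active_roles']).optional()
 .custom(isFlatStringArray)
 .customSanitizer(toUpperCaseArray)
 .custom(isOrgRole),
 body(['soft_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
 body(['hard_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
-// TODO: more validation needed?
-// parseError,
+body(['contact_info.additional_contact_users']).optional()
+.custom(isFlatStringArray),
+body(['contact_info.admins']).optional()
+.custom(isFlatStringArray),
+body(['aliases']).optional()
+.custom(isFlatStringArray)
+.customSanitizer(toLowerCaseArray),
+// TO-DO: validate users here once implemented
+parseError,
 parsePostParams,
 controller.CREATE_ORG
 )
@@ -307,8 +331,40 @@ router.put('/registryOrg/:shortname',
 mw.validateUser,
 mw.onlySecretariat,
 param(['shortname']).isString().trim(),
-// TODO: do more validation here
-// parseError,
+body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+body(['long_name']).isString().trim().notEmpty(),
+body(['cve_program_org_function']).isString().trim().default('CNA'),
+body(['root_or_tlr']).default(false).isBoolean(),
+body(['oversees']).default([]).isArray(),
+body(
+[
+'charter_or_scope',
+'disclosure_policy',
+'product_list',
+'reports_to',
+'contact_info.poc',
+'contact_info.poc_email',
+'contact_info.poc_phone',
+'contact_info.org_email',
+'contact_info.website'
+])
+.default('')
+.isString(),
+body(['authority.active_roles']).optional()
+.custom(isFlatStringArray)
+.customSanitizer(toUpperCaseArray)
+.custom(isOrgRole),
+body(['soft_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
+body(['hard_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
+body(['contact_info.additional_contact_users']).optional()
+.custom(isFlatStringArray),
+body(['contact_info.admins']).optional()
+.custom(isFlatStringArray),
+body(['aliases']).optional()
+.custom(isFlatStringArray)
+.customSanitizer(toLowerCaseArray),
+// TO-DO: validate users here once implemented
+parseError,
 parsePostParams,
 parseGetParams,
 controller.UPDATE_ORG
@@ -380,7 +436,7 @@ router.delete('/registryOrg/:identifier',
 // TODO: permissions
 mw.onlySecretariat,
 param(['identifier']).isString().trim(),
-// parseError,
+parseError,
 parseDeleteParams,
 controller.DELETE_ORG
 )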
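Review bot: In the POST hunk, `body(['cve_program_org_function']).isString().trim().default('CNA')` places `isString()` before `default()`, so a request that omits the field is presumably rejected by `isString()` before the default is applied, unlike `root_or_tlr` and `oversees` where `default()` runs first; express-validator executes chain items in the order they were added. The same line is repeated in the PUT hunk. Reordering to `body(['cve_program_org_function']).default('CNA').isString().trim(),` in both routes would make the default effective. The `contact_info.poc_email`, `contact_info.org_email` and `contact_info.website` fields accept any string; an `isEmail()`/`isURL()` check behind `.optional({ checkFalsy: true })` would tighten them, and `oversees` could use `.custom(isFlatStringArray)` like the other list fields. The two identical validator lists could become one shared array spread into both routes; the `router.post` and `router.put` calls begin outside the hunks.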

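--- a/src/controller/registry-org.controller/registry-org.controller.js
+++ b/src/controller/registry-org.controller/registry-org.controller.js
@@ -98,7 +98,7 @@ async function createOrg (req, res, next) {
 } else if (k === 'short_name') {
 newOrg.short_name = body[k]
 } else if (k === 'aliases') {
-newOrg.aliases = [...new Set(body[k].active_roles)]
+newOrg.aliases = [...new Set(body[k])]
 } else if (k === 'cve_program_org_function') {
 newOrg.cve_program_org_function = body[k]
 } else if (k === 'authority') {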
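Review bot: `[...new Set(body[k])]` assumes `body[k]` is already an array; the only guard visible in this change is the route's `isFlatStringArray` validator, and if a string value ever reached `createOrg` by another path, `new Set` would silently spread it into single characters. A local guard such as `newOrg.aliases = Array.isArray(body[k]) ? [...new Set(body[k])] : []` keeps the controller correct on its own. createOrg starts and ends outside the hunk.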

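--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -533,6 +533,27 @@ function toUpperCaseArray (val) {
 return newArr
 }
 
+/**
+* Recursively casts to strings and lower-cases all items in array
+*
+* @param {Array} val
+*/
+function toLowerCaseArray (val) {
+if (!Array.isArray(val)) {
+return val.toString().toLowerCase()
+}
+
+const newArr = val.map(k => {
+if (Array.isArray(k)) {
+return toLowerCaseArray(k)
+} else {
+return k.toString().toLowerCase()
+}
+})
+
+return newArr
+}
+
 // Check for the invalid characters <, >, and "
 function containsNoInvalidCharacters (val) {
 const invalidCharacterList = ['<', '>', '"']
@@ -568,6 +589,7 @@ module.exports = {
 isFlatStringArray,
 isCveProgramOrgMembershipObject,
 toUpperCaseArray,
+toLowerCaseArray,
 containsNoInvalidCharacters,
 trimJSONWhitespace
 }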
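Review bot: `k.toString()` in `toLowerCaseArray` throws a TypeError when an element is `null` or `undefined`, and `val.toString()` does the same for a bare `null` value; since this function runs as a `customSanitizer` after `isFlatStringArray`, and express-validator as far as I recall keeps running a chain after a validator has failed, a body such as `aliases: [null]` would presumably surface as an uncaught exception rather than a validation error. Using `String(k).toLowerCase()` and `String(val).toLowerCase()` makes the sanitizer total over any input, and adding `.bail()` after the `isFlatStringArray` check in the routes would stop sanitizers from running on already-rejected input. `String(obj)` yields `[object Object]` for plain objects, so the JSDoc could add `@returns {string|Array} lower-cased copy; non-array input is coerced to a lower-cased string`.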
