CVE identifier length check

rlxdev · rlxdev · commit 841b45ceba73 · 2025-03-20T12:47:05.000-04:00
diff --git a/src/components/cveRecordSearchModule.vue b/src/components/cveRecordSearchModule.vue
@@ -19,17 +19,17 @@
     <div class="field has-addons mt-1">
       <p class="control">
         <span v-if="websiteEnv !== 'prd'" class="select cve-search-selector">
-          <select v-model="searchType">
+          <select v-model="searchType" @input="searchTypeSwap">
             <option>Search CVE List</option>
             <option>Find a Test CVE Record/ID (Legacy)</option>
           </select>
         </span>
       </p>
       <p class="control is-expanded">
-        <input v-if="searchTypeBoolean" v-model.trim="queryString" @keyup="onKeyUp"
-          @keyup.enter="validate" type="text" class="input cve-id-input is-expanded"
+        <input v-if="searchTypeBoolean" v-model.trim="queryString"
+          @input="onInputChange" @keyup.enter="validate" type="text" class="input cve-id-input is-expanded"
           placeholder="Enter keywords (e.g.: CVE ID, sql injection, etc.)" />
-        <input v-else v-model.trim="cveId" @keyup="onKeyUp" @keyup.enter="validate"
+        <input v-else v-model.trim="cveId" @input="onInputChange" @keyup.enter="validate"
           type="text" class="input cve-id-input" placeholder="Enter CVE ID (CVE-YYYY-NNNN)" />
       </p>
       <p class="control">
@@ -65,7 +65,11 @@ import { useGenericGlobalsStore } from '@/stores/genericGlobals';
 const cveIdRegex = /^CVE\p{Pd}(?<year>\d{4})\p{Pd}(?<id>\d{4,})$/iu;
 const wordRegex = /^[a-z0-9 ]+$/i;
 
-const cveStartYear = 1999;
+// This is the current maximum supported length of the "suffix" portion of
+// the CVE ID.  The schema defines a suffix length up to 19, but code in
+// other modules only supports what's defined here.
+
+const maxCveIdSuffix = 7;
 
 let cveListSearchStore = useCveListSearchStore();
 const route = useRoute();
@@ -80,8 +84,9 @@ let cveRecordStore = usecveRecordStore();
 let searchType = ref('Search CVE List');
 let cveId = cveRecordStore.cveId;
 
-// this seems redundant, but it fixes an edge case.
-// if a user searches for a particular field, then on the results page flips the toggle, THEN refreshes without searching, this will keep the correct helper text showing.
+// this seems redundant, but it fixes an edge case. if a user searches for a
+// particular field, then on the results page flips the toggle, THEN refreshes
+// without searching, this will keep the correct helper text showing.
 let searchTypeBoolean = computed(() => {
   return searchType.value == 'Search CVE List' ? true : false;
 });
@@ -120,7 +125,8 @@ function showHelpMessage(helpText) {
 }
 
 function startSearch() {
-  // We only want to flip the search item _When we actually do a search_ otherwise we should default back to what we were on a page refresh
+  // We only want to flip the search item _When we actually do a search_
+  // otherwise we should default back to what we were on a page refresh
   if (searchTypeBoolean.value) {
     cveGenericGlobalsStore.setUseSearch(true);
     cveGenericGlobalsStore.setCurrentServicesUrl(`https://${import.meta.env.VITE_CVE_SERVICES_BASE_URL}`)
@@ -132,8 +138,8 @@ function startSearch() {
   if (cveGenericGlobalsStore.useSearch) {
       cveListSearchStore.$reset();
       cveListSearchStore.query = queryString.value;
-      if (route.name != 'SearchResults' || !route.query?.query
-          || (route.query.query != cveListSearchStore.query)) {
+      if (route?.name !== 'SearchResults' || !route.query?.query
+          || (route.query.query !== cveListSearchStore.query)) {
 
         router.push({name: 'SearchResults',
                      query: {query: cveListSearchStore.query}});
@@ -148,32 +154,39 @@ function startSearch() {
 
 function validateQueryString() {
 
-  const contentMessage = 'Enter words of alphanumeric characters OR a single CVD ID (CVE-YYYY-NNNN).';
+  const contentMessage = 'Enter words of alphanumeric characters OR a single CVE ID (CVE-YYYY-NNNN).';
   const isSearch = searchTypeBoolean.value;
   const searchValue = isSearch ? queryString.value : cveId;
 
+  // The previous search value is only used in determining whether to enable
+  // the search (see its usage in onInputChange() below).
+
   prevSearchValue.value = searchValue;
   cveListSearchStore.isSearchButtonDisabled = true;
   showHelpMessage('');
 
   if (!searchValue)
     return !cveListSearchStore.isSearchButtonDisabled;
 
-  const cveIdMatch = cveIdRegex.exec(searchValue)
+  const cveIdMatch = cveIdRegex.exec(searchValue);
+  let cveIdValid = false;
 
   if (cveIdMatch) {
-    const year = parseInt(cveIdMatch.groups.year);
+    // The search string is a CVE ID.  Re-assemble the components, making sure
+    // "normal" dashes are used to separate the components.
+
+    const year = cveIdMatch.groups.year;
     const id = cveIdMatch.groups.id;
-    const currentYear = new Date().getFullYear();
+    const normalizedCveId = `CVE-${year}-${id}`;
 
-    if (cveStartYear <= year && year <= currentYear) {
-      const normalizedCveId = `CVE-${year}-${id}`;
+    if (id.length <= maxCveIdSuffix) {
+      cveIdValid = true;
       if (isSearch)
         queryString.value = normalizedCveId;
       else
         cveId = normalizedCveId;
     } else {
-      showHelpMessage(`CVE ID year must be within ${cveStartYear}-${currentYear}`);
+      showHelpMessage(`Invalid CVE ID "${normalizedCveId}" - identifier out of range`);
     }
   }
 
@@ -189,7 +202,7 @@ function validateQueryString() {
       // The provided search string is good.
       cveListSearchStore.isSearchButtonDisabled = false;
     }
-  } else if (cveIdMatch) {
+  } else if (cveIdValid) {
 
     // Legacy Find by CVE ID and it's in the correct format.
     cveListSearchStore.isSearchButtonDisabled = false;
@@ -203,17 +216,38 @@ function validateQueryString() {
   return !cveListSearchStore.isSearchButtonDisabled;
 }
 
-function onKeyUp() {
-  if (cveListSearchStore.isSearchButtonDisabled) {
+function onInputChange() {
+  // This function is called when the search string changes.  The only purpose
+  // is to clear the way for the search if there's a value (it's not empty)
+  // and it's not the same as a "bad" value used in the previous search.
+  // As long as this is the case, we enable the search, which will then check
+  // the validity of the search string when initiated.
+
     const isSearch = searchTypeBoolean.value;
     const searchValue = isSearch ? queryString.value : cveId;
 
+  if (cveListSearchStore.isSearchButtonDisabled) {
     if (prevSearchValue.value !== searchValue)
       cveListSearchStore.isSearchButtonDisabled = false;
+  } else if (!searchValue.length) {
+    // This handles the case when the user clears the input field following
+    // a successful search, possibly by using the delete button or selecting
+    // the input and cutting via the keyboard.  It makes the state consistent
+    // with when the page starts with nothing in the input field.
+
+    cveListSearchStore.isSearchButtonDisabled = true;
   }
 }
 
 function validate() {
+  // This function is called when initiating a search.  It's invoked as a result
+  // of one of these user actions:
+  //
+  //    - pressing enter in the input field.
+  //    - clicking the Search/Find button.
+  //    - entering the search URL.
+  //
+  // Provided the search string is valid, the search is started.
 
   if (validateQueryString()) {
     try {
@@ -222,11 +256,31 @@ function validate() {
     } finally {
       cveListSearchStore.isSearchButtonDisabled = false;
     }
-  } else if (route.name != 'home' || route?.query) {
+  } else if (route?.name != 'home' || route?.query) {
+    // The query string is not valid and the route indicates that the URL
+    // is most likely associated with a previous valid search.  The user
+    // has initiated another search that is unrelated to the URL being
+    // displayed (e.g., cve.org/CVERecord/SearchResults?query=CVE-2020-0001).
+    // Rather than display a URL that is not associated with the
+    // current search, reset it to the home route.
+
     router.push({name: 'home', query: {}});
   }
 }
 
+function searchTypeSwap() {
+
+  // This function is used only when there's an option menu present that
+  // allows for using the "legacy" find, which does NOT apply to the
+  // production website.  When a switch is made in the type of search, this
+  // function resets the previous search value and removes the URL that's
+  // applicable to the other search type.
+
+  prevSearchValue.value = '';
+
+  router.push({name: 'home', query: {}});
+}
+
 const websiteEnv = computed(() => {
   return import.meta.env.VITE_WEBSITE_ENVIRONMENT;
 });
