Merge pull request #1117 from CVEProject/js-1097

Resolves #1097 Prevents datePublic values from being future dates
CVEProject · Aug 21, 2023 · dc5b25f · dc5b25f
2 parents 0d4a7c4 + 68da425
commit dc5b25f
Show file tree

Hide file tree

Showing 6 changed files with 327 additions and 27 deletions.
diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
@@ -147,6 +147,28 @@ function validateCveCnaContainerJsonSchema (req, res, next) {
   next()
 }
 
+/**
+ * Checks that datePublic field is not a future date
+ *
+ * @param {String} dateIndex
+ * @returns true
+ * @throws Error
+ */
+function validateDatePublic (dateIndex) {
+  // Check if datePublic is a future date
+  return body(dateIndex).optional({ nullable: true }).custom((datePublic) => {
+    if (datePublicHelper(datePublic)) {
+      return true
+    }
+    throw new Error('datePublic cannot be a future date')
+  })
+}
+
+function datePublicHelper (datePublic) {
+  const currentDate = new Date().toISOString()
+  return currentDate > datePublic
+}
+
 // Organizations in the ADP pilot are generating JSON programatically, and thus
 // informing them about the result of the final validation (against the full
 // CVE Record schema) is currently sufficient.
@@ -163,5 +185,7 @@ module.exports = {
   validateUniqueEnglishEntry,
   hasSingleEnglishEntry,
   validateDescription,
-  validateRejectBody
+  validateRejectBody,
+  validateDatePublic,
+  datePublicHelper
 }
diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js
@@ -4,7 +4,7 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription } = require('./cve.middleware')
+const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic } = require('./cve.middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -336,6 +336,7 @@ router.post('/cve/:id',
   // the lang key to check depends on the state, so pass both
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
+  validateDatePublic(['containers.cna.datePublic']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -420,6 +421,7 @@ router.put('/cve/:id',
   // the lang key to check depends on the state, so pass both
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
+  validateDatePublic(['containers.cna.datePublic']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -505,6 +507,7 @@ router.post('/cve/:id/cna',
   validateCveCnaContainerJsonSchema,
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
+  validateDatePublic(['cnaContainer.datePublic']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -591,6 +594,7 @@ router.put('/cve/:id/cna',
   validateCveCnaContainerJsonSchema,
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
+  validateDatePublic(['cnaContainer.datePublic']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -849,6 +853,7 @@ router.put('/cve/:id/adp',
   mw.validateUser,
   mw.onlyAdps,
   validateCveAdpContainerJsonSchema,
+  validateDatePublic(['adpContainer.datePublic']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,

diff --git a/test/integration-tests/constants.js b/test/integration-tests/constants.js
@@ -242,5 +242,12 @@ const testAdp2 = {
 }
 
 module.exports = {
-  headers, nonSecretariatUserHeaders, badNonSecretariatUserHeaders, nonSecretariatUserHeadersWithAdp2, testCve, testCveEdited, testAdp, testAdp2
+  headers,
+  nonSecretariatUserHeaders,
+  badNonSecretariatUserHeaders,
+  nonSecretariatUserHeadersWithAdp2,
+  testCve,
+  testCveEdited,
+  testAdp,
+  testAdp2
 }
diff --git a/test/schemas/5.0/CVE-2017-4024_published.json b/test/schemas/5.0/CVE-2017-4024_published.json
@@ -26,17 +26,17 @@
                     }
                 ],
                 "affected": [
-                        {
-                          "vendor": "u",
-                          "product": "yuyi",
-                          "versions": [
-                              {
-                                  "version": "uuy",
-                                  "status": "affected"
-                              }
-                          ]
-                        }
-                  ],
+                    {
+                        "vendor": "u",
+                        "product": "yuyi",
+                        "versions": [
+                            {
+                                "version": "uuy",
+                                "status": "affected"
+                            }
+                        ]
+                    }
+                ],
                 "providerMetadata": {
                     "orgId": "88c02595-c8f7-4864-a0e7-e09b3e1da691",
                     "shortName": "cisco",
@@ -137,17 +137,17 @@
                 }
             ],
             "affected": [
-              {
-                "vendor": "u",
-                "product": "yuyi",
-                "versions": [
-                    {
-                        "version": "uuy",
-                        "status": "affected"
-                    }
-                ]
-              }
-          ],
+                {
+                    "vendor": "u",
+                    "product": "yuyi",
+                    "versions": [
+                        {
+                            "version": "uuy",
+                            "status": "affected"
+                        }
+                    ]
+                }
+            ],
             "providerMetadata": {
                 "orgId": "88c02595-c8f7-4864-a0e7-e09b3e1da691",
                 "shortName": "cisco",
@@ -230,7 +230,8 @@
             ],
             "source": {
                 "discoverer": "Tom Smith"
-            }
+            },
+            "datePublic": "2022-02-20T00:00:00"
         }
     }
-  }
+}