Unhelpful error message for x_\u0000 #803

Closed
ElectricNroff opened this issue Jul 29, 2022 · 1 comment
@ElectricNroff
Contributor

This is similar to the #608 issue.

Sending

{"cnaContainer": {  "x_\u0000": true,
                    "affected": [{"product": "p","vendor": "v",
                    "versions": [
                        {
                            "version": "1.2",
                            "status": "affected"
                        }
                    ]}],"descriptions": [ {"lang": "en", "value":
                                           "v p 1.2 is insecure."}],
                  "problemTypes": [{"descriptions": [{
                      "description": "insecurity", "lang": "en"}]}],
                  "references": [{"url": "https://example.com"}]}}

to the POST /cve/{id}/cna endpoint results in

{"error":"SERVICE_NOT_AVAILABLE","message":"This service appears to not be available."}

with this in err.stack in errorHandler in src/middleware/middleware.js:

{"error":"BAD_REQUEST","message":"Error: key x_\u0000 must not contain null bytes
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:914:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:729:17)
    at serializeObject (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:347:18)
    at serializeInto (/home/node/app/node_modules/bson/lib/bson/parser/serializer.js:947:17)
    at BSON.serialize (/home/node/app/node_modules/bson/lib/bson/bson.js:64:28)"}

Something similar to the #608 solution might be used, e.g.,

if (err.stack && err.stack.includes('must not contain null bytes')) {

...

err.message = 'JSON document must not have a field name containing the U+0000 character.'
@david-rocca david-rocca self-assigned this Jul 31, 2023
@david-rocca
Collaborator

While attempting to re-create this, I found that the change made to fix #846 does a generic try/catch, which stops JS from writing out the stack trace. In addition, the following message is displayed: "A problem occurred while saving the CVE Record, ensure field names in x_ objects do not start with $"

I am going to add "or include a null byte" to the error message and then also implement a test for the $ and the null byte scenarios.
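
As an added example (not part of the issue thread and not the project's own code): a pre-serialization check that walks the request body and reports every field name containing U+0000 or starting with `$`, so the handler can return a specific 400 before the BSON serializer throws. `findInvalidKeys` and `fieldNameError` are hypothetical names, and flagging `$` names anywhere in the document rather than only inside x_ objects is an assumption.

```javascript
// Walk a parsed JSON value and collect every field name that the BSON
// serializer would reject. Assumption: '$'-prefixed names are flagged
// anywhere in the document, not only inside x_ objects.
function findInvalidKeys(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findInvalidKeys(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      // JSON.stringify renders U+0000 as the visible escape \u0000,
      // so the offending name can be logged and returned safely.
      const shown = JSON.stringify(key).slice(1, -1);
      const here = path ? `${path}.${shown}` : shown;
      if (key.includes('\u0000')) out.push({ path: here, reason: 'contains U+0000' });
      if (key.startsWith('$')) out.push({ path: here, reason: 'starts with $' });
      findInvalidKeys(value[key], here, out);
    }
  }
  return out;
}

// Hypothetical helper: returns null when the body is acceptable, otherwise a
// 400-style error body that names each offending field.
function fieldNameError(body) {
  const bad = findInvalidKeys(body);
  if (bad.length === 0) return null;
  return {
    error: 'BAD_REQUEST',
    message: 'JSON document field names must not contain U+0000 or start with $.',
    details: bad.map((b) => `${b.path}: ${b.reason}`)
  };
}

// Constructed sample, modelled on the request in the issue plus one $ key.
const sampleBody = JSON.parse(
  '{"cnaContainer": {"x_\\u0000": true, "x_vendor": [{"$where": 1}],' +
  ' "references": [{"url": "https://example.com"}]}}'
);

console.log(JSON.stringify(fieldNameError(sampleBody), null, 2));
```

Running the check before the database call keeps the response a client error with the field path in it, instead of relying on matching text in a caught serializer exception.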
