Express customSanitizer needs error catching and validity checks

[sei-vsarvepalli]

Requirements for Contributing a Bug Fix

Identify the Bug

#609 seems to be an ongoing issue that can happen in a few scenarios.

Description of the Change

Every customsantizier for validating and publishing the roles array will

    .customSanitizer(val => {
	try {
	    return val.map(x => { return x.toUpperCase() })
	} catch(err) {
	    return false
	}
    }).custom(val => {
	if (val) {
	    return isOrgRole(val)
	}
	return Promise.reject('Value should be an array of valid roles')
    })

Alternate Designs

Do not use customSanitizer method at all, just use the isOrgRole and isUserRole and use the native toUpperCase method while adding/managing roles.

OR

Use the customSanitizer as it is done tin the toDate method in

cve-services/src/controller/cve-id.controller/cve-id.middleware.js

Lines 19 to 34 in 888b07d

	function toDate (val) {
	let value = val.match(/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(|Z|((-|\+|\s)\d{2}:\d{2}))$/)
	let result
	if (value) {
	value[0] = value[0].replace(' ', '+') // Re-add literal '+' which was stripped
	result = new Date(value[0])
	} else {
	value = val.match(/^\d{4}-\d{2}-\d{2}$/)
	if (value) {
	result = new Date(`${value[0]}T00:00:00.000+00:00`)
	} else {
	result = null
	}
	}
	return result
	}

Possible Drawbacks

None I can think of.

Verification Process

Testing with a local instance with fuzzing input for active_roles

Release Notes

This release fixes bug #609 which can lead to unexpected 500 errors and revealing the lack of input validation.

[david-rocca]

Hello, this PR has been marked as Stale.

If you would like this PR to still be considered, please rebase / update it to work with the latest changes. If no updates are made within 30 days, this PR will be closed.

Thanks