From 222a2a096c0058a0cf2dc62e6c6475d298ffe88b Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Tue, 3 May 2022 15:48:04 -0400
Subject: [PATCH] Express customSanitizer needs error catching and safety checks

---
 src/controller/org.controller/index.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
index 190de4b8e..d680efbe8 100644
--- a/src/controller/org.controller/index.js
+++ b/src/controller/org.controller/index.js
@@ -155,7 +155,7 @@ router.post('/org',
 body(['short_name']).isString().trim().escape().notEmpty(),
 body(['name']).isString().trim().escape().notEmpty(),
 body(['uuid']).optional().isString().trim().escape(),
-body(['authority.active_roles']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isOrgRole(val) }),
+body(['authority.active_roles']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isOrgRole(val) } return Promise.reject('Value should be an array of valid roles')}),
 body(['policies.id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage('The id_quota does not comply with CVE id quota limitations.'),
 parseError,
 parsePostParams,
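Review bot: The new sanitizer/validator pair is pasted inline six times (this hunk and the three that follow it), and the try/catch uses an exception as the type check, so an array holding a non-string and a non-array value are both folded into `false` while the caught `err` is discarded. Defining the pair once at module level (outside this hunk, next to wherever `isOrgRole` and `isUserRole` are brought in) with an explicit `Array.isArray`/`typeof` guard reduces each chain to `.customSanitizer(upperCaseRoles).custom(requireRoles(isOrgRole))` and makes a later change to the message or the check a one-line edit. The body forms in this hunk and in the `/org/:shortname/user` hunk run no `.toArray()` before the sanitizer, unlike the query forms, so a scalar string role in the body is now rejected with the "array" message rather than wrapped; if that is intended, a short comment on those lines, `// body form: value must already be an array (the query forms call toArray() first)`, would save the next reader a diff. The `router.post('/org', …)` call starts and ends outside the hunk.
```javascript
// Module-level helpers, added once outside this hunk; the inline lambdas in all four hunks become calls to them.
// Normalise a role list to upper case; anything that is not an array of strings becomes `false`
// so the paired `custom` check reports a validation error instead of letting a TypeError escape.
const upperCaseRoles = (val) =>
  Array.isArray(val) && val.every((x) => typeof x === 'string')
    ? val.map((x) => x.toUpperCase())
    : false;

// Build a `custom` validator that applies `check` (isOrgRole / isUserRole) to the sanitised list.
const requireRoles = (check) => (val) =>
  val ? check(val) : Promise.reject('Value should be an array of valid roles');

// … unchanged: short_name / name / uuid chains …
body(['authority.active_roles']).optional().customSanitizer(upperCaseRoles).custom(requireRoles(isOrgRole)),
// … unchanged: policies.id_quota chain, parseError, parsePostParams …
```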
@@ -307,9 +307,9 @@ router.put('/org/:shortname',
 query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage('The id_quota does not comply with CVE id quota limitations.'),
 query(['name']).optional().isString().trim().escape().notEmpty(),
 query(['active_roles.add']).optional().toArray(),
-query(['active_roles.add']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isOrgRole(val) }),
+query(['active_roles.add']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isOrgRole(val) } return Promise.reject('Value should be an array of valid roles')}),
 query(['active_roles.remove']).optional().toArray(),
-query(['active_roles.remove']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isOrgRole(val) }),
+query(['active_roles.remove']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isOrgRole(val) } return Promise.reject('Value should be an array of valid roles')},)
 parseError,
 parsePostParams,
 controller.ORG_UPDATE_SINGLE)
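Review bot: The second added line (`active_roles.remove`) ends with `},)` instead of `}),`, which closes the `.custom(...)` call with a trailing comma and then leaves no separator before `parseError` on the following context line, so the module fails to parse (`SyntaxError: Unexpected identifier`) and nothing in this file loads. The line should end `return Promise.reject('Value should be an array of valid roles')}),` exactly as the `active_roles.add` line above it does. The `router.put('/org/:shortname', …)` call starts before this hunk.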
@@ -541,7 +541,7 @@ router.post('/org/:shortname/user',
 body(['name.last']).optional().isString().trim().escape(),
 body(['name.middle']).optional().isString().trim().escape(),
 body(['name.suffix']).optional().isString().trim().escape(),
-body(['authority.active_roles']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isUserRole(val) }),
+body(['authority.active_roles']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isUserRole(val) } return Promise.reject('Value should be an array of valid roles')}),
 parseError,
 parsePostParams,
 controller.USER_CREATE_SINGLE)
@@ -706,9 +706,9 @@ router.put('/org/:shortname/user/:username',
 query(['name.middle']).optional().isString().trim().escape(),
 query(['name.suffix']).optional().isString().trim().escape(),
 query(['active_roles.add']).optional().toArray(),
-query(['active_roles.add']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isUserRole(val) }),
+query(['active_roles.add']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isUserRole(val) } return Promise.reject('Value should be an array of valid roles')}),
 query(['active_roles.remove']).optional().toArray(),
-query(['active_roles.remove']).optional().customSanitizer(val => { return val.map(x => { return x.toUpperCase() }) }).custom(val => { return isUserRole(val) }),
+query(['active_roles.remove']).optional().customSanitizer(val => { try { return val.map(x => { return x.toUpperCase() }) } catch(err) { return false } }).custom(val => { if (val) { return isUserRole(val) } return Promise.reject('Value should be an array of valid roles')}),
 parseError,
 parsePostParams,
 controller.USER_UPDATE_SINGLE)