
JSON document from a client can redefine what toString() means on the server #1158

Closed
ElectricNroff opened this issue Jan 2, 2024 · 2 comments
Comments

@ElectricNroff
Contributor

```js
validateCveAdpContainerJsonSchema,
validateDatePublic(['adpContainer.datePublic']),
```

does not restrict the data type of the adpContainer.datePublic value, and thus any ADP can provide a JSON document that forces type coercion, and can also provide a JSON document that redefines the meaning of a JavaScript toString() method.

For example, a client can make a PUT /cve/{id}/adp request with a boolean where a string is expected:

```json
{"adpContainer":{"datePublic":true}}
```

Here, type coercion for

```js
return currentDate > datePublic
```

causes datePublic to be later than the current date, and thus the request gets an error message of:

```
"msg":"datePublic cannot be a future date","param":"adpContainer.datePublic"
```

By contrast, if the PUT /cve/{id}/adp request uses an empty array where a string is expected:

```json
{"adpContainer":{"datePublic":[]}}
```

then the type coercion causes datePublic to be earlier than the current date, and the request processing proceeds until it ultimately gives the user an error message of:

```
{"error":"BAD_ADP_JSON","message":"The ADP data does not comply with the JSON schema."
```

A PUT /cve/{id}/adp request can also set datePublic to an object that has a toString property:

```json
{"adpContainer":{"datePublic":{"toString":true}}}
```

Here, the user gets an error message of:

```json
{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"Cannot convert object to primitive value","param":"adpContainer.datePublic","location":"body"}]}
```

In other words, because the user-supplied JSON document has interfered with the meaning of toString (which would have been used during type coercion), it is not possible to complete the type coercion, and thus a "Cannot convert object" message is produced. This only occurs for certain method names such as toString. For example, if the JSON document instead has xyString:

```json
{"adpContainer":{"datePublic":{"xyString":true}}}
```

then type coercion is successful, datePublic is considered to be later than the current date, and the user gets:

```
"msg":"datePublic cannot be a future date"
```

In general, it does not seem especially safe to let a client user redefine what toString means. One workaround would be to add a check before line 962 above that ensures that datePublic, if present, has the string data type. Another workaround would be to change validateCveAdpContainerJsonSchema so that it validates the entire user-supplied JSON document (i.e., if it validates, then datePublic must have been a string). A third workaround would be to check for datePublic after the full CVE Record is validated but before writing to the database, i.e., here:

```js
}
await cveRepo.updateByCveId(id, cveModel)
```
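
The four coercion outcomes described in this issue, reproduced in an added example that is not code from cve-services or from the issue author. It assumes the loose check compares an ISO-8601 string for the current date against the raw request value with `currentDate > datePublic`; under that assumption it yields exactly the results reported above. Beside it is a check that rejects any non-string `datePublic` before the comparison, which is the first workaround suggested in the issue. The names `CURRENT_DATE`, `looseDatePublicCheck`, `strictDatePublicCheck`, `checkRequestBody` and `PAYLOADS` are hypothetical, and the request bodies are constructed from the ones quoted above.

```javascript
// Added example, not cve-services code. Assumption: the loose check compares an
// ISO-8601 string for "now" against the raw client value with `currentDate > datePublic`.
// All names below are hypothetical.

// Constructed, fixed "now" so the run is repeatable (the issue was filed 2024-01-02).
const CURRENT_DATE = '2024-01-02T00:00:00.000Z';

// Assumed shape of the loose check: JavaScript coerces whatever the client sent.
// Returns 'ok', the validator's message, or the TypeError message when coercion itself fails.
function looseDatePublicCheck(datePublic) {
  try {
    // true            -> ToNumber(string) is NaN, comparison false -> "future date" error
    // []              -> coerces to "", string compare is true     -> passes
    // {toString:true} -> ToPrimitive finds no callable method      -> TypeError
    // {xyString:true} -> "[object Object]" sorts after "2024..."   -> "future date" error
    return CURRENT_DATE > datePublic ? 'ok' : 'datePublic cannot be a future date';
  } catch (err) {
    return err.message; // V8: "Cannot convert object to primitive value"
  }
}

// Hardened check (first workaround in the issue): require a string before any
// comparison, parse it, and compare timestamps as numbers, so client data is never coerced.
function strictDatePublicCheck(datePublic) {
  if (datePublic === undefined) return 'ok'; // field is optional
  if (typeof datePublic !== 'string') return 'datePublic must be a string';
  const ts = Date.parse(datePublic);
  if (Number.isNaN(ts)) return 'datePublic must be a valid date';
  return ts <= Date.parse(CURRENT_DATE) ? 'ok' : 'datePublic cannot be a future date';
}

// Parse a body the way the server would and run a check on adpContainer.datePublic.
// JSON.parse turns {"toString":true} into an own property that shadows Object.prototype.toString.
function checkRequestBody(jsonText, check) {
  const body = JSON.parse(jsonText);
  return check(body.adpContainer.datePublic);
}

// Constructed request bodies, taken from the issue plus one valid past date.
const PAYLOADS = {
  boolean: '{"adpContainer":{"datePublic":true}}',
  emptyArray: '{"adpContainer":{"datePublic":[]}}',
  toStringProp: '{"adpContainer":{"datePublic":{"toString":true}}}',
  xyString: '{"adpContainer":{"datePublic":{"xyString":true}}}',
  validPast: '{"adpContainer":{"datePublic":"2023-12-31T00:00:00.000Z"}}',
};

for (const [name, jsonText] of Object.entries(PAYLOADS)) {
  console.log(name.padEnd(12),
    '| loose:', checkRequestBody(jsonText, looseDatePublicCheck),
    '| strict:', checkRequestBody(jsonText, strictDatePublicCheck));
}
```

Only the `validPast` body passes both checks; every non-string body is refused by the strict check with the same message, regardless of which property names the client chose, because the type test runs before any operation that would invoke `toString` or `valueOf` on client-controlled objects.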

@jdaigneau5
Collaborator

Resolved by #1160

@jdaigneau5
Collaborator

reopening for discussion

@jdaigneau5 jdaigneau5 reopened this Jan 9, 2024