containsNoInvalidCharacters uses .includes on invalid data type

[ElectricNroff]

cve-services/src/middleware/middleware.js

Lines 443 to 447 in 97b00ab

	function containsNoInvalidCharacters (val) {
	const invalidCharacterList = ['<', '>', '"']
	if (val) {
	for (const invalidCharacter of invalidCharacterList) {
	if (val.includes(invalidCharacter)) {

There is currently no guarantee that val is a string when this is called. For example, val may be an object such that val.includes is not defined:

curl -g -X PUT \
-H "CVE-API-ORG: ..." \
-H "CVE-API-USER: ..." \
-H "CVE-API-KEY: ..." \
'https://cveawg-test.mitre.org/api/org/Mickey%20Mouse/user/minnie?active_roles.add[a]=b'

results in:

{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"val.includes is not a function"

Another example is a PUT of:

https://cveawg-test.mitre.org/api/org/Mickey%20Mouse/user/minnie?active_roles.add[500]=ADMIN

which fails with:

{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"val.includes is not a function"

even though an analogous request with a smaller array index succeeds:

https://cveawg-test.mitre.org/api/org/Mickey%20Mouse/user/minnie?active_roles.add[5]=ADMIN

"message":"minnie was successfully updated." ... "authority":{"active_roles":["ADMIN"]}