cvss: add additional check for malformed input

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
quay · May 10, 2024 · 34c3319 · 34c3319
1 parent 068edb6
commit 34c3319
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 0 deletions.
diff --git a/toolkit/types/cvss/cvss_v2.go b/toolkit/types/cvss/cvss_v2.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
@@ -36,6 +37,13 @@ func (v *V2) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v2: %w: missing metric: %q", ErrMalformedVector, V3Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v2: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v2: malformed input")
+	}
 	return nil
 }
 

diff --git a/toolkit/types/cvss/cvss_v2_test.go b/toolkit/types/cvss/cvss_v2_test.go
@@ -14,6 +14,8 @@ func TestV2(t *testing.T) {
 			{Vector: "AV:L/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H", Error: false},
 			{Vector: "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", Error: true},
 			{Vector: "AV:N/AC:L/Au:N/C:N/I:N", Error: true},
+			{Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H", Error: true},
+			{Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:F", Error: true},
 		}
 		Error[V2, V2Metric, *V2](t, tcs)
 	})

diff --git a/toolkit/types/cvss/cvss_v3.go b/toolkit/types/cvss/cvss_v3.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
@@ -53,6 +54,13 @@ func (v *V3) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v3: %w: missing metric: %q", ErrMalformedVector, V3Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v3: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v3: malformed input")
+	}
 	return nil
 }
 

diff --git a/toolkit/types/cvss/cvss_v4.go b/toolkit/types/cvss/cvss_v4.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
@@ -32,6 +33,13 @@ func (v *V4) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v4: %w: missing metric: %q", ErrMalformedVector, V4Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v4: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v4: malformed input")
+	}
 	return nil
 }
 

diff --git a/toolkit/types/cvss/cvss_v4_test.go b/toolkit/types/cvss/cvss_v4_test.go
@@ -20,6 +20,7 @@ func TestV4(t *testing.T) {
 			{Vector: "CVSS:/AV:A/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SA:N/S:X", Error: true},
 			{Vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/E:X", Error: true},
 			{Vector: "CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", Error: true},
+			{Vector: "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:LN/VI:L/VA:N/SC:N/SI:N/SA:N", Error: true},
 		}
 		Error[V4, V4Metric, *V4](t, tcs)
 	})