From 34c3319dc49eca8084acb8ef8d35de972580d26a Mon Sep 17 00:00:00 2001
From: Hank Donnay
Date: Thu, 9 May 2024 14:10:17 -0500
Subject: [PATCH] cvss: add additional check for malformed input

Signed-off-by: Hank Donnay
---
 toolkit/types/cvss/cvss_v2.go | 8 ++++++++
 toolkit/types/cvss/cvss_v2_test.go | 2 ++
 toolkit/types/cvss/cvss_v3.go | 8 ++++++++
 toolkit/types/cvss/cvss_v4.go | 8 ++++++++
 toolkit/types/cvss/cvss_v4_test.go | 1 +
 5 files changed, 27 insertions(+)

diff --git a/toolkit/types/cvss/cvss_v2.go b/toolkit/types/cvss/cvss_v2.go
index 0b4a32521..646dad6c6 100644
--- a/toolkit/types/cvss/cvss_v2.go
+++ b/toolkit/types/cvss/cvss_v2.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
@@ -36,6 +37,13 @@ func (v *V2) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v2: %w: missing metric: %q", ErrMalformedVector, V3Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v2: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v2: malformed input")
+	}
 	return nil
 }
 
diff --git a/toolkit/types/cvss/cvss_v2_test.go b/toolkit/types/cvss/cvss_v2_test.go
index beb6ec01c..97c3564a5 100644
--- a/toolkit/types/cvss/cvss_v2_test.go
+++ b/toolkit/types/cvss/cvss_v2_test.go
@@ -14,6 +14,8 @@ func TestV2(t *testing.T) {
 			{Vector: "AV:L/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H", Error: false},
 			{Vector: "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", Error: true},
 			{Vector: "AV:N/AC:L/Au:N/C:N/I:N", Error: true},
+			{Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H", Error: true},
+			{Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:F", Error: true},
 		}
 		Error[V2, V2Metric, *V2](t, tcs)
 	})
diff --git a/toolkit/types/cvss/cvss_v3.go b/toolkit/types/cvss/cvss_v3.go
index 8c2a56779..f13750d24 100644
--- a/toolkit/types/cvss/cvss_v3.go
+++ b/toolkit/types/cvss/cvss_v3.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
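Review bot: The new mismatch branch returns `fmt.Errorf("cvss v2: malformed input")` without wrapping `ErrMalformedVector`, unlike the `missing metric` return three lines above it, so callers that classify parse failures with `errors.Is(err, ErrMalformedVector)` will not match this case; the V3 and V4 `UnmarshalText` hunks have the same shape. Suggest `return fmt.Errorf("cvss v2: %w: vector does not round-trip: got %q, want %q", ErrMalformedVector, chk, text)` so the failure is both classifiable and diagnosable, with `%q` keeping the untrusted input escaped when it reaches a log. The byte-for-byte comparison also means any input the parser tolerates but `MarshalText` does not reproduce — a different metric order or trailing whitespace, if those were previously accepted — is now rejected, which deserves a comment above the check such as `// Reject anything that does not round-trip through MarshalText: partial optional groups and non-canonical spellings.` and a release note if such input was accepted before. The context line's `V3Metric(m).String()` appears to name a V2 metric with the V3 table; if `m` is a `V2Metric` here that is a separate pre-existing mismatch worth fixing while touching this function. `UnmarshalText` begins outside the hunk.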
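Review bot: Both added cases only assert that a partially written optional group is rejected; nothing pins that a group written out in full with explicit not-defined values still parses, which the new round-trip comparison in `UnmarshalText` now makes dependent on what `MarshalText` emits. Suggest a constructed positive case such as `{Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND", Error: false}`; if `MarshalText` omits ND metrics this will fail, and that behavior should then be decided deliberately rather than fall out of the serializer. `TestV2` starts outside the hunk.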
@@ -53,6 +54,13 @@ func (v *V3) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v3: %w: missing metric: %q", ErrMalformedVector, V3Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v3: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v3: malformed input")
+	}
 	return nil
 }
 
diff --git a/toolkit/types/cvss/cvss_v4.go b/toolkit/types/cvss/cvss_v4.go
index 20b165e99..9148c4ecd 100644
--- a/toolkit/types/cvss/cvss_v4.go
+++ b/toolkit/types/cvss/cvss_v4.go
@@ -1,6 +1,7 @@
 package cvss
 
 import (
+	"bytes"
 	"encoding"
 	"fmt"
 	"strings"
@@ -32,6 +33,13 @@ func (v *V4) UnmarshalText(text []byte) error {
 			return fmt.Errorf("cvss v4: %w: missing metric: %q", ErrMalformedVector, V4Metric(m).String())
 		}
 	}
+	chk, err := v.MarshalText()
+	if err != nil {
+		return fmt.Errorf("cvss v4: %w", err)
+	}
+	if !bytes.Equal(chk, text) {
+		return fmt.Errorf("cvss v4: malformed input")
+	}
 	return nil
 }
 
diff --git a/toolkit/types/cvss/cvss_v4_test.go b/toolkit/types/cvss/cvss_v4_test.go
index 652eb642a..2f9fc20bc 100644
--- a/toolkit/types/cvss/cvss_v4_test.go
+++ b/toolkit/types/cvss/cvss_v4_test.go
@@ -20,6 +20,7 @@ func TestV4(t *testing.T) {
 			{Vector: "CVSS:/AV:A/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SA:N/S:X", Error: true},
 			{Vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/E:X", Error: true},
 			{Vector: "CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", Error: true},
+			{Vector: "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:LN/VI:L/VA:N/SC:N/SI:N/SA:N", Error: true},
 		}
 		Error[V4, V4Metric, *V4](t, tcs)
 	})