500 Internal Server Error for createUser with toString
ElectricNroff opened this issue · 0 comments
By combining the findings of the #609 and #1158 issues, it's possible to trigger a 500 error if one is allowed to create users. In other words, unlike in the #1158 issue, it is not necessary to be an ADP to redefine a toString() method.
For example,
curl -X POST \
-H "CVE-API-ORG: ..." \
-H "CVE-API-USER: ..." \
-H "CVE-API-KEY: ..." \
-d 'username=bob&authority.active_roles[toString]=true' \
https://cveawg-test.mitre.org/api/org/Mickey%20Mouse/user
results in:
HTTP/1.1 500 Internal Server Error
{"error":"SERVICE_NOT_AVAILABLE","message":"This service appears to not be available."}
Alternatively, this body can be used:
-d 'username=bob&authority.active_roles[][toString]=true'
This is specific to certain method names such as toString. If, for example, xyString is used instead, then the error message is:
{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"Parameter must be a one-dimensional array of strings","param":"authority.active_roles","location":"body"},{"msg":"User role does not exist.","param":"authority.active_roles","location":"body"}]}
In other words, a client user, by placing "toString" within a POST /org/{shortname}/user API call, can interfere with the server's ability to execute this code:
cve-services/src/middleware/middleware.js, lines 428 to 435 at commit 8b51241
(As far as I know, authority.active_roles[toString]=true fails with TypeError: val.toString is not a function, whereas authority.active_roles[][toString]=true fails with TypeError: k.toString is not a function.)
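The mechanism behind the report, shown as an added example that is not part of the issue and not code from cve-services or from the qs library: a minimal bracket-notation body parser (a constructed stand-in for qs-style parsing) turns authority.active_roles[toString]=true into { toString: "true" }, an own property that shadows Object.prototype.toString, and authority.active_roles[][toString]=true into [{ toString: "true" }]. A stand-in normaliser that calls .toString() on the value or on each element then throws the two TypeErrors quoted in the report, while xyString leaves the inherited method intact and so passes through to ordinary validation. The naiveNormalizeRoles function is an assumption about the shape of the server code, inferred only from the error messages; safeNormalizeRoles is the check a practitioner would add: validate that the value is an array of strings before calling any method on it, so the shadowed toString is rejected as bad input instead of reaching a call that throws.

```javascript
// Added example: NOT cve-services code and NOT the qs library. A constructed
// stand-in parser: "a[b]=c" -> { a: { b: "c" } }, "a[]=c" -> { a: ["c"] }.
// Containers are ordinary objects, so a key named "toString" becomes an own
// property that shadows Object.prototype.toString, as in the report.

function keyPath(rawKey) {
  // "authority.active_roles[][toString]" -> ["authority", "active_roles", "", "toString"]
  // An empty segment ("") means "append to an array".
  const tokens = [];
  const re = /\[([^\]]*)\]|[^.\[\]]+/g;
  let m;
  while ((m = re.exec(rawKey)) !== null) {
    tokens.push(m[1] !== undefined ? m[1] : m[0]);
  }
  return tokens;
}

function assignPath(root, path, value) {
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const childIsArray = path[i + 1] === '';
    if (key === '') {
      const child = childIsArray ? [] : {};
      node.push(child);
      node = child;
    } else {
      // Reuse only an existing *own* container. An inherited function such as
      // Object.prototype.toString is not a container and gets shadowed.
      if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== 'object') {
        node[key] = childIsArray ? [] : {};
      }
      node = node[key];
    }
  }
  const last = path[path.length - 1];
  if (last === '') node.push(value);
  else node[last] = value;
}

function parseNestedBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    assignPath(out, keyPath(rawKey), value);
  }
  return out;
}

// ASSUMED shape of the server-side normalisation (not the real middleware.js):
// it calls toString() on the parameter, or on each element if it is an array.
// This shape produces exactly the two messages quoted in the report.
function naiveNormalizeRoles(val) {
  if (Array.isArray(val)) {
    return val.map((k) => k.toString());
  }
  return [val.toString()];
}

// Run the naive path over a raw request body and report what happened.
function naiveOutcome(body) {
  const parsed = parseNestedBody(body);
  try {
    return { status: 'ok', roles: naiveNormalizeRoles(parsed.authority.active_roles) };
  } catch (e) {
    // An uncaught TypeError at this point is what surfaces as the 500.
    return { status: 'error', error: `${e.constructor.name}: ${e.message}` };
  }
}

// Hardened version: check the shape with typeof/Array.isArray, which cannot be
// influenced by a shadowed method, before calling anything on the value.
function isOneDimensionalStringArray(val) {
  return Array.isArray(val) && val.every((k) => typeof k === 'string');
}

function safeNormalizeRoles(val) {
  const arr = typeof val === 'string' ? [val] : val;
  if (!isOneDimensionalStringArray(arr)) {
    throw new RangeError('Parameter must be a one-dimensional array of strings');
  }
  return arr.slice();
}

function safeOutcome(body) {
  const parsed = parseNestedBody(body);
  const val = parsed.authority && parsed.authority.active_roles;
  try {
    return { status: 'ok', roles: safeNormalizeRoles(val) };
  } catch (e) {
    return { status: 'bad_input', error: e.message };
  }
}

// Constructed request bodies taken from the report (role name ADMIN is a placeholder).
const BODY_TOSTRING = 'username=bob&authority.active_roles[toString]=true';
const BODY_ARRAY_TOSTRING = 'username=bob&authority.active_roles[][toString]=true';
const BODY_XYSTRING = 'username=bob&authority.active_roles[xyString]=true';
const BODY_GOOD = 'username=bob&authority.active_roles[]=ADMIN';

for (const b of [BODY_TOSTRING, BODY_ARRAY_TOSTRING, BODY_XYSTRING, BODY_GOOD]) {
  console.log(b, '\n  naive:', JSON.stringify(naiveOutcome(b)), '\n  safe: ', JSON.stringify(safeOutcome(b)));
}
```

The point of the hardened check is ordering: the existing validation message ("Parameter must be a one-dimensional array of strings") is the right rejection, but it only helps if it runs before any code dereferences a method on the attacker-shaped value. Checking Array.isArray and typeof first closes that gap for toString and for every other method name that a nested-key parser lets a client shadow.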