Added packageUrl.js, created middleware function utilizing this package and custom code to syntatically validate PURLs

Author: jdaigneau5

package-lock.json

@@ -27,10 +27,10 @@
         "standard": "^16.0.3"
     },
     "dependencies": {
-        "bson": "^6.10.1",
         "ajv": "^8.6.2",
         "ajv-formats": "^2.1.1",
         "argon2": "^0.41.1",
+        "bson": "^6.10.1",
         "config": "^3.3.6",
         "cors": "^2.8.5",
         "crypto-random-string": "^3.3.1",
@@ -50,6 +50,7 @@
         "mongoose-aggregate-paginate-v2": "1.0.6",
         "morgan": "^1.9.1",
         "node-dev": "^7.4.3",
+        "packageurl-js": "^2.0.1",
         "prompt-sync": "^4.2.0",
         "replace-in-file": "6.3.5",
         "replace-json-property": "^1.8.0",
@@ -60,7 +61,11 @@
         "winston": "^3.2.1",
         "yamljs": "^0.3.0"
     },
-    "overrides": { "mongo-cursor-pagination": { "bson": "^6.10.1" } },
+    "overrides": {
+        "mongo-cursor-pagination": {
+            "bson": "^6.10.1"
+        }
+    },
     "apidoc": {
         "name": "CVE-Services",
         "version": "0.0.0",
@@ -103,4 +108,4 @@
         "test:coverage-html": "NODE_ENV=test nyc --reporter=html mocha src/* --recursive --exit || true",
         "test:scripts": "NODE_ENV=development node-dev src/scripts/templateScript.js"
     }
-}
+}

package.json

@@ -1,3 +1,4 @@
+const { PackageURL } = require('packageurl-js')
 const { body, validationResult } = require('express-validator')
 const errors = require('./error')
 const error = new errors.CveControllerError()
@@ -184,6 +185,69 @@ function validateCveAdpContainerJsonSchema (req, res, next) {
   next()
 }
 
+// PURL validator middleware
+function validatePURL (pURLIndex) {
+  return body(pURLIndex).optional({ nullable: true }).bail().custom((affected) => {
+    for (const affObj of affected) {
+      const purlStr = affObj.packageURL
+      let purlObj
+      let parsedPurlArray
+      // Passes first validation check if PackageURL can build a PURL from the string
+      try {
+        // PURL class from PackageURL
+        purlObj = PackageURL.fromString(purlStr)
+        // PURL string broken up by component and store in array. Used for additional validation
+        parsedPurlArray = PackageURL.parseString(purlStr)
+        console.log(purlObj)
+        console.log(parsedPurlArray)
+        // console.log(PackageURL.fromString(purlObj.toString()))
+      } catch (e) {
+        throw new Error(e.message)
+      }
+
+      // PURL's with versions are not allowed
+      if (purlObj.version !== undefined) {
+        throw new Error('The PURL version component is currently not supported by the CVE schema')
+      }
+
+      // PackageURL does not properly account for certain Subpath situations
+      // so adding additional validation to account for them
+      if (purlObj.subpath !== undefined) {
+        // Checks if any subpaths contain invalid characters
+        // Subpaths cannot be '.' or '..'
+        const parsedSubpaths = subpathHelper(parsedPurlArray[5])
+
+        console.log(parsedSubpaths)
+
+        if (parsedSubpaths.includes('..') || parsedSubpaths.includes('.')) {
+          throw new Error("Subpaths cannot be '.' or '..' ")
+        }
+
+        if (parsedSubpaths.includes('')) {
+          throw new Error("Subpaths cannot be empty or contain only a '/' ")
+        }
+      }
+    }
+    return true
+  }
+  )
+}
+
+// Parses subpaths into array, stripping leading and trailing '/'
+function subpathHelper (subpathStr) {
+  // remove leading and trailing '/'s
+  if (subpathStr[0] === '/') {
+    subpathStr = subpathStr.slice(1)
+  }
+
+  if (subpathStr[subpathStr.length - 1] === '/') {
+    subpathStr = subpathStr.slice(0, subpathStr.length - 1)
+  }
+
+  const parsedSubpaths = subpathStr.split('/')
+  return parsedSubpaths
+}
+
 module.exports = {
   parseGetParams,
   parsePostParams,
@@ -195,5 +259,6 @@ module.exports = {
   validateDescription,
   validateRejectBody,
   validateDatePublic,
-  datePublicHelper
+  datePublicHelper,
+  validatePURL
 }