cve-services/src/middleware/middleware.js
Lines 23 to 34 in a2b6860

```js
function createCtxAndReqUUID (req, res, next) {
  const CONSTANTS = getConstants()

  try {
    req.ctx = {
      authenticated: false,
      uuid: uuid.v4(),
      org: req.header(CONSTANTS.AUTH_HEADERS.ORG),
      orgUUID: null,
      user: req.header(CONSTANTS.AUTH_HEADERS.USER),
      userUUID: null,
      key: req.header(CONSTANTS.AUTH_HEADERS.KEY),
```

This function has no limits on the lengths of strings returned by req.header apart from the limits built into Express. A client can send thousands of characters in CVE-API-USER and that will be logged by:

cve-services/src/middleware/middleware.js
Line 129 in a2b6860

```js
logger.info({ uuid: req.ctx.uuid, message: 'Authenticating user: ' + user }) // userUUID may be null if user does not exist
```

or

cve-services/src/middleware/middleware.js
Line 61 in a2b6860

```js
logger.info({ uuid: req.ctx.uuid, message: 'Authenticating user: ' + user }) // userUUID may be null if user does not exist
```

Instead, CVE-API-USER could be limited to the maximum valid username length.