createCtxAndReqUUID can place very long strings in req.ctx #1869

Description

@ElectricNroff

```javascript
function createCtxAndReqUUID (req, res, next) {
  const CONSTANTS = getConstants()
  try {
    req.ctx = {
      authenticated: false,
      uuid: uuid.v4(),
      org: req.header(CONSTANTS.AUTH_HEADERS.ORG),
      orgUUID: null,
      user: req.header(CONSTANTS.AUTH_HEADERS.USER),
      userUUID: null,
      key: req.header(CONSTANTS.AUTH_HEADERS.KEY),
```

This function has no limits on the lengths of strings returned by req.header apart from the limits built into Express. A client can send thousands of characters in CVE-API-USER and that will be logged by:
```javascript
logger.info({ uuid: req.ctx.uuid, message: 'Authenticating user: ' + user }) // userUUID may be null if user does not exist
```

or
```javascript
logger.info({ uuid: req.ctx.uuid, message: 'Authenticating user: ' + user }) // userUUID may be null if user does not exist
```

Instead, CVE-API-USER could be limited to the maximum valid username length.
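An added example of the mitigation the issue suggests (not cve-services code): an Express-style middleware that bounds the identity headers before they reach `req.ctx` or a log line, plus a truncating helper for anything that must still be logged. The `CVE-API-ORG`/`CVE-API-KEY` names, the length limits and all function names are assumptions.

```javascript
// Added example (not cve-services code): bound identity headers before they
// are copied into req.ctx or logged. Only CVE-API-USER is named in the issue;
// the other header names, the limits and the function names are assumptions.
const HEADERS = { org: 'CVE-API-ORG', user: 'CVE-API-USER', key: 'CVE-API-KEY' }
const LIMITS = { org: 64, user: 64, key: 128 } // assumed maximum valid lengths

// Validate one header value: absent -> null; otherwise it must be a single
// string (a repeated header arrives as an array) no longer than max.
function boundedHeader(raw, max) {
  if (raw === undefined) return { value: null, error: null }
  if (typeof raw !== 'string') return { value: null, error: 'must be a single string' }
  if (raw.length > max) return { value: null, error: `exceeds ${max} characters` }
  return { value: raw, error: null }
}

// Truncate a value for logging so an oversized header cannot flood log storage.
function forLog(s, max = 32) {
  return s.length > max ? `${s.slice(0, max)}...[${s.length} chars]` : s
}

// Express-style middleware: reject oversized identity headers with 400 before
// anything derived from them is logged or used for authentication.
function createCtxWithLimits(req, res, next) {
  const ctx = { authenticated: false, org: null, user: null, key: null }
  for (const [field, name] of Object.entries(HEADERS)) {
    const { value, error } = boundedHeader(req.header(name), LIMITS[field])
    if (error) {
      return res.status(400).json({ error: `${name} ${error}` })
    }
    ctx[field] = value
  }
  req.ctx = ctx
  next()
}

// Run the middleware against a constructed request object; returns the status
// chosen (200 when next() was reached), whether next() ran, and req.ctx.
function simulate(headers) {
  const req = { header: (name) => headers[name] }
  const res = { code: 200, status(c) { this.code = c; return this }, json() { return this } }
  let nextCalled = false
  createCtxWithLimits(req, res, () => { nextCalled = true })
  return { status: res.code, nextCalled, ctx: req.ctx || null }
}
```

Rejecting at the middleware boundary also means the rejected value is never interpolated into `logger.info`, which is the sink the issue points at.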
