customRoutes/publishcve.js - security-vulnogram - Git at Google

 const express = require('express');
 const protected = express.Router();
 const conf = require('../config/conf');
 const csurf = require('csurf');
 var request = require('request');
 const email = require('./email.js');
 const asf =  require('../custom/asf.js');
 var csrfProtection = csurf();
 var textUtil = require('../public/js/util.js');

 // We have to duplicate this from custom/cve5/asfpreload.js
 global.getProductListNoVendor = function getProductListNoVendor(c) {
     var lines = [];
     for (var affected of c.containers.cna.affected) {
         lines.push(affected.product);
     }
     return lines.join(", ");
 }

 // Is the PMC allowed to do a live CVE.org push?
 // Currently only if you are in security group or if you're listed in the config,
 // or if the config allows all (*) but you're not listed as an exception

 function allowedtopushlive(pmcsiamin, specificpmc) {
     if (pmcsiamin.includes(conf.admingroupname)) {
         return true;
     }
     if (!pmcsiamin.includes(specificpmc)) {
         return false; // they're messing with the form
     }
     return false;
     // This isn't implemented yet
     //
     if (conf.pmcstrustedascna.includes("*")) {
         if (conf.pmcstrustedascna.includes("-"+specificpmc)) {
             return false;
         }
         return true;
     }
     if (conf.pmcstrustedascna.includes(specificpmc)) {
         return true;
     }
     return false;
 }

 function getCveIdState(cveid, cb) {
     var opt = {
         'method' : 'GET',
         'url': conf.cveapiurl+'/cve-id/'+ cveid,
         'json': true,
         'headers': conf.cveapiheaders,
     };
     try {
         request(opt, (error, response, body) => {
             if (error) {
                 console.warn(error);
                 cb("");
             } else {
                 cb(body.state);
             }
         });
     } catch (error) {
         console.warn(error);
         cb("");
     }
 }

 function publishCve(cveid, isupdate, container, cb) {
     var opt = {
         'method' : 'POST',
         'url': conf.cveapiurl+'/cve/'+ cveid +"/cna",
         'json': {"cnaContainer": container},
         'headers': conf.cveapiheaders,
     };
     if (isupdate) {
         opt['method'] = "PUT";
     }
     try {
         request(opt, (error, response, body) => {
             if (error) {
                 console.warn(error);
                 cb(error);
             } else if (body.error) {
                 console.warn(body.error);
                 cb(body.message);
             } else {
                 console.log(body.message);
                 cb();
             }
         });
     } catch (error) {
         console.warn(error);
         cb(error);
     }
 }

 protected.post('/', csrfProtection, async function(req,res) {
     var q = {};
     var opts = {"idpath":"body.cveMetadata.cveId"};
     console.log("publishcve", req.body.cve);
     q[opts.idpath] = req.body.cve;
     let Document = res.locals.docs.cve5.Document;
     var doc = await Document.findOne(q);
     if (!doc) {
         res.json({"body": req.body.cve+" not found"});
         res.end();
         return;
     }

     // We now have a loaded document for the given CVE ID

     var cvepmcowner  = doc.body.CNA_private.owner;
     if (!allowedtopushlive(req.user.pmcs,cvepmcowner)) {
         res.json({"body":"Sorry the PMC "+cvepmcowner+" has no push rights"});
         res.end();
         return true;
     }

     // We now know that the user trying to push it is allowed to do so
     j = textUtil.reduceJSON(doc.body);

     // We now have the document the same as the CVE-JSON tab had

     if (doc.body.CNA_private.state != "PUBLIC" && doc.body.CNA_private.state != "READY" ) {
         res.json({"body":req.body.cve+" is not in state PUBLIC or READY"});
         res.end();
         return true;
     }

     // We now have something we're allowed to push

     // portal.js does a getCveId(j.cveMetadata.cveId) and looks at the state so we know if
     // we're doing a first push or an update push

     var lateststate = await new Promise( res => { getCveIdState(req.body.cve, res)})
     //console.log("According to cve.org "+req.body.cve+" is state "+lateststate);

     if (j.cveMetadata.state == "PUBLISHED") {
         var isupdate = (lateststate != "RESERVED")
         var result = await new Promise( res => { publishCve(j.cveMetadata.cveId, isupdate, j.containers.cna, res)})
         if (!result) {
             res.json({"body":"Push to cve.org success."});

             var s2 = email.sendemail({"to":"security@apache.org",
                                       "subject":j.cveMetadata.cveId+" was pushed to cve.org",
                                       "text":"push by "+req.user.username+" success",
                                      }).then( (x) => {  console.log("sent CVE push mail "+x);});
         } else {
             res.json({"body":"Push to cve.org failed. "+result});

             var s2 = email.sendemail({"to":"security@apache.org",
                                       "subject":j.cveMetadata.cveId+" failed push to cve.org",
                                       "text":"push by "+req.user.username+" failed "+result,
                                      }).then( (x) => {  console.log("sent CVE push failed mail "+x);});

         }
         res.end();
         return true;
     } else { // Rejected
         res.json({"body":"Push is authorised for you, but 'reject cve' not yet implemented."});
         res.end();
         return true;
     }
 });

 module.exports = {
     protected: protected
 };
	const express = require('express');
	const protected = express.Router();
	const conf = require('../config/conf');
	const csurf = require('csurf');
	var request = require('request');
	const email = require('./email.js');
	const asf = require('../custom/asf.js');
	var csrfProtection = csurf();
	var textUtil = require('../public/js/util.js');

	// We have to duplicate this from custom/cve5/asfpreload.js
	global.getProductListNoVendor = function getProductListNoVendor(c) {
	var lines = [];
	for (var affected of c.containers.cna.affected) {
	lines.push(affected.product);
	}
	return lines.join(", ");
	}

	// Is the PMC allowed to do a live CVE.org push?
	// Currently only if you are in security group or if you're listed in the config,
	// or if the config allows all (*) but you're not listed as an exception

	function allowedtopushlive(pmcsiamin, specificpmc) {
	if (pmcsiamin.includes(conf.admingroupname)) {
	return true;
	}
	if (!pmcsiamin.includes(specificpmc)) {
	return false; // they're messing with the form
	}
	return false;
	// This isn't implemented yet
	//
	if (conf.pmcstrustedascna.includes("*")) {
	if (conf.pmcstrustedascna.includes("-"+specificpmc)) {
	return false;
	}
	return true;
	}
	if (conf.pmcstrustedascna.includes(specificpmc)) {
	return true;
	}
	return false;
	}

	function getCveIdState(cveid, cb) {
	var opt = {
	'method' : 'GET',
	'url': conf.cveapiurl+'/cve-id/'+ cveid,
	'json': true,
	'headers': conf.cveapiheaders,
	};
	try {
	request(opt, (error, response, body) => {
	if (error) {
	console.warn(error);
	cb("");
	} else {
	cb(body.state);
	}
	});
	} catch (error) {
	console.warn(error);
	cb("");
	}
	}

	function publishCve(cveid, isupdate, container, cb) {
	var opt = {
	'method' : 'POST',
	'url': conf.cveapiurl+'/cve/'+ cveid +"/cna",
	'json': {"cnaContainer": container},
	'headers': conf.cveapiheaders,
	};
	if (isupdate) {
	opt['method'] = "PUT";
	}
	try {
	request(opt, (error, response, body) => {
	if (error) {
	console.warn(error);
	cb(error);
	} else if (body.error) {
	console.warn(body.error);
	cb(body.message);
	} else {
	console.log(body.message);
	cb();
	}
	});
	} catch (error) {
	console.warn(error);
	cb(error);
	}
	}

	protected.post('/', csrfProtection, async function(req,res) {
	var q = {};
	var opts = {"idpath":"body.cveMetadata.cveId"};
	console.log("publishcve", req.body.cve);
	q[opts.idpath] = req.body.cve;
	let Document = res.locals.docs.cve5.Document;
	var doc = await Document.findOne(q);
	if (!doc) {
	res.json({"body": req.body.cve+" not found"});
	res.end();
	return;
	}

	// We now have a loaded document for the given CVE ID

	var cvepmcowner = doc.body.CNA_private.owner;
	if (!allowedtopushlive(req.user.pmcs,cvepmcowner)) {
	res.json({"body":"Sorry the PMC "+cvepmcowner+" has no push rights"});
	res.end();
	return true;
	}

	// We now know that the user trying to push it is allowed to do so
	j = textUtil.reduceJSON(doc.body);

	// We now have the document the same as the CVE-JSON tab had

	if (doc.body.CNA_private.state != "PUBLIC" && doc.body.CNA_private.state != "READY" ) {
	res.json({"body":req.body.cve+" is not in state PUBLIC or READY"});
	res.end();
	return true;
	}

	// We now have something we're allowed to push

	// portal.js does a getCveId(j.cveMetadata.cveId) and looks at the state so we know if
	// we're doing a first push or an update push

	var lateststate = await new Promise( res => { getCveIdState(req.body.cve, res)})
	//console.log("According to cve.org "+req.body.cve+" is state "+lateststate);

	if (j.cveMetadata.state == "PUBLISHED") {
	var isupdate = (lateststate != "RESERVED")
	var result = await new Promise( res => { publishCve(j.cveMetadata.cveId, isupdate, j.containers.cna, res)})
	if (!result) {
	res.json({"body":"Push to cve.org success."});

	var s2 = email.sendemail({"to":"security@apache.org",
	"subject":j.cveMetadata.cveId+" was pushed to cve.org",
	"text":"push by "+req.user.username+" success",
	}).then( (x) => { console.log("sent CVE push mail "+x);});
	} else {
	res.json({"body":"Push to cve.org failed. "+result});

	var s2 = email.sendemail({"to":"security@apache.org",
	"subject":j.cveMetadata.cveId+" failed push to cve.org",
	"text":"push by "+req.user.username+" failed "+result,
	}).then( (x) => { console.log("sent CVE push failed mail "+x);});

	}
	res.end();
	return true;
	} else { // Rejected
	res.json({"body":"Push is authorised for you, but 'reject cve' not yet implemented."});
	res.end();
	return true;
	}
	});

	module.exports = {
	protected: protected
	};