From 19fdcf86e807ce2db27486d1c40bda23ad8b7366 Mon Sep 17 00:00:00 2001
From: superbuggy
Date: Tue, 10 Sep 2024 08:45:42 -0400
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Enforce=20specified=20orde?=
 =?UTF-8?q?ring?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cvss40.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/cvss40.js b/cvss40.js
index 0446859..7d4940b 100644
--- a/cvss40.js
+++ b/cvss40.js
@@ -396,12 +396,15 @@ class Vector {
 return lookup;
 }, {});
+ const metricsEntries = Object.entries(metricsLookup);
+
 const requiredMetrics = Object.keys(Vector.METRICS.BASE);
 if (!requiredMetrics.every(metricType => metricType in metricsLookup)) {
 throw new Error(`Invalid CVSS v4.0 vector: Missing required metrics in \`${vector}\``);
 }
+
 if (metrics.length > Object.keys(metricsLookup).length) {
 throw new Error(`Invalid CVSS v4.0 vector: Duplicated metric types in \`${vector}\``);
 }
@@ -413,9 +416,9 @@ class Vector {
 throw new Error(`Invalid CVSS v4.0 vector: Unknown/excessive metric types in \`${vector}\``);
 }
- for (let [metricType, metricValue] of Object.entries(metricsLookup)) {
+ for (let [metricType, metricValue] of metricsEntries) {
- if (!metricType in Vector.ALL_METRICS) {
+ if ( !(metricType in Vector.ALL_METRICS) ) {
 throw new Error(`Invalid CVSS v4.0 vector: Unknown metric \`${metricType}\` in \`${vector}\``);
 }
@@ -425,6 +428,11 @@ class Vector {
 }
 }
+ const utilizedMetricTypes = Object.keys(Vector.ALL_METRICS).filter(metricType => metricType in metricsLookup);
+ if (metricsEntries.some(([metricType], index) => utilizedMetricTypes[index] !== metricType)) {
+ throw new Error(`Invalid CVSS v4.0 vector: Metrics are in wrong order \`${vector}\``);
+ }
+
 return true;
 }
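Review bot: The corrected guard `!(metricType in Vector.ALL_METRICS)` in the second hunk still uses `in`, which also matches inherited property names. If `ALL_METRICS` is a plain object literal (its definition is outside the hunk), a metric type taken from the vector string such as `constructor` or `toString` passes this check. An own-property test avoids relying on the later checks to reject such input: `if (!Object.hasOwn(Vector.ALL_METRICS, metricType)) {`. The loop body continues past the end of the hunk, so whether the value lookup that follows has the same exposure cannot be seen here.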
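Review bot: The new ordering check in the third hunk rests on two assumptions that nothing in the code states. It assumes `Vector.ALL_METRICS` is declared in the order the CVSS v4.0 specification prescribes, and that `Object.entries(metricsLookup)` returns keys in the order they appeared in the input string. The second holds for alphabetic metric names but not for integer-like keys, which JavaScript enumerates first, so comparing against the parsed `metrics` sequence would probably be sturdier if its shape allows. At minimum add a comment above the check, for example `// Relies on ALL_METRICS being declared in specification order and on metricsLookup preserving input order`. The new error message also omits the word `in` before the quoted vector, which every other message in this function includes.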