
Resolves issue #1868, hardens CVE ID modification against unauthenticated org short-name fallback. #1895

Merged
jdaigneau5 merged 2 commits into dev from dr_1868 on Jun 30, 2026

Conversation

@david-rocca (Collaborator)
Closes Issue #1868

Summary

This PR updates CVE ID modification so modifyCveId requires authenticated request context and no longer falls back to resolving req.ctx.org by short name when unauthenticated.

Important Changes

src/controller/cve-id.controller/cve-id.controller.js

  • Added a fail-closed authentication guard in modifyCveId.
  • Removed the unauthenticated findOneByShortName(req.ctx.org) fallback.

test/unit-tests/cve-id/cveIdUpdateTest.js

  • Added regression coverage proving unauthenticated direct controller calls do not resolve org short names.
  • Updated controller tests to model authenticated middleware context.

test/integration-tests/cve-id/cveIdUpdateTest.js

  • Added route-level coverage that invalid auth is rejected before CVE ID update.
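
The fallback removed by this PR, as an added example that is not CVE Services code: the pre-fix controller shape beside the fail-closed form, exercised the way the new unit test is described (direct controller calls with an unauthenticated context whose org is only a short name). The org store, request/response stubs, handler bodies, status codes and the "spoofed flag" scenario are all constructed for illustration; only the names modifyCveId, req.ctx.authenticated, req.ctx.org and findOneByShortName come from the PR text.

```javascript
// Added example, not CVE Services code. A reduced model of the controller shape
// the PR describes: the old fallback beside the fail-closed replacement.

// Constructed in-memory org store standing in for the repository layer.
const ORGS = new Map([
  ['acme', { short_name: 'acme', UUID: '11111111-1111-4111-8111-111111111111' }],
]);

let fallbackLookups = 0; // instrumentation: how often findOneByShortName ran
const orgRepo = {
  findOneByShortName(shortName) {
    fallbackLookups += 1;
    return ORGS.get(shortName) || null;
  },
};

// Minimal stand-ins for the Express req/res objects.
function makeReq(ctx, params) {
  return { ctx, params };
}
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// BEFORE (hypothetical reconstruction of the weakness): an unauthenticated
// context is "repaired" by resolving req.ctx.org as a short name, so a direct
// controller call that skipped the auth middleware still acts for that org.
function modifyCveIdBefore(req, res) {
  const org = req.ctx.authenticated
    ? req.ctx.org                               // middleware supplied the org record
    : orgRepo.findOneByShortName(req.ctx.org);  // unauthenticated fallback
  if (!org) return res.status(404).json({ error: 'ORG_NOT_FOUND' });
  return res.status(200).json({ updated: req.params.id, owning_cna: org.UUID });
}

// AFTER (the fail-closed shape the PR describes): reject unless the middleware
// left an explicit boolean authenticated flag and a resolved org record, and
// never consult the org store from inside the controller.
function modifyCveIdAfter(req, res) {
  const ctx = req.ctx;
  const authenticated =
    ctx && ctx.authenticated === true && ctx.org && typeof ctx.org === 'object' && ctx.org.UUID;
  if (!authenticated) {
    return res.status(401).json({ error: 'UNAUTHENTICATED' });
  }
  return res.status(200).json({ updated: req.params.id, owning_cna: ctx.org.UUID });
}

// Regression harness in the spirit of the PR's unit test: invoke the handler
// directly (no middleware) and report status, body and fallback lookups.
function runScenario(handler, ctx) {
  fallbackLookups = 0;
  const res = makeRes();
  handler(makeReq(ctx, { id: 'CVE-2026-0001' }), res); // constructed ID
  return { status: res.statusCode, body: res.body, lookups: fallbackLookups };
}

function demo() {
  const unauthCtx = { authenticated: false, org: 'acme' };   // short name only
  const spoofedCtx = { authenticated: 'true', org: 'acme' }; // truthy string, not boolean
  const authCtx = { authenticated: true, org: ORGS.get('acme') };
  return {
    before_unauth: runScenario(modifyCveIdBefore, unauthCtx),
    after_unauth: runScenario(modifyCveIdAfter, unauthCtx),
    after_spoofed: runScenario(modifyCveIdAfter, spoofedCtx),
    after_auth: runScenario(modifyCveIdAfter, authCtx),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The instrumented counter is the check worth keeping in a regression test: a fail-closed guard is only proven when the unauthenticated path records zero repository lookups, not merely a 401, because a lookup that runs before the rejection can still leak whether a short name exists.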

@david-rocca david-rocca linked an issue Jun 30, 2026 that may be closed by this pull request
@jdaigneau5 jdaigneau5 merged commit f153801 into dev Jun 30, 2026
9 checks passed

Development

Linked issue that may be closed by this pull request: modifyCveId incorrectly checks req.ctx.authenticated

2 participants