Merge pull request #43 from 0llirocks/add-validation

0llirocks · web-flow · commit d3d10c91ad0d · 2024-08-04T18:24:09.000+02:00
Add validation
diff --git a/lib/cvss_suite/cvss_31_and_before.rb b/lib/cvss_suite/cvss_31_and_before.rb
@@ -27,11 +27,10 @@ def initialize(vector)
     # Returns if CVSS vector is valid.
     def valid?
       if @amount_of_properties >= required_amount_of_properties
-        base = @base.valid?
-        temporal = @base.valid? && @temporal&.valid?
-        environmental = @base.valid? && @environmental&.valid?
-        full = @base.valid? && @temporal&.valid? && @environmental&.valid?
-        base || temporal || environmental || full
+        entered_keys = @properties.collect { |p| p[:name] }
+        return false if (entered_keys - allowed_abbreviations).size.positive?
+
+        check_metrics_validity
       else
         false
       end
@@ -46,5 +45,17 @@ def overall_score
 
       base_score
     end
+
+    private
+
+    def allowed_abbreviations
+      @base.properties.collect(&:abbreviation) +
+        @temporal.properties.collect(&:abbreviation) +
+        @environmental.properties.collect(&:abbreviation)
+    end
+
+    def check_metrics_validity
+      @base.valid? && @temporal&.valid? && @environmental&.valid?
+    end
   end
 end
diff --git a/lib/cvss_suite/cvss_metric.rb b/lib/cvss_suite/cvss_metric.rb
@@ -44,7 +44,7 @@ def extract_selected_values_from(selected_properties)
         end
         property&.set_selected_value selected_property[:selected]
       end
-      @properties.reject(&:valid?).each(&:set_default_value)
+      @properties.select(&:non_selected?).each(&:set_default_value)
     end
   end
 end
diff --git a/lib/cvss_suite/cvss_property.rb b/lib/cvss_suite/cvss_property.rb
@@ -58,7 +58,7 @@ def selected_value
     # Returns true if the property is valid.
 
     def valid?
-      !@selected_value.nil?
+      !@selected_value.nil? && @property[:values].map { |p| p[:abbreviation] }.include?(@selected_value[:abbreviation])
     end
 
     ##
@@ -76,6 +76,9 @@ def set_selected_value(selected_value)
         value[:selected] = selected_value.eql?(value[:abbreviation])
       end
       @selected_value = values.detect { |value| value[:selected] }
+      return unless @selected_value.nil?
+
+      @selected_value = { abbreviation: selected_value }
     end
 
     ##
@@ -84,8 +87,16 @@ def set_selected_value(selected_value)
     def set_default_value
       values.each do |value|
         value[:selected] = value[:abbreviation].eql?('X')
+        value[:selected] ||= value[:abbreviation].eql?('ND')
       end
       @selected_value = values.detect { |value| value[:selected] }
     end
+
+    ##
+    # Returns whether a selected_value is set
+
+    def non_selected?
+      @selected_value.nil?
+    end
   end
 end
diff --git a/spec/cvss2/cvss2_spec.rb b/spec/cvss2/cvss2_spec.rb
@@ -23,6 +23,16 @@
   let(:invalid_cvss2) { CvssSuite.new('AV:N/AC:P/C:P/AV:U/RL:OF/RC:C') }
   let(:invalid_cvss2_parenthesis_closed) { CvssSuite.new('(AV:N/AC:L/Au:N/C:P/I:P/A:P') }
   let(:invalid_cvss2_parenthesis) { CvssSuite.new('(AV:N/AC:L/Au:N()/C:P/I:P/A:P') }
+  let(:invalid_cvss2_missing_metric) { CvssSuite.new('AV:N/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C') }
+  let(:invalid_cvss2_multiple_metrics) { CvssSuite.new('AV:N/AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C') }
+  let(:invalid_cvss2_additional_fields) do
+    CvssSuite.new('AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C/Extra/')
+  end
+  let(:invalid_cvss2_additional_fields_missing_temporal) do
+    CvssSuite.new('AV:N/AC:L/Au:N/C:P/I:P/A:P/RL:OF/RC:C/Extra/')
+  end
+  let(:invalid_cvss2_extra_slash) { CvssSuite.new('AV:N//AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C') }
+  let(:invalid_cvss2_wrong_value) { CvssSuite.new('AV:N/AC:L/Au:N/C:P/I:P/A:P/E:R/RL:OF/RC:C') }
 
   describe 'valid cvss2' do
     subject { valid_cvss2 }
@@ -90,6 +100,42 @@
     it_behaves_like 'a invalid cvss vector with version', 2
   end
 
+  describe 'invalid cvss2 with missing base metric' do
+    subject { invalid_cvss2_missing_metric }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
+  describe 'invalid cvss2 with multiple base metrics' do
+    subject { invalid_cvss2_multiple_metrics }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
+  describe 'invalid cvss2 with additional fields' do
+    subject { invalid_cvss2_additional_fields }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
+  describe 'invalid cvss2 with additional fields missing temporal' do
+    subject { invalid_cvss2_additional_fields_missing_temporal }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
+  describe 'invalid cvss2 with extra slash' do
+    subject { invalid_cvss2_extra_slash }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
+  describe 'invalid cvss2 with wrong value for Exploit Code Maturity (E)' do
+    subject { invalid_cvss2_wrong_value }
+
+    it_behaves_like 'a invalid cvss vector with version', 2
+  end
+
   # Severity tests https://nvd.nist.gov/vuln-metrics/cvss
   # v2 Severity High: 7.0 - 10.0
   describe 'valid cvss2_severity_high' do
diff --git a/spec/cvss3/cvss3_spec.rb b/spec/cvss3/cvss3_spec.rb
@@ -40,6 +40,14 @@
   let(:invalid_cvss3_not_defined) { CvssSuite.new('CVSS:3.0/AV:X/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H') }
   let(:invalid_cvss3_missing_metric) { CvssSuite.new('CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L') }
   let(:invalid_cvss3_multiple_metrics) { CvssSuite.new('CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/A:L') }
+  let(:invalid_cvss3_additional_fields) do
+    CvssSuite.new('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C/Extra/')
+  end
+  let(:invalid_cvss3_additional_fields_missing_temporal) do
+    CvssSuite.new('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/Extra/')
+  end
+  let(:invalid_cvss3_extra_slash) { CvssSuite.new('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H/E:P/RL:U/RC:C/') }
+  let(:invalid_cvss3_wrong_value) { CvssSuite.new('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:R/RL:U/RC:C') }
 
   describe 'valid cvss3' do
     subject { valid_cvss3 }
@@ -155,6 +163,30 @@
     it_behaves_like 'a invalid cvss vector with version', 3.0
   end
 
+  describe 'invalid cvss3 with additional fields' do
+    subject { invalid_cvss3_additional_fields }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.0
+  end
+
+  describe 'invalid cvss3 with additional fields missing temporal' do
+    subject { invalid_cvss3_additional_fields_missing_temporal }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.0
+  end
+
+  describe 'invalid cvss3 with extra slash' do
+    subject { invalid_cvss3_extra_slash }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.0
+  end
+
+  describe 'invalid cvss3 with wrong value for Exploit Code Maturity (E)' do
+    subject { invalid_cvss3_wrong_value }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.0
+  end
+
   describe 'correct vector' do
     [
       ['CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L', 'CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L'],
diff --git a/spec/cvss31/cvss31_spec.rb b/spec/cvss31/cvss31_spec.rb
@@ -39,6 +39,14 @@
   let(:invalid_cvss31_not_defined) { CvssSuite.new('CVSS:3.1/AV:X/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H') }
   let(:invalid_cvss31_missing_metric) { CvssSuite.new('CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L') }
   let(:invalid_cvss31_multiple_metrics) { CvssSuite.new('CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/A:L') }
+  let(:invalid_cvss31_additional_fields) do
+    CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C/Extra/')
+  end
+  let(:invalid_cvss31_additional_fields_missing_temporal) do
+    CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/Extra/')
+  end
+  let(:invalid_cvss31_extra_slash) { CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N//I:N/A:H/E:P/RL:U/RC:C/') }
+  let(:invalid_cvss31_wrong_value) { CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:R/RL:U/RC:C') }
 
   describe 'valid cvss31' do
     subject { valid_cvss31 }
@@ -154,6 +162,30 @@
     it_behaves_like 'a invalid cvss vector with version', 3.1
   end
 
+  describe 'invalid cvss31 with additional fields' do
+    subject { invalid_cvss31_additional_fields }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.1
+  end
+
+  describe 'invalid cvss31 with additional fields missing temporal' do
+    subject { invalid_cvss31_additional_fields_missing_temporal }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.1
+  end
+
+  describe 'invalid cvss31 with extra slash' do
+    subject { invalid_cvss31_extra_slash }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.1
+  end
+
+  describe 'invalid cvss31 with wrong value for Exploit Code Maturity (E)' do
+    subject { invalid_cvss31_wrong_value }
+
+    it_behaves_like 'a invalid cvss vector with version', 3.1
+  end
+
   describe 'correct vector' do
     [
       ['CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L', 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L'],
