Merge pull request #60 from GarrettVD/cpe-exceptions

Add CPE exceptions + double encoding support
SpiderLabs · Nov 6, 2018 · d324083 · d324083
2 parents d6fbbd7 + cd81893
commit d324083
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 2 deletions.
diff --git a/config/cpe_exceptions.yml b/config/cpe_exceptions.yml
@@ -0,0 +1 @@
+- joomla:joomla\!
diff --git a/lib/cve_server/app.rb b/lib/cve_server/app.rb
@@ -23,6 +23,9 @@ class App < Sinatra::Base
     end
 
     get '/v1/cpe/:cpe_str' do |cpe_str|
+      if params.has_key?('double_encoded_fields') && params['double_encoded_fields']
+        cpe_str = URI.decode(URI.decode(cpe_str))
+      end
       # Multiple cpes were included
       if cpe_str.include?(",")
         bad_request unless valid_cpes?(cpe_str)
@@ -43,6 +46,9 @@ class App < Sinatra::Base
     end
 
     get '/v1/cpe_with_version/:cpe_str' do |cpe_str|
+      if params.has_key?('double_encoded_fields') && params['double_encoded_fields']
+        cpe_str = URI.decode(URI.decode(cpe_str))
+      end
       # Multiple cpes were included
       if cpe_str.include?(",")
         bad_request unless valid_cpes_with_version?(cpe_str)

diff --git a/lib/cve_server/config.rb b/lib/cve_server/config.rb
@@ -31,6 +31,14 @@ def raw_data_path
       end
     end
 
+    def cpe_exceptions
+      begin
+        YAML.load_file(File.join(root, 'config', 'cpe_exceptions.yml')) || []
+      rescue Errno::ENOENT
+        []
+      end
+    end
+
     private
 
     def db_settings

diff --git a/lib/cve_server/cve.rb b/lib/cve_server/cve.rb
@@ -19,7 +19,7 @@ def self.all_cpes_equal(cpes)
     end
 
     def self.all_cpe_equal(cpe)
-      all(cpes: /^#{cpe}$/i).collect do |h|
+      all(cpes: /^#{Regexp.escape(cpe)}$/i).collect do |h|
         h['id']
       end.uniq.sort
     end
@@ -31,7 +31,7 @@ def self.all_cpes_with_version_equal(cpes)
     end
 
     def self.all_cpe_with_version_equal(cpe)
-      all(cpes_with_version: /^#{cpe}$/i).collect do |h|
+      all(cpes_with_version: /^#{Regexp.escape(cpe)}$/i).collect do |h|
         h['id']
       end.uniq.sort
     end

diff --git a/lib/cve_server/helper.rb b/lib/cve_server/helper.rb
@@ -1,3 +1,5 @@
+require 'cve_server/config'
+
 module CVEServer
   module Helper
     module_function
@@ -8,6 +10,8 @@ def valid_cve?(cve)
     end
 
     def valid_cpe?(cpe)
+      config = CVEServer::Config.new
+      return true if config.cpe_exceptions.include? cpe
       cpe.match(/^[a-z0-9_\%\~\.\-]+\:[a-z0-9_\%\~\.\-]+$/i)
     end