From 02a521aca040e88584e521bef23c11f729a2bf74 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Fri, 17 Apr 2026 12:50:49 -0400
Subject: [PATCH 1/2] Issue Active/Inactive user management fix #64
---
 CHANGELOG.md | 10 +++++++---
 cveClientlib.js | 41 ++++++++++++++++++++++++++++-------------
 2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97a4a71..dec0a5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@
 # cveClient Changelog
+## Version 1.0.25 — 2026-03-28
+- Bug: Bug fix in `cveClientLib.js` where query params such {active: false} will not work due to weak coercion
+- Updated `cveClientLib.js` to version 1.0.26, should support npm usage as well.
+
 ## Version 1.0.24 — 2026-03-28
-- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title
-- Security: Prevent plaintext API key storage and harden encryption key handling
-- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging
+- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title CVE-2026-35466
+- Security: Prevent plaintext API key storage and harden encryption key handling CVE-2026-35467
+- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging CVE-2026-35466
 - Updated SweetAlert2 from 11.4.9 to 11.26.24
 - Made schema references version-agnostic with automatic schema version detection
 - Added ADP (Authorized Data Publisher) read and delete support
diff --git a/cveClientlib.js b/cveClientlib.js
index 4fcca59..d522c04 100644
--- a/cveClientlib.js
+++ b/cveClientlib.js
@@ -5,7 +5,30 @@ class cveClient {
 this.key = key;
 this.url = url;
 this.user_path = "/org/" + this.org + "/user/" + this.user;
- this._version = "1.0.25";
+ this._version = "1.0.26";
+ }
+ /* Safely build query string */
+ _buildQuery(qvars) {
+ if (!qvars) return "";
+
+ const params = new URLSearchParams();
+
+ Object.entries(qvars).forEach(([key, val]) => {
+ /* Skip only null/undefined */
+ if (val == null) return;
+ /* Handle arrays (common in APIs) */
+ if (Array.isArray(val)) {
+ val.forEach(v => {
+ if (v != null) params.append(key, String(v));
+ });
+ return;
+ }
+
+ /* Normalize everything else */
+ params.append(key, String(val));
+ });
+
+ return params.toString();
 }
 /* PUT /cve/{id}/adp — the only ADP endpoint per CVE Services API spec
 See https://cveawg.mitre.org/api-docs/ */
@@ -139,21 +162,13 @@ class cveClient {
 if(!opts) {
 opts = {method:'GET'};
 }
- if(qvars) {
- var qstr = new URLSearchParams();
- Object.keys(qvars).forEach(function(x) {
- /* Remove empty values in query_string
- strange issue #11 when changing user's information
- see https://github.com/CERTCC/cveClient/issues/11
- */
- if(qvars[x] != "")
- qstr.append(x,qvars[x]);
- });
- url.search = qstr.toString();
+ const qs = this._buildQuery(qvars);
+ if (qs) {
+ url.search = qs;
 }
 if(!('headers' in opts))
 opts.headers = {};
- opts.headers = Object.assign({},opts.headers,
+ opts.headers = Object.assign({}, opts.headers || {},
 {'CVE-API-KEY': this.key,
 'CVE-API-ORG': this.org,
 'CVE-API-USER': this.user });
From 61218b36cee95fdc41e400014c8e98bfafde00d1 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Fri, 17 Apr 2026 12:53:57 -0400
Subject: [PATCH 2/2] spelling error in clientlib
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dec0a5e..7213b75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
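Review bot: `_buildQuery` drops the empty-string exclusion that the removed code in the second hunk tied to issue #11 (`if(qvars[x] != "")`), so a field set to `""` now reaches the request as `key=` where it was previously omitted; the changelog only names `{active: false}`, whose loss was a side effect of loose equality (`false != ""` is false), not the intended skip. Keeping the old exclusion while still passing `false` and `0` is one line, `if (val == null || val === "") return;`, and the same check belongs on the array elements (`if (v != null && v !== "")`). The comment `/* Safely build query string */` would serve better as a JSDoc stating what is skipped, that arrays are repeated as `key=v1&key=v2`, and that every other value goes through `String()`, so an object value becomes `[object Object]`. The class starts before this hunk; `_buildQuery` itself is complete within it.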
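Review bot: `if (qs) { url.search = qs; }` leaves any query string already present on `url` untouched when every value in `qvars` is filtered out, whereas the removed block assigned `url.search` unconditionally whenever `qvars` was truthy. If `url` is constructed fresh just above this hunk the difference is harmless; if it can carry a prior search string, an unconditional `url.search = this._buildQuery(qvars);` preserves the old behaviour. The `|| {}` added to the `Object.assign` call only matters when a caller passes `headers: null`, because the `'headers' in opts` guard above already creates the object when the key is absent; a short comment, `/* || {} guards an explicit headers: null */`, would stop the next reader from removing it as redundant. The enclosing method starts and ends outside this hunk.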
@@ -1,8 +1,8 @@
 # cveClient Changelog
 ## Version 1.0.25 — 2026-03-28
-- Bug: Bug fix in `cveClientLib.js` where query params such {active: false} will not work due to weak coercion
-- Updated `cveClientLib.js` to version 1.0.26, should support npm usage as well.
+- Bug: Bug fix in `cveClientlib.js` where query params such {active: false} will not work due to weak coercion
+- Updated `cveClientlib.js` to version 1.0.26, should support npm usage as well.
 ## Version 1.0.24 — 2026-03-28