OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

When an indicator score is set to 1000000, the object does not load properly and the system hangs #6715

Open Lhorus6 opened 6 months ago

Lhorus6 commented 6 months ago

Description

We don't have any check on indicator/observable score. I mean that we can set 1000000 as the score (should be between 0 and 100).

It may cause problems. For example, if we set up an indicator with a score of 1000000, the indicator does not load properly and the system hangs.

Environment

OCTI 6.0.9

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create an indicator with a score of 1000000 / 100
  2. Try to open this Indicator

Expected Output

Prevent users from setting a score not between 0 and 100 (on observable and indicator)

aHenryJard commented 6 months ago

What is the expected behavior if a connector creates an indicator with a score out of 0-100? Drop it or fix the score to the nearest of 0 or 100?

Jipegien commented 6 months ago

To my knowledge, no control implemented. Ideally, a score should not be out of 0-100.

Lhorus6 commented 6 months ago

IMO, @aHenryJard :

labo-flg commented 6 months ago

We can set a @constraint(min:0, max: 100) in the Input type on the GraphQL side, for creation. The frontend can be easily updated so the input has a similar constraint in the UI.

Note this won't prevent bad values on API update as our fieldPatch mutation is uncontrolled (payload is Any!). If we want to address this last case, I think we need to implement attribute constraints at the schema level + validation of these constraints on updateEntity / updateRelationship. This is not trivial as you can imagine, but not very complex.