intelowlproject · mlodic · Nov 11, 2024 · Nov 1, 2024 · Nov 1, 2024 · Nov 4, 2024
diff --git a/api_app/analyzers_manager/observable_analyzers/nvd_cve.py b/api_app/analyzers_manager/observable_analyzers/nvd_cve.py
@@ -1,3 +1,5 @@
+import re
+
 import requests
 
 from api_app.analyzers_manager.classes import AnalyzerRunException, ObservableAnalyzer
@@ -7,6 +9,7 @@
 class NVDDetails(ObservableAnalyzer):
     url: str = "https://services.nvd.nist.gov/rest/json/cves/2.0"
     _nvd_api_key: str = None
+    cve_pattern = r"^CVE-\d{4}-\d{4,7}$"
 
     @classmethod
     def update(self) -> bool:
@@ -16,10 +19,19 @@ def run(self):
         headers = {}
         if self._nvd_api_key:
             headers.update({"apiKey": self._nvd_api_key})
-        params = {"cveId": self.observable_name}
+
         try:
+            # Validate if CVE format is correct E.g CVE-2014-1234 or CVE-2022-1234567
+            if not re.match(self.cve_pattern, self.observable_name):
+                raise ValueError(f"Invalid CVE format: {self.observable_name}")
+
+            params = {"cveId": self.observable_name}
             response = requests.get(url=self.url, params=params, headers=headers)
             response.raise_for_status()
+
+        except ValueError as e:
+            raise AnalyzerRunException(e)
+
         except requests.RequestException as e:
             raise AnalyzerRunException(e)