500 Internal Server Error for createUser with toString #1159

Closed
ElectricNroff opened this issue Jan 2, 2024 · 0 comments · Fixed by #1162

ElectricNroff commented Jan 2, 2024

By combining the findings of the #609 and #1158 issues, it's possible to trigger a 500 error if one is allowed to create users. In other words, unlike in the #1158 issue, it is not necessary to be an ADP to redefine a toString() method.

For example,

```
curl -X POST \
  -H "CVE-API-ORG: ..." \
  -H "CVE-API-USER: ..." \
  -H "CVE-API-KEY: ..." \
  -d 'username=bob&authority.active_roles[toString]=true' \
  https://cveawg-test.mitre.org/api/org/Mickey%20Mouse/user
```

results in:

```
HTTP/1.1 500 Internal Server Error

{"error":"SERVICE_NOT_AVAILABLE","message":"This service appears to not be available."}
```

Alternatively, this body can be used:

```
-d 'username=bob&authority.active_roles[][toString]=true'
```

This is specific to certain method names such as toString. If, for example, xyString is used instead, then the error message is:

```
{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"Parameter must be a one-dimensional array of strings","param":"authority.active_roles","location":"body"},{"msg":"User role does not exist.","param":"authority.active_roles","location":"body"}]}
```

In other words, a client user, by placing "toString" within a POST /org/{shortname}/user API call, can interfere with the server's ability to execute this code:

```
    return val.toString().toUpperCase()
  }
  const newArr = val.map(k => {
    if (Array.isArray(k)) {
      return toUpperCaseArray(k)
    } else {
      return k.toString().toUpperCase()
```

(As far as I know, authority.active_roles[toString]=true fails with TypeError: val.toString is not a function whereas authority.active_roles[][toString]=true fails with TypeError: k.toString is not a function)

jdaigneau5 self-assigned this Jan 5, 2024
jdaigneau5 linked a pull request Jan 5, 2024 that will close this issue
david-rocca added a commit that referenced this issue Jan 10, 2024
#1159 Prevents possible toString override
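
The failure mode reported in this issue, as an added example (not the project's code and not the change merged in #1162): a normalizer shaped like the quoted excerpt next to a type-checking variant. The function names, `RoleInputError`, and the sample inputs are hypothetical, and the example assumes the parsed request values have the shapes the issue describes.

```javascript
// Stand-in shaped like the excerpt quoted in the issue (hypothetical name).
function toUpperCaseArrayUnsafe (val) {
  if (!Array.isArray(val)) {
    return val.toString().toUpperCase()
  }
  return val.map(k =>
    Array.isArray(k) ? toUpperCaseArrayUnsafe(k) : k.toString().toUpperCase())
}

// Hypothetical error type that a route handler can map to a 400 BAD_INPUT reply.
class RoleInputError extends Error {}

// Hardened variant: accept only strings and (nested) arrays of strings, and
// never call a method that is looked up on client-supplied data.
function toUpperCaseArrayStrict (val) {
  if (typeof val === 'string') return val.toUpperCase()
  if (Array.isArray(val)) return val.map(k => toUpperCaseArrayStrict(k))
  throw new RoleInputError('role must be a string or an array of strings')
}

// Constructed inputs: value shapes the issue attributes to the two request
// bodies, plus one well-formed role list ('admin' is a sample value).
const SAMPLES = {
  wellFormed: ['admin'],
  keyed: { toString: 'true' },      // active_roles[toString]=true
  nested: [{ toString: 'true' }]    // active_roles[][toString]=true
}

// Run a normalizer and report either its value or the class of error thrown.
function outcome (fn, val) {
  try {
    return { ok: true, value: fn(val) }
  } catch (err) {
    return { ok: false, kind: err.constructor.name, message: err.message }
  }
}

for (const [name, val] of Object.entries(SAMPLES)) {
  console.log(name, 'unsafe:', outcome(toUpperCaseArrayUnsafe, val))
  console.log(name, 'strict:', outcome(toUpperCaseArrayStrict, val))
}
```

Swapping `val.toString()` for `String(val)` does not help: coercing an object whose own `toString` is not callable still throws a `TypeError`, so the type check is what turns the 500 into a validation error.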