#2024 Add constraints on input data

build.sbt

@@ -174,7 +174,9 @@ lazy val thehiveDto = (project in file("dto"))
     name := "thehive-dto",
     version := thehiveVersion,
     libraryDependencies ++= Seq(
-      aix
+      aix,
+      refined,
+      playRefined
     )
   )
 

cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionOperationSrv.scala

@@ -6,6 +6,7 @@ import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.{EntityIdOrName, InternalError}
 import org.thp.thehive.connector.cortex.models._
 import org.thp.thehive.controllers.v0.Conversion._
+import org.thp.thehive.dto.{Description, String128}
 import org.thp.thehive.dto.v0.InputTask
 import org.thp.thehive.models._
 import org.thp.thehive.services._
@@ -58,7 +59,10 @@ class ActionOperationSrv(
       case CreateTask(title, description) =>
         for {
           case0 <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action CreateTask without case")))(Success(_))
-          _     <- caseSrv.createTask(case0, InputTask(title = title, description = Some(description)).toTask)
+          _ <- caseSrv.createTask(
+            case0,
+            InputTask(title = String128("task.title", title), description = Some(Description("task.description", description))).toTask
+          )
         } yield updateOperation(operation)
 
       case AddCustomFields(name, _, value) =>

dto/src/main/scala/org/thp/thehive/dto/package.scala

@@ -0,0 +1,59 @@
+package org.thp.thehive
+
+import eu.timepit.refined.W
+import eu.timepit.refined.api.{RefType, Refined}
+import shapeless.{::, HNil}
+import eu.timepit.refined.predicates.all._
+import org.thp.scalligraph.InvalidFormatAttributeError
+import org.thp.scalligraph.controllers.{FNumber, FString}
+
+package object dto {
+  type Severity    = Int Refined And[Positive, LessEqual[W.`4`.T]]
+  type Tlp         = Int Refined And[NonNegative, LessEqual[W.`3`.T]]
+  type Pap         = Int Refined And[NonNegative, LessEqual[W.`3`.T]]
+  type Color       = String Refined MatchesRegex[W.`"""^#[0-9a-fA-F]{6,6}|$"""`.T]
+  type StringX[N]  = String Refined AllOf[Not[Empty] :: MaxSize[N] :: Not[MatchesRegex[W.`"""[\n\r]"""`.T]] :: HNil]
+  type String16    = StringX[W.`16`.T]
+  type String32    = StringX[W.`32`.T]
+  type String64    = StringX[W.`64`.T]
+  type String128   = StringX[W.`128`.T]
+  type String512   = StringX[W.`512`.T]
+  type Description = String Refined MaxSize[W.`1048576`.T]
+
+  object Severity {
+    def apply(value: Int): Severity =
+      RefType
+        .applyRef[Severity](value)
+        .fold(error => throw InvalidFormatAttributeError("severity", error, Set.empty, FNumber(value.toDouble)), identity)
+  }
+
+  object Tlp {
+    def apply(value: Int): Tlp =
+      RefType.applyRef[Tlp](value).fold(error => throw InvalidFormatAttributeError("tlp", error, Set.empty, FNumber(value.toDouble)), identity)
+  }
+
+  object Pap {
+    def apply(value: Int): Pap =
+      RefType.applyRef[Pap](value).fold(error => throw InvalidFormatAttributeError("pap", error, Set.empty, FNumber(value.toDouble)), identity)
+  }
+
+  object String64 {
+    def apply(name: String, value: String): String64 =
+      RefType.applyRef[String64](value).fold(error => throw InvalidFormatAttributeError(name, error, Set.empty, FString(value)), identity)
+  }
+
+  object String128 {
+    def apply(name: String, value: String): String128 =
+      RefType.applyRef[String128](value).fold(error => throw InvalidFormatAttributeError(name, error, Set.empty, FString(value)), identity)
+  }
+
+  object String512 {
+    def apply(name: String, value: String): String512 =
+      RefType.applyRef[String512](value).fold(error => throw InvalidFormatAttributeError(name, error, Set.empty, FString(value)), identity)
+  }
+
+  object Description {
+    def apply(name: String, value: String): Description =
+      RefType.applyRef[Description](value).fold(error => throw InvalidFormatAttributeError(name, error, Set.empty, FString(value)), identity)
+  }
+}

dto/src/main/scala/org/thp/thehive/dto/v0/Alert.scala

@@ -2,22 +2,24 @@ package org.thp.thehive.dto.v0
 
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
+import be.venneborg.refined.play.RefinedJsonFormats._
+import org.thp.thehive.dto.{Description, Pap, Severity, String128, String16, String512, Tlp}
 
 import java.util.Date
 
 case class InputAlert(
-    `type`: String,
-    source: String,
-    sourceRef: String,
-    externalLink: Option[String],
-    title: String,
-    description: String,
-    severity: Option[Int] = None,
+    `type`: String16,
+    source: String16,
+    sourceRef: String128,
+    externalLink: Option[String512],
+    title: String512,
+    description: Description,
+    severity: Option[Severity] = None,
     date: Option[Date] = None,
-    tags: Set[String] = Set.empty,
+    tags: Set[String128] = Set.empty,
     flag: Option[Boolean] = None,
-    tlp: Option[Int] = None,
-    pap: Option[Int] = None,
+    tlp: Option[Tlp] = None,
+    pap: Option[Pap] = None,
     @WithParser(InputCustomFieldValue.parser)
     customFields: Seq[InputCustomFieldValue] = Nil
 )

dto/src/main/scala/org/thp/thehive/dto/v0/Attachment.scala

@@ -1,8 +1,10 @@
 package org.thp.thehive.dto.v0
 
+import org.thp.thehive.dto.String128
 import play.api.libs.json.{Json, OFormat, Writes}
+import be.venneborg.refined.play.RefinedJsonFormats._
 
-case class InputAttachment(name: String, contentType: String, id: String)
+case class InputAttachment(name: String128, contentType: String128, id: String128)
 
 object InputAttachment {
   implicit val writes: Writes[InputAttachment] = Json.writes[InputAttachment]

dto/src/main/scala/org/thp/thehive/dto/v0/Case.scala

@@ -4,20 +4,22 @@ import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
 
 import java.util.Date
+import be.venneborg.refined.play.RefinedJsonFormats._
+import org.thp.thehive.dto.{Description, Pap, Severity, String128, String16, String512, Tlp}
 
 case class InputCase(
-    title: String,
-    description: String,
-    severity: Option[Int] = None,
+    title: String512,
+    description: Description,
+    severity: Option[Severity] = None,
     startDate: Option[Date] = None,
     endDate: Option[Date] = None,
-    tags: Set[String] = Set.empty,
+    tags: Set[String128] = Set.empty,
     flag: Option[Boolean] = None,
-    tlp: Option[Int] = None,
-    pap: Option[Int] = None,
-    status: Option[String] = None,
-    summary: Option[String] = None,
-    user: Option[String] = None,
+    tlp: Option[Tlp] = None,
+    pap: Option[Pap] = None,
+    status: Option[String16] = None,
+    summary: Option[Description] = None,
+    user: Option[String128] = None,
     @WithParser(InputCustomFieldValue.parser)
     customFields: Seq[InputCustomFieldValue] = Nil
 )

dto/src/main/scala/org/thp/thehive/dto/v0/CaseTemplate.scala

@@ -1,21 +1,23 @@
 package org.thp.thehive.dto.v0
 
 import org.thp.scalligraph.controllers.WithParser
+import org.thp.thehive.dto.{Description, Pap, Severity, String128, String64, Tlp}
 import play.api.libs.json.{JsObject, Json, OFormat, OWrites}
 
 import java.util.Date
+import be.venneborg.refined.play.RefinedJsonFormats._
 
 case class InputCaseTemplate(
-    name: String,
-    displayName: Option[String],
-    titlePrefix: Option[String],
-    description: Option[String],
-    severity: Option[Int] = None,
-    tags: Set[String] = Set.empty,
+    name: String64,
+    displayName: Option[String64],
+    titlePrefix: Option[String64],
+    description: Option[Description],
+    severity: Option[Severity] = None,
+    tags: Set[String128] = Set.empty,
     flag: Option[Boolean] = None,
-    tlp: Option[Int] = None,
-    pap: Option[Int] = None,
-    summary: Option[String] = None,
+    tlp: Option[Tlp] = None,
+    pap: Option[Pap] = None,
+    summary: Option[Description] = None,
     tasks: Seq[InputTask] = Nil,
     @WithParser(InputCustomFieldValue.parser)
     customFields: Seq[InputCustomFieldValue] = Nil

dto/src/main/scala/org/thp/thehive/dto/v0/CustomFieldValue.scala

@@ -4,9 +4,11 @@ import org.scalactic.Accumulation._
 import org.scalactic._
 import org.thp.scalligraph.controllers.{FNull, _}
 import org.thp.scalligraph.{AttributeError, InvalidFormatAttributeError}
+import org.thp.thehive.dto.{Description, String16, String64}
 import play.api.libs.json._
 
 import java.util.Date
+import be.venneborg.refined.play.RefinedJsonFormats._
 
 case class OutputCustomField(
     id: String,
@@ -22,43 +24,43 @@ object OutputCustomField {
   implicit val format: OFormat[OutputCustomField] = Json.format[OutputCustomField]
 }
 
-case class InputCustomFieldValue(name: String, value: Option[Any], order: Option[Int])
+case class InputCustomFieldValue(name: String64, value: Option[Any], order: Option[Int])
 
 object InputCustomFieldValue {
 
-  def getStringCustomField(name: String, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
+  def getStringCustomField(name: String64, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
     obj.get("string") match {
       case FUndefined     => None
       case FNull          => Some(Good(InputCustomFieldValue(name, None, obj.getNumber("order").map(_.toInt))))
       case FString(value) => Some(Good(InputCustomFieldValue(name, Some(value), obj.getNumber("order").map(_.toInt))))
       case other          => Some(Bad(One(InvalidFormatAttributeError(s"customField.$name.string", "string", Set.empty, other))))
     }
 
-  def getIntegerCustomField(name: String, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
+  def getIntegerCustomField(name: String64, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
     obj.get("integer") match {
       case FUndefined     => None
       case FNull          => Some(Good(InputCustomFieldValue(name, None, obj.getNumber("order").map(_.toInt))))
       case FNumber(value) => Some(Good(InputCustomFieldValue(name, Some(value.toInt), obj.getNumber("order").map(_.toInt))))
       case other          => Some(Bad(One(InvalidFormatAttributeError(s"customField.$name.integer", "integer", Set.empty, other))))
     }
 
-  def getFloatCustomField(name: String, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
+  def getFloatCustomField(name: String64, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
     obj.get("float") match {
       case FUndefined     => None
       case FNull          => Some(Good(InputCustomFieldValue(name, None, obj.getNumber("order").map(_.toInt))))
-      case FNumber(value) => Some(Good(InputCustomFieldValue(name, Some(value.toDouble), obj.getNumber("order").map(_.toInt))))
+      case FNumber(value) => Some(Good(InputCustomFieldValue(name, Some(value), obj.getNumber("order").map(_.toInt))))
       case other          => Some(Bad(One(InvalidFormatAttributeError(s"customField.$name.float", "float", Set.empty, other))))
     }
 
-  def getDateCustomField(name: String, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
+  def getDateCustomField(name: String64, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
     obj.get("date") match {
       case FUndefined     => None
       case FNull          => Some(Good(InputCustomFieldValue(name, None, obj.getNumber("order").map(_.toInt))))
       case FNumber(value) => Some(Good(InputCustomFieldValue(name, Some(new Date(value.toLong)), obj.getNumber("order").map(_.toInt))))
       case other          => Some(Bad(One(InvalidFormatAttributeError(s"customField.$name.date", "date", Set.empty, other))))
     }
 
-  def getBooleanCustomField(name: String, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
+  def getBooleanCustomField(name: String64, obj: FObject): Option[Or[InputCustomFieldValue, Every[AttributeError]]] =
     obj.get("boolean") match {
       case FUndefined      => None
       case FNull           => Some(Good(InputCustomFieldValue(name, None, obj.getNumber("order").map(_.toInt))))
@@ -71,18 +73,18 @@ object InputCustomFieldValue {
       fields
         .toSeq
         .validatedBy {
-          case (name, FString(value))   => Good(InputCustomFieldValue(name, Some(value), None))
-          case (name, FNumber(value))   => Good(InputCustomFieldValue(name, Some(value), None))
-          case (name, FBoolean(value))  => Good(InputCustomFieldValue(name, Some(value), None))
-          case (name, FAny(value :: _)) => Good(InputCustomFieldValue(name, Some(value), None))
-          case (name, FNull)            => Good(InputCustomFieldValue(name, None, None))
+          case (name, FString(value))   => Good(InputCustomFieldValue(String64("customFieldValue.name", name), Some(value), None))
+          case (name, FNumber(value))   => Good(InputCustomFieldValue(String64("customFieldValue.name", name), Some(value), None))
+          case (name, FBoolean(value))  => Good(InputCustomFieldValue(String64("customFieldValue.name", name), Some(value), None))
+          case (name, FAny(value :: _)) => Good(InputCustomFieldValue(String64("customFieldValue.name", name), Some(value), None))
+          case (name, FNull)            => Good(InputCustomFieldValue(String64("customFieldValue.name", name), None, None))
           case (name, obj: FObject) =>
-            getStringCustomField(name, obj) orElse
-              getIntegerCustomField(name, obj) orElse
-              getFloatCustomField(name, obj) orElse
-              getDateCustomField(name, obj) orElse
-              getBooleanCustomField(name, obj) getOrElse
-              Good(InputCustomFieldValue(name, None, None))
+            getStringCustomField(String64("customFieldValue.name", name), obj) orElse
+              getIntegerCustomField(String64("customFieldValue.name", name), obj) orElse
+              getFloatCustomField(String64("customFieldValue.name", name), obj) orElse
+              getDateCustomField(String64("customFieldValue.name", name), obj) orElse
+              getBooleanCustomField(String64("customFieldValue.name", name), obj) getOrElse
+              Good(InputCustomFieldValue(String64("customFieldValue.name", name), None, None))
           case (name, other) =>
             Bad(
               One(
@@ -95,26 +97,26 @@ object InputCustomFieldValue {
   }
 
   implicit val writes: Writes[Seq[InputCustomFieldValue]] = Writes[Seq[InputCustomFieldValue]] { icfv =>
-    val fields = icfv.map {
-      case InputCustomFieldValue(name, Some(s: String), _)  => name -> JsString(s)
-      case InputCustomFieldValue(name, Some(l: Long), _)    => name -> JsNumber(l)
-      case InputCustomFieldValue(name, Some(d: Double), _)  => name -> JsNumber(d)
-      case InputCustomFieldValue(name, Some(i: Integer), _) => name -> JsNumber(i.toLong)
-      case InputCustomFieldValue(name, Some(f: Float), _)   => name -> JsNumber(f.toDouble)
-      case InputCustomFieldValue(name, Some(b: Boolean), _) => name -> JsBoolean(b)
-      case InputCustomFieldValue(name, Some(d: Date), _)    => name -> JsNumber(d.getTime)
-      case InputCustomFieldValue(name, None, _)             => name -> JsNull
+    val fields: Seq[(String, JsValue)] = icfv.map {
+      case InputCustomFieldValue(name, Some(s: String), _)  => name.value -> JsString(s)
+      case InputCustomFieldValue(name, Some(l: Long), _)    => name.value -> JsNumber(l)
+      case InputCustomFieldValue(name, Some(d: Double), _)  => name.value -> JsNumber(d)
+      case InputCustomFieldValue(name, Some(i: Integer), _) => name.value -> JsNumber(i.toLong)
+      case InputCustomFieldValue(name, Some(f: Float), _)   => name.value -> JsNumber(f.toDouble)
+      case InputCustomFieldValue(name, Some(b: Boolean), _) => name.value -> JsBoolean(b)
+      case InputCustomFieldValue(name, Some(d: Date), _)    => name.value -> JsNumber(d.getTime)
+      case InputCustomFieldValue(name, None, _)             => name.value -> JsNull
       case InputCustomFieldValue(name, other, _)            => sys.error(s"The custom field $name has invalid value: $other (${other.getClass})")
     }
     JsObject(fields)
   }
 }
 
 case class InputCustomField(
-    name: String,
-    description: String,
-    `type`: String,
-    reference: String,
+    name: String64,
+    description: Description,
+    `type`: String16,
+    reference: String64,
     mandatory: Option[Boolean],
     options: Seq[JsValue] = Nil
 )

dto/src/main/scala/org/thp/thehive/dto/v0/Dashboard.scala

@@ -1,10 +1,17 @@
 package org.thp.thehive.dto.v0
 
+import org.thp.thehive.dto.{Description, String16, String512}
 import play.api.libs.json.{Json, OFormat, OWrites}
 
 import java.util.Date
+import be.venneborg.refined.play.RefinedJsonFormats._
 
-case class InputDashboard(title: String, description: String, status: String, definition: String)
+case class InputDashboard(
+    title: String512,
+    description: Description,
+    status: String16,
+    definition: Description
+)
 
 object InputDashboard {
   implicit val writes: OWrites[InputDashboard] = Json.writes[InputDashboard]

dto/src/main/scala/org/thp/thehive/dto/v0/Log.scala

@@ -1,11 +1,16 @@
 package org.thp.thehive.dto.v0
 
 import org.thp.scalligraph.controllers.FFile
+import org.thp.thehive.dto.Description
 import play.api.libs.json.{Json, OFormat}
 
 import java.util.Date
 
-case class InputLog(message: String, startDate: Option[Date] = None, attachment: Option[FFile] = None)
+case class InputLog(
+    message: Description,
+    startDate: Option[Date] = None,
+    attachment: Option[FFile] = None
+)
 
 case class OutputLog(
     _id: String,