honeymoose
/
hapi-fhir
mirror of https://github.com/hapifhir/hapi-fhir.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Address github security report (#3492)

This commit is contained in:
James Agnew 2022-03-25 07:41:48 -04:00 committed by GitHub
parent 34eb47aba6
commit 23cb65af25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/RestfulResponse.java
View File

@ -33,7 +33,7 @@ public abstract class RestfulResponse<T extends RequestDetails> implements IRest
private IIdType myOperationResourceId;
private IPrimitiveType<Date> myOperationResourceLastUpdated;
private Map<String, List<String>> theHeaders = new HashMap<>();
private final Map<String, List<String>> myHeaders = new HashMap<>();
private T theRequestDetails;
public RestfulResponse(T requestDetails) {
@ -51,7 +51,7 @@ public abstract class RestfulResponse<T extends RequestDetails> implements IRest
*/
@Override
public Map<String, List<String>> getHeaders() {
return theHeaders;
return myHeaders;
}
/**

10
hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/servlet/ServletRestfulResponse.java
View File

@ -24,6 +24,7 @@ import ca.uhn.fhir.rest.api.Constants;
import ca.uhn.fhir.rest.api.MethodOutcome;
import ca.uhn.fhir.rest.api.server.ParseAction;
import ca.uhn.fhir.rest.server.RestfulResponse;
import org.apache.commons.lang3.StringUtils;
import org.hl7.fhir.instance.model.api.IBaseBinary;
import javax.servlet.ServletOutputStream;
@ -80,9 +81,12 @@ public class ServletRestfulResponse extends RestfulResponse<ServletRequestDetail
HttpServletResponse theHttpResponse = getRequestDetails().getServletResponse();
getRequestDetails().getServer().addHeadersToResponse(theHttpResponse);
for (Entry<String, List<String>> header : getHeaders().entrySet()) {
final String key = header.getKey();
String key = header.getKey();
key = sanitizeHeaderField(key);
boolean first = true;
for (String value : header.getValue()) {
value = sanitizeHeaderField(value);
// existing headers should be overridden
if (first) {
theHttpResponse.setHeader(key, value);
@ -94,6 +98,10 @@ public class ServletRestfulResponse extends RestfulResponse<ServletRequestDetail
}
}
static String sanitizeHeaderField(String theKey) {
return StringUtils.replaceChars(theKey, "\r\n", null);
}
@Override
public final Writer sendWriterResponse(int theStatus, String theContentType, String theCharset, Writer theWriter) {
return theWriter;

9
hapi-fhir-server/src/test/java/ca/uhn/fhir/rest/server/servlet/ServletRestfulResponseTest.java
View File

@ -13,6 +13,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
@ -52,4 +53,12 @@ public class ServletRestfulResponseTest {
orderVerifier.verify(servletResponse).addHeader(eq("Authorization"), eq("Bearer"));
verify(servletResponse).setHeader(eq("Cache-Control"), eq("no-cache, no-store"));
}
@Test
public void testSanitizeHeaderField() {
assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("A\nB"));
assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("A\r\r\rB"));
assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("AB"));
}
}