Fix a potential security vulnerability in the testpage overlay

This commit is contained in:
James Agnew 2019-05-02 08:13:22 -04:00
parent 5132f1f4ed
commit 8f41159eb1
2 changed files with 30 additions and 10 deletions


@ -32,7 +32,6 @@ import org.hl7.fhir.instance.model.api.IDomainResource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ui.ModelMap;
import org.thymeleaf.ITemplateEngine;
import org.thymeleaf.TemplateEngine;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
@ -63,14 +62,14 @@ public class BaseController {
final String serverBase = theRequest.getServerBase(theServletRequest, myConfig);
final String serverName = theRequest.getServerName(myConfig);
final String apiKey = theRequest.getApiKey(theServletRequest, myConfig);
theModel.put("serverId", serverId);
theModel.put("base", serverBase);
theModel.put("baseName", serverName);
theModel.put("apiKey", apiKey);
theModel.put("resourceName", defaultString(theRequest.getResource()));
theModel.put("encoding", theRequest.getEncoding());
theModel.put("pretty", theRequest.getPretty());
theModel.put("_summary", theRequest.get_summary());
theModel.put("serverId", sanitizeInput(serverId));
theModel.put("base", sanitizeInput(serverBase));
theModel.put("baseName", sanitizeInput(serverName));
theModel.put("apiKey", sanitizeInput(apiKey));
theModel.put("resourceName", sanitizeInput(defaultString(theRequest.getResource())));
theModel.put("encoding", sanitizeInput(theRequest.getEncoding()));
theModel.put("pretty", sanitizeInput(theRequest.getPretty()));
theModel.put("_summary", sanitizeInput(theRequest.get_summary()));
theModel.put("serverEntries", myConfig.getIdToServerName());
return loadAndAddConf(theServletRequest, theRequest, theModel);
@ -307,7 +306,6 @@ public class BaseController {
throw new IllegalStateException("Unknown version: " + theRequest.getFhirVersion(myConfig));
}
private IResource loadAndAddConfDstu2(HttpServletRequest theServletRequest, final HomeRequest theRequest, final ModelMap theModel) {
CaptureInterceptor interceptor = new CaptureInterceptor();
GenericClient client = theRequest.newClient(theServletRequest, getContext(theRequest), myConfig, interceptor);
@ -746,4 +744,21 @@ public class BaseController {
}
private static String sanitizeInput(String theString) {
String retVal = theString;
if (retVal != null) {
for (int i = 0; i < retVal.length(); i++) {
char nextChar = retVal.charAt(i);
switch (nextChar) {
case '\'':
case '"':
case '<':
case '>':
retVal = retVal.replace(nextChar, '_');
}
}
}
return retVal;
}
}
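Review bot: `sanitizeInput` rewrites `'`, `"`, `<` and `>` to `_` before the values reach the model, which is a lossy denylist applied at the source rather than escaping at the sink: a legitimate `apiKey` or `serverBase` containing one of those characters is silently corrupted, and characters that matter in other template contexts (`&` in HTML, backslashes and line terminators inside an inlined JavaScript string) pass through untouched. The templates are not in this diff, so it cannot be confirmed from here whether every use of these model attributes goes through an auto-escaping `th:text`/`th:attr` or an unescaped `th:utext`/inlined-script sink; the durable fix is to keep the raw value in the model and let the template escape for its own context, keeping this filter only as defence in depth. Separately, `String.replace(char, char)` already replaces every occurrence, so calling it inside the per-character loop rescans the whole string on each hit; the same behaviour in one line is `return theString == null ? null : theString.replaceAll("['\"<>]", "_");`. The method also lacks Javadoc; add `/** Replaces HTML/attribute-significant characters with '_'. Lossy: intended only as defence in depth, templates must still escape on output. */`.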


@ -7,6 +7,11 @@
</properties>
<body>
<release version="3.8.0" date="TBD" description="Hippo">
<action type="fix">
A potential security vulnerability in the hapi-fhir-testpage-overlay project was corrected: A URL
parameter was not being correctly escaped, leading to a potential XSS vulnerabnility. A big thanks to
Mudit Punia and Dushyant Garg for reporting this.
</action>
<action type="add">
The version of a few dependencies have been bumped to the
latest versions (dependent HAPI modules listed in brackets):