
Server v2.0.0


@johngrimes released this 09 May 07:24 · 116 commits to main since this release
Tag server-v2.0.0, commit e28cb7f

Introduces the $sqlquery-run operation for executing SQL queries directly against the data warehouse, automatic schema evolution for resource updates, and a substantial round of security hardening across the bulk-data and import operations.

Breaking changes

This is a major version release. Several security-driven changes alter the default behaviour of existing operations. Operators upgrading from server v1.2.x should review the following before deploying:

  • URL allowlists are now mandatory. pathling.import.pnp.allowableExportUrls and pathling.bulkSubmit.allowableSources both default to [], and an empty list now causes every request to the corresponding operation to be rejected. Previously, $bulk-submit fell open with an https:// default, and $import-pnp only enforced its allowlist when PNP credentials were configured. The previously documented default for pathling.bulkSubmit.allowableSources (https://) has also been corrected. Existing deployments must explicitly populate these lists to continue using $import-pnp and $bulk-submit.
  • Plain-HTTP URLs are rejected by default. $import, $import-pnp, and $bulk-submit now refuse http:// URLs in their allowlists and request payloads regardless of whether an http:// prefix has been configured. A new server-wide flag pathling.allowInsecureUrls (default false) can be set to restore the previous behaviour. https, s3, and file URLs are unaffected.
  • URL allowlist matching is URI-aware. Allowlist entries for $import, $import-pnp, and $bulk-submit are no longer compared with String.startsWith. URI-aware matching is stricter: bare-host prefixes that previously matched unrelated hosts (for example https://allowed.example.com matching https://allowed.example.com.attacker.org) will no longer match. Review existing allowlist entries to confirm they still cover the intended URLs.
  • Per-resource authority checks on typed CRUD and batch operations. Search, Read, Create, Update, Delete, and Batch providers now enforce per-resource read and write authorities in addition to operation-level authorities (pathling:search, pathling:update, etc.). Tokens that hold only coarse-grained operation authorities, without the corresponding pathling:read:<ResourceType> or pathling:write:<ResourceType>, will be rejected where they were previously accepted.
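
To make the two preceding items concrete, here is an added Java illustration (not Pathling's own code) of why a String.startsWith allowlist is unsafe and what URI-aware matching with plain-HTTP rejection looks like. The class and method names are hypothetical, and the allowInsecureUrls argument stands in for the pathling.allowInsecureUrls flag.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public final class AllowlistCheck {
  // Old approach (hypothetical reconstruction): "https://allowed.example.com" also
  // matches "https://allowed.example.com.attacker.org/..." because it is only a prefix.
  static boolean matchesByPrefix(List<String> allowlist, String url) {
    return allowlist.stream().anyMatch(url::startsWith);
  }

  // URI-aware approach: scheme, host and port must match (case-insensitively for
  // scheme and host) and the request path must sit at or under the entry's path.
  static boolean matchesByUri(List<String> allowlist, String url, boolean allowInsecureUrls) {
    final URI candidate = parse(url);
    if (candidate == null || candidate.getScheme() == null || candidate.getHost() == null) {
      return false; // fail closed: relative, opaque or unparseable URLs never match
    }
    if (!allowInsecureUrls && "http".equalsIgnoreCase(candidate.getScheme())) {
      return false; // http:// is rejected unless explicitly permitted server-wide
    }
    for (String entry : allowlist) {
      final URI allowed = parse(entry);
      if (allowed == null || allowed.getScheme() == null || allowed.getHost() == null
          || (!allowInsecureUrls && "http".equalsIgnoreCase(allowed.getScheme()))) {
        continue; // malformed or http:// entries are skipped, never treated as wildcards
      }
      if (allowed.getScheme().equalsIgnoreCase(candidate.getScheme())
          && allowed.getHost().equalsIgnoreCase(candidate.getHost())
          && allowed.getPort() == candidate.getPort()
          && pathUnder(allowed.getPath(), candidate.getPath())) {
        return true;
      }
    }
    return false;
  }

  // "/export" covers "/export" and "/export/..." but not "/exporter"; "" behaves as "/".
  private static boolean pathUnder(String allowedPath, String candidatePath) {
    final String a = allowedPath.isEmpty() ? "/" : allowedPath;
    final String c = candidatePath.isEmpty() ? "/" : candidatePath;
    return c.equals(a) || c.startsWith(a.endsWith("/") ? a : a + "/");
  }

  // normalize() collapses "." and ".." segments before comparison; null on syntax errors.
  private static URI parse(String url) {
    try { return new URI(url).normalize(); } catch (URISyntaxException e) { return null; }
  }
}
```

With the allowlist ["https://allowed.example.com"], matchesByPrefix accepts https://allowed.example.com.attacker.org/export while matchesByUri rejects it, and matchesByUri also rejects http://allowed.example.com/export unless allowInsecureUrls is true.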

New features

$sqlquery-run operation

A new server operation that runs ad-hoc Spark SQL queries against the data warehouse, including queries that reference SQL on FHIR ViewDefinitions as virtual tables. Results can be returned in tabular formats including CSV, JSON, NDJSON, and FHIR Parameters.

Key capabilities:

  • Inline SQL or stored Library-resource queries, with parameter binding.
  • Automatic registration of ViewDefinitions as temporary views, scoped per request.
  • Configurable wall-clock timeout and unconditional row cap to keep ad-hoc queries bounded.
  • Defence-in-depth SQL validation that rejects built-in table-valued functions (TVFs), arbitrary local file reads, and Pathling-registered UDFs in user-supplied SQL.

Admin UI support is included, with separate inline-query and stored-query tabs, runtime parameter bindings, and a tabular result preview.

Read the docs: SQL query run

Schema evolution on update

$update, create, and batch operations now support automatic schema merging when an incoming resource introduces new fields. A migration mode allows the warehouse schema to evolve in place without dropping data, with drift detection to surface unexpected changes.

Hadoop FileSystem-based job I/O

Job-result downloads, $bulk-submit staging, and $import-pnp downloads have been migrated to use Hadoop FileSystem APIs. This makes the storage layer pluggable across local filesystems and cloud object stores using a single code path, and adds a Hadoop-aware helper for warehouse job directory access.

Security

A substantial round of hardening was applied to the bulk-data and import operations:

  • URL allowlists are now mandatory for $import-pnp and $bulk-submit, with URI-aware matching that replaces the previous string-prefix approach.
  • Plain-HTTP URLs are rejected by default for outgoing connections.
  • SSRF protections close IP-class gaps in $import-pnp, fail closed when the export URL host cannot be resolved, and block IPv6 unique-local and IPv4 any-local addresses.
  • The discovered OAuth token endpoint and oauthMetadataUrl are validated against allowable sources for $bulk-submit.
  • Path containment and symlink resolution checks have been added across FileController, ExportResultProvider, ExportResponse, and $import-pnp download handling to prevent path traversal.
  • Per-resource authority checks are now applied to typed CRUD and batch providers, and the authenticated principal is verified in the $import-pnp auth interlock.
  • Server dependencies have been bumped to address upstream security advisories.
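
As an added example of the path containment and symlink resolution check described above for file download handling (not the project's code; names are hypothetical), written in Java: a client-supplied relative name is checked lexically against the base directory first, and then again after symlinks have been resolved.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

public final class ContainedPath {

  // Resolves a client-supplied relative name under baseDir and returns its real
  // (symlink-resolved) path, or null when the file is missing or lies outside baseDir.
  static Path resolveContained(Path baseDir, String requested) throws IOException {
    final Path realBase = baseDir.toRealPath(); // base itself must exist and is canonicalised
    final Path candidate;
    try {
      candidate = realBase.resolve(requested).normalize();
    } catch (InvalidPathException e) {
      return null; // e.g. an embedded NUL byte; never reaches the filesystem
    }
    // Lexical containment: "../x" and absolute names such as "/etc/passwd" escape here.
    // Path.startsWith compares whole segments, so "/data2" is not under "/data".
    if (!candidate.startsWith(realBase)) {
      return null;
    }
    final Path real;
    try {
      real = candidate.toRealPath(); // follows symlinks; throws if the file does not exist
    } catch (NoSuchFileException e) {
      return null;
    }
    // Physical containment: a symlink inside the directory that points outside fails here.
    return real.startsWith(realBase) ? real : null;
  }
}
```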

Bug fixes

  • The top line of a search result in the admin UI now fills the full card width (#2559).

Full Changelog: server-v1.2.0...server-v2.0.0