
Fix a potential security vulneability in the testpage overlay

jamesagnew committed May 2, 2019
1 parent 5132f1f commit 8f41159eb147eeb964cad68b28eff97acac6ea9a
@@ -32,7 +32,6 @@
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ui.ModelMap;
import org.thymeleaf.ITemplateEngine;
import org.thymeleaf.TemplateEngine;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
@@ -63,14 +62,14 @@ protected IBaseResource addCommonParams(HttpServletRequest theServletRequest, fi
final String serverBase = theRequest.getServerBase(theServletRequest, myConfig);
final String serverName = theRequest.getServerName(myConfig);
final String apiKey = theRequest.getApiKey(theServletRequest, myConfig);
theModel.put("serverId", serverId);
theModel.put("base", serverBase);
theModel.put("baseName", serverName);
theModel.put("apiKey", apiKey);
theModel.put("resourceName", defaultString(theRequest.getResource()));
theModel.put("encoding", theRequest.getEncoding());
theModel.put("pretty", theRequest.getPretty());
theModel.put("_summary", theRequest.get_summary());
theModel.put("serverId", sanitizeInput(serverId));
theModel.put("base", sanitizeInput(serverBase));
theModel.put("baseName", sanitizeInput(serverName));
theModel.put("apiKey", sanitizeInput(apiKey));
theModel.put("resourceName", sanitizeInput(defaultString(theRequest.getResource())));
theModel.put("encoding", sanitizeInput(theRequest.getEncoding()));
theModel.put("pretty", sanitizeInput(theRequest.getPretty()));
theModel.put("_summary", sanitizeInput(theRequest.get_summary()));
theModel.put("serverEntries", myConfig.getIdToServerName());

return loadAndAddConf(theServletRequest, theRequest, theModel);
@@ -307,7 +306,6 @@ private IBaseResource loadAndAddConf(HttpServletRequest theServletRequest, final
throw new IllegalStateException("Unknown version: " + theRequest.getFhirVersion(myConfig));
}


private IResource loadAndAddConfDstu2(HttpServletRequest theServletRequest, final HomeRequest theRequest, final ModelMap theModel) {
CaptureInterceptor interceptor = new CaptureInterceptor();
GenericClient client = theRequest.newClient(theServletRequest, getContext(theRequest), myConfig, interceptor);
@@ -746,4 +744,21 @@ public void interceptResponse(IHttpResponse theResponse) throws IOException {

}

private static String sanitizeInput(String theString) {
String retVal = theString;
if (retVal != null) {
for (int i = 0; i < retVal.length(); i++) {
char nextChar = retVal.charAt(i);
switch (nextChar) {
case '\'':
case '"':
case '<':
case '>':
retVal = retVal.replace(nextChar, '_');
}
}
}
return retVal;
}

}
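Review bot: sanitizeInput in this hunk is a character blacklist rather than an output encoding: it rewrites `'`, `"`, `<` and `>` to `_` but leaves `&` and everything else intact, so whether it is sufficient depends entirely on the context each model value is rendered into (HTML text, attribute, inline script, URL), which this commit does not show. It is also lossy: an `apiKey` or `serverBase` that legitimately contains one of those characters now reaches the template altered, and the same applies to every value wrapped in the addCommonParams hunk above. The more robust fix is to keep the model values untouched and escape at the rendering site (Thymeleaf `th:text` HTML-escapes by default; `HtmlUtils.htmlEscape` from Spring, already a dependency of this file, covers strings assembled by hand), treating this helper only as defence in depth. If the helper stays, the per-character loop that re-scans the whole string via `replace` on every hit can be written as `return theString == null ? null : theString.replaceAll("[\"'<>&]", "_");`, with a Javadoc line stating that it is a lossy character filter, not an encoder. The enclosing class starts outside the hunk.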
@@ -7,6 +7,11 @@
</properties>
<body>
<release version="3.8.0" date="TBD" description="Hippo">
<action type="fix">
A potential security vulnerability in the hapi-fhir-testpage-overlay project was corrected: A URL
parameter was not being correctly escaped, leading to a potential XSS vulnerabnility. A big thanks to
Mudit Punia and Dushyant Garg for reporting this.
</action>
<action type="add">
The version of a few dependencies have been bumped to the
latest versions (dependent HAPI modules listed in brackets):
