Fix a potential security vulneability in the testpage overlay

hapifhir · May 2, 2019 · 8f41159 · 8f41159
1 parent 5132f1f
commit 8f41159
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 10 deletions.
diff --git a/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java b/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java
@@ -32,7 +32,6 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.ui.ModelMap;
 import org.thymeleaf.ITemplateEngine;
-import org.thymeleaf.TemplateEngine;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -63,14 +62,14 @@ protected IBaseResource addCommonParams(HttpServletRequest theServletRequest, fi
 		final String serverBase = theRequest.getServerBase(theServletRequest, myConfig);
 		final String serverName = theRequest.getServerName(myConfig);
 		final String apiKey = theRequest.getApiKey(theServletRequest, myConfig);
-		theModel.put("serverId", serverId);
-		theModel.put("base", serverBase);
-		theModel.put("baseName", serverName);
-		theModel.put("apiKey", apiKey);
-		theModel.put("resourceName", defaultString(theRequest.getResource()));
-		theModel.put("encoding", theRequest.getEncoding());
-		theModel.put("pretty", theRequest.getPretty());
-		theModel.put("_summary", theRequest.get_summary());
+		theModel.put("serverId", sanitizeInput(serverId));
+		theModel.put("base", sanitizeInput(serverBase));
+		theModel.put("baseName", sanitizeInput(serverName));
+		theModel.put("apiKey", sanitizeInput(apiKey));
+		theModel.put("resourceName", sanitizeInput(defaultString(theRequest.getResource())));
+		theModel.put("encoding", sanitizeInput(theRequest.getEncoding()));
+		theModel.put("pretty", sanitizeInput(theRequest.getPretty()));
+		theModel.put("_summary", sanitizeInput(theRequest.get_summary()));
 		theModel.put("serverEntries", myConfig.getIdToServerName());
 
 		return loadAndAddConf(theServletRequest, theRequest, theModel);
@@ -307,7 +306,6 @@ private IBaseResource loadAndAddConf(HttpServletRequest theServletRequest, final
 		throw new IllegalStateException("Unknown version: " + theRequest.getFhirVersion(myConfig));
 	}
 
-
 	private IResource loadAndAddConfDstu2(HttpServletRequest theServletRequest, final HomeRequest theRequest, final ModelMap theModel) {
 		CaptureInterceptor interceptor = new CaptureInterceptor();
 		GenericClient client = theRequest.newClient(theServletRequest, getContext(theRequest), myConfig, interceptor);
@@ -746,4 +744,21 @@ public void interceptResponse(IHttpResponse theResponse) throws IOException {
 
 	}
 
+	private static String sanitizeInput(String theString) {
+		String retVal = theString;
+		if (retVal != null) {
+			for (int i = 0; i < retVal.length(); i++) {
+				char nextChar = retVal.charAt(i);
+				switch (nextChar) {
+					case '\'':
+					case '"':
+					case '<':
+					case '>':
+						retVal = retVal.replace(nextChar, '_');
+				}
+			}
+		}
+		return retVal;
+	}
+
 }
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -7,6 +7,11 @@
 	</properties>
 	<body>
 		<release version="3.8.0" date="TBD" description="Hippo">
+			<action type="fix">
+				A potential security vulnerability in the hapi-fhir-testpage-overlay project was corrected: A URL
+				parameter was not being correctly escaped, leading to a potential XSS vulnerabnility. A big thanks to
+				Mudit Punia and Dushyant Garg for reporting this.
+			</action>
 			<action type="add">
 				The version of a few dependencies have been bumped to the
 				latest versions (dependent HAPI modules listed in brackets):