From 8f41159eb147eeb964cad68b28eff97acac6ea9a Mon Sep 17 00:00:00 2001
From: James Agnew
Date: Thu, 2 May 2019 08:13:22 -0400
Subject: [PATCH] Fix a potential security vulneability in the testpage overlay
---
 .../java/ca/uhn/fhir/to/BaseController.java | 35 +++++++++++++------
 src/changes/changes.xml | 5 +++
 2 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java b/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java
index 979c83148ad0..ad48f5a2bd79 100644
--- a/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java
+++ b/hapi-fhir-testpage-overlay/src/main/java/ca/uhn/fhir/to/BaseController.java
@@ -32,7 +32,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.ui.ModelMap;
 import org.thymeleaf.ITemplateEngine;
-import org.thymeleaf.TemplateEngine;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -63,14 +62,14 @@ protected IBaseResource addCommonParams(HttpServletRequest theServletRequest, fi
 final String serverBase = theRequest.getServerBase(theServletRequest, myConfig);
 final String serverName = theRequest.getServerName(myConfig);
 final String apiKey = theRequest.getApiKey(theServletRequest, myConfig);
- theModel.put("serverId", serverId);
- theModel.put("base", serverBase);
- theModel.put("baseName", serverName);
- theModel.put("apiKey", apiKey);
- theModel.put("resourceName", defaultString(theRequest.getResource()));
- theModel.put("encoding", theRequest.getEncoding());
- theModel.put("pretty", theRequest.getPretty());
- theModel.put("_summary", theRequest.get_summary());
+ theModel.put("serverId", sanitizeInput(serverId));
+ theModel.put("base", sanitizeInput(serverBase));
+ theModel.put("baseName", sanitizeInput(serverName));
+ theModel.put("apiKey", sanitizeInput(apiKey));
+ theModel.put("resourceName", sanitizeInput(defaultString(theRequest.getResource())));
+ theModel.put("encoding", sanitizeInput(theRequest.getEncoding()));
+ theModel.put("pretty", sanitizeInput(theRequest.getPretty()));
+ theModel.put("_summary", sanitizeInput(theRequest.get_summary()));
 theModel.put("serverEntries", myConfig.getIdToServerName());
 return loadAndAddConf(theServletRequest, theRequest, theModel);
@@ -307,7 +306,6 @@ private IBaseResource loadAndAddConf(HttpServletRequest theServletRequest, final
 throw new IllegalStateException("Unknown version: " + theRequest.getFhirVersion(myConfig));
 }
-
 private IResource loadAndAddConfDstu2(HttpServletRequest theServletRequest, final HomeRequest theRequest, final ModelMap theModel) {
 CaptureInterceptor interceptor = new CaptureInterceptor();
 GenericClient client = theRequest.newClient(theServletRequest, getContext(theRequest), myConfig, interceptor);
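Review bot: Rewriting `'`, `"`, `<` and `>` to `_` before the values go into the model (the eight `sanitizeInput(...)` calls in this hunk) is a character blacklist, not an output encoding, so it only covers places where a template emits these attributes unescaped into plain HTML text; in an attribute, URL or script context other characters (`&`, backslash, line breaks) remain significant, and `base`, `baseName` and `apiKey` may legitimately contain `'` and are then silently altered rather than escaped. The more robust fix is to keep the model values intact and let the templates escape for the rendering context (Thymeleaf `th:text`/`th:attr` escape by default; any `th:utext` or inline-script use of these attributes should be audited). If the rewriting stays as defence in depth, say so where it is applied: `// Defence in depth only: strips HTML metacharacters; templates must still escape for their context`. addCommonParams begins before this hunk.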
@@ -746,4 +744,21 @@ public void interceptResponse(IHttpResponse theResponse) throws IOException {
 }
+ private static String sanitizeInput(String theString) {
+ String retVal = theString;
+ if (retVal != null) {
+ for (int i = 0; i < retVal.length(); i++) {
+ char nextChar = retVal.charAt(i);
+ switch (nextChar) {
+ case '\'':
+ case '"':
+ case '<':
+ case '>':
+ retVal = retVal.replace(nextChar, '_');
+ }
+ }
+ }
+ return retVal;
+ }
+
 }
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 06d3ba70d7bf..849b7e4e35da 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -7,6 +7,11 @@
+
+ A potential security vulnerability in the hapi-fhir-testpage-overlay project was corrected: A URL
+ parameter was not being correctly escaped, leading to a potential XSS vulnerabnility. A big thanks to
+ Mudit Punia and Dushyant Garg for reporting this.
+
 The version of a few dependencies have been bumped to the latest versions (dependent HAPI modules listed in brackets):
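Review bot: The added `sanitizeInput` calls `retVal.replace(nextChar, '_')` from inside the per-character loop, so every matching character rescans and copies the whole string (positions already rewritten to `_` are visited again), and the `switch` relies on unannotated fall-through with no `default`; a single pass over a `StringBuilder` produces the same result more directly. The method also carries no Javadoc saying that it is a blacklist of four characters (`&` is not covered) rather than an HTML or JavaScript encoder, which callers need to know so they do not treat its output as safe for unescaped rendering. The rewritten method is below; behaviour is unchanged except that a string with nothing to replace is returned as an equal copy rather than the same instance.
```java
/**
 * Replaces {@code '}, {@code "}, {@code <} and {@code >} with {@code _}.
 * This is a character blacklist, not an HTML or JavaScript encoder: templates
 * must still escape these values for the context in which they render them.
 *
 * @param theString value to rewrite, may be {@code null}
 * @return the rewritten value, or {@code null} if {@code theString} is {@code null}
 */
private static String sanitizeInput(String theString) {
    if (theString == null) {
        return null;
    }
    StringBuilder retVal = new StringBuilder(theString.length());
    for (char nextChar : theString.toCharArray()) {
        boolean isMeta = nextChar == '\'' || nextChar == '"' || nextChar == '<' || nextChar == '>';
        retVal.append(isMeta ? '_' : nextChar);
    }
    return retVal.toString();
}
```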