resolve 3.1.1

openmrs · Oct 1, 2024 · 66eb999 · 66eb999
1 parent f29296d
commit 66eb999
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
@@ -62,6 +62,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 			session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.null");
 			return;
 		}
+
 		if (!Context.hasPrivilege(PrivilegeConstants.GET_PATIENTS)) {
 			session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "Privilege required: " + PrivilegeConstants.GET_PATIENTS);
 			session.setAttribute(WebConstants.OPENMRS_LOGIN_REDIRECT_HTTPSESSION_ATTR, request.getRequestURI() + "?"
@@ -70,6 +71,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 			return;
 		}
 
+		reportType = sanitizeInput(reportType);
+
+		if (!isValidReportType(reportType)) {
+			session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.invalidReportType");
+			return;
+		}
+
 		try {
 			Velocity.init();
 		}
@@ -359,4 +367,16 @@ private String getTemplate(String reportType) {
 
 		return template;
 	}
+
+	private String sanitizeInput(String input) {
+		if (input == null) {
+			return null;
+		}
+		return input.replaceAll("[<>\"'%;()&+]", "");
+	}
+
+	private boolean isValidReportType(String reportType) {
+		return "RETURN VISIT DATE THIS WEEK".equals(reportType) || "ATTENDED CLINIC THIS WEEK".equals(reportType)
+		        || "VOIDED OBS".equals(reportType);
+	}
 }