From 66eb999be9c89023a8e048324cbab3fb49490a03 Mon Sep 17 00:00:00 2001
From: slubwama1
Date: Tue, 1 Oct 2024 04:07:31 +0300
Subject: [PATCH 1/3] resolve 3.1.1
---
 .../web/servlet/QuickReportServlet.java | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
index 6d72c7b7..35a525e3 100644
--- a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
+++ b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
@@ -62,6 +62,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.null");
 return;
 }
+
 if (!Context.hasPrivilege(PrivilegeConstants.GET_PATIENTS)) {
 session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "Privilege required: " + PrivilegeConstants.GET_PATIENTS);
 session.setAttribute(WebConstants.OPENMRS_LOGIN_REDIRECT_HTTPSESSION_ATTR, request.getRequestURI() + "?"
@@ -70,6 +71,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 return;
 }
+ reportType = sanitizeInput(reportType);
+
+ if (!isValidReportType(reportType)) {
+ session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.invalidReportType");
+ return;
+ }
+
 try {
 Velocity.init();
 }
@@ -359,4 +367,16 @@ private String getTemplate(String reportType) {
 return template;
 }
+
+ private String sanitizeInput(String input) {
+ if (input == null) {
+ return null;
+ }
+ return input.replaceAll("[<>\"'%;()&+]", "");
+ }
+
+ private boolean isValidReportType(String reportType) {
+ return "RETURN VISIT DATE THIS WEEK".equals(reportType) || "ATTENDED CLINIC THIS WEEK".equals(reportType)
+ || "VOIDED OBS".equals(reportType);
+ }
 }
From a12db1352d5367aba4e4b3302daa97965197233c Mon Sep 17 00:00:00 2001
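Review bot: In the second hunk `sanitizeInput` rewrites `reportType` before `isValidReportType` compares it against exact literals, so the strip step adds nothing to the check and instead lets a value that differs from a listed name only by a stripped character pass as that name — validate the raw parameter first and reject, rather than repair, anything not on the list. The attribute value `error.invalidReportType` presumably resolves through the same message bundle as `error.null` above; confirm the key exists there. In the third hunk the three names could be held in a `private static final Set<String> VALID_REPORT_TYPES`, with `isValidReportType` reduced to `return VALID_REPORT_TYPES.contains(reportType);`. doGet's body continues outside the hunk.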
From: slubwama1
Date: Tue, 1 Oct 2024 13:20:54 +0300
Subject: [PATCH 2/3] Keep only sanitization functionality
---
 .../org/openmrs/web/servlet/QuickReportServlet.java | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
index 35a525e3..58e837bb 100644
--- a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
+++ b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
@@ -73,11 +73,6 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 reportType = sanitizeInput(reportType);
- if (!isValidReportType(reportType)) {
- session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.invalidReportType");
- return;
- }
-
 try {
 Velocity.init();
 }
@@ -374,9 +369,4 @@ private String sanitizeInput(String input) {
 }
 return input.replaceAll("[<>\"'%;()&+]", "");
 }
-
- private boolean isValidReportType(String reportType) {
- return "RETURN VISIT DATE THIS WEEK".equals(reportType) || "ATTENDED CLINIC THIS WEEK".equals(reportType)
- || "VOIDED OBS".equals(reportType);
- }
 }
From 80656c4bebe4b395fe7f83d0eb01c3af636c7518 Mon Sep 17 00:00:00 2001
From: slubwama1
Date: Tue, 1 Oct 2024 18:15:12 +0300
Subject: [PATCH 3/3] use already established methods
---
 .../org/openmrs/web/servlet/QuickReportServlet.java | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
index 58e837bb..afe3d280 100644
--- a/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
+++ b/omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
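Review bot: Dropping `isValidReportType` in the first hunk leaves `reportType` bounded only by the character strip in `sanitizeInput`, which is a short character denylist rather than an exact-name check, so the value that continues into the code below is still caller-controlled. If the intent is that `getTemplate(String reportType)` (named in the second hunk's header) copes with unknown names, record that at the assignment, e.g. `// reportType is only character-stripped here; unknown names are handled by getTemplate()`; otherwise the exact-match check belongs here. doGet's body continues outside the hunk.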
@@ -45,6 +45,7 @@ import org.openmrs.util.OpenmrsConstants;
 import org.openmrs.util.PrivilegeConstants;
 import org.openmrs.web.WebConstants;
+import org.openmrs.web.WebUtil;
 public class QuickReportServlet extends HttpServlet {
@@ -71,7 +72,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 return;
 }
- reportType = sanitizeInput(reportType);
+ reportType = WebUtil.escapeHTML(reportType);
 try {
 Velocity.init();
@@ -362,11 +363,4 @@ private String getTemplate(String reportType) {
 return template;
 }
-
- private String sanitizeInput(String input) {
- if (input == null) {
- return null;
- }
- return input.replaceAll("[<>\"'%;()&+]", "");
- }
 }
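Review bot: `WebUtil.escapeHTML(reportType)` in the second hunk applies HTML output encoding to a request parameter at the point it is read, yet the third hunk's header shows the same value later reaches `getTemplate(String reportType)`, where it selects which report runs; entity-encoding does not validate a selector, and a legitimate name containing `&` or a quote would be altered before that lookup, so the control here should be an exact comparison against the known report names, with HTML escaping left to the place the value is rendered. If the escape is meant for the value being echoed into the error attribute or the Velocity output, a comment at the assignment, e.g. `// escaped here because reportType is echoed into the rendered page; template selection relies on exact names`, would make that intent reviewable. Whether `escapeHTML` tolerates null is not visible in the hunk; the earlier `error.null` branch presumably guarantees a non-null value by this point. doGet's body continues outside the hunk.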