Skip to content

Fix Path Traversal and XSS Security Vulnerabilities Detected by SpotBugs #5546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DuoChen-317 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix Path Traversal and XSS Security Vulnerabilities Detected by SpotBugs #5546

DuoChen-317 wants to merge 1 commit into from

Conversation

@DuoChen-317
Copy link

@DuoChen-317 DuoChen-317 commented Dec 1, 2025

This PR fixes multiple security vulnerabilities detected by SpotBugs Security in the OpenMRS Core codebase.

Changes include:

  • Added canonical path validation to prevent Path Traversal attacks in several file operations.
  • Ensured path normalization and rejection of unsafe paths containing "..".
  • Updated File constructors to use sanitized absolute paths.
  • Added HTML escaping to all PrintWriter.write() calls that output request-derived content to prevent XSS.
  • Ensured JSON responses use proper escaping or safe serialization.
  • Removed unsafe string-based SQL concatenation and replaced with parameterized logic where applicable.

These changes eliminate all reported warnings under:
Security → Potential Path Traversal (file read)
Security → Potential XSS in Servlet
Security → Potential SQL Injection

jwnasambu
jwnasambu suggested changes Dec 10, 2025
View reviewed changes
web/src/main/java/org/openmrs/module/web/WebModuleUtil.java
// clear the module messages
String messagesPath = realPath + "/WEB-INF/";
File folder = new File(messagesPath.replace("/", File.separator));
// Normalize separators
Copy link
Contributor

@jwnasambu jwnasambu Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kindly the comments here don’t seem to add extra value so it would be better to remove them and rely on the code readability instead.

web/src/main/java/org/openmrs/module/web/WebModuleUtil.java
// Normalize separators
String safePath = messagesPath.replace("/", File.separator);

// Detect basic path traversal patterns
Copy link
Contributor

@jwnasambu jwnasambu Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

web/src/main/java/org/openmrs/module/web/WebModuleUtil.java
File moduleWebFolder = new File(absPath.replace("/", File.separator));
String absPath = realPath + "/WEB-INF/web/module/" + moduleId;

// normalize path separator
Copy link
Contributor

@jwnasambu jwnasambu Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. Kindly remove all the comments that starts with //.

web/src/main/java/org/openmrs/web/filter/update/UpdateFilter.java

addLogLinesToResponse(result);
}
Copy link
Contributor

@jwnasambu jwnasambu Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there away you can fix the format changes please?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jwnasambu jwnasambu jwnasambu requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DuoChen-317 @jwnasambu