Comments (5)
Updates performed.
from ecrnow.
The path manipulation issues related to the attachment filename have not been addressed. I believe we talked about checking to see whether the file name (DirectResponseReceiver.java:103) contained either path slashes, forward or back. But upon further reflection, as you are writing to a file and then reading it back in, you should probably just generate the name used to guarantee uniqueness and prevent concurrency issues if multiple requests arrive with the same name.
Also, with the introduction of password encryption, the algorithm chosen has been flagged as weak. Search for "Weak Encryption: Insecure Mode of Operation" in the attached workbook; it has recommendations for how to address it.
from ecrnow.
The latest changes to address the encryption improve the related 2 issues from critical to high. However, now the initialization vector is predictable and thus still insecure.
The code
byte[] iv = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
IvParameterSpec ivspec = new IvParameterSpec(iv);
should be changed to something like
SecureRandom random = new SecureRandom();
byte[] iv = random.generateSeed(16);
IvParameterSpec ivspec = new IvParameterSpec(iv);
from ecrnow.
The new function, getRandomString in ApplicationUtils is now being flagged for insecure random. I am thinking the simplest way to create a random file name is to use UUID.randomUUID() as part of it.
from ecrnow.
The latest updates address the issues reported by HPE Fortify
from ecrnow.
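The two remediations discussed in this thread (a fresh, unpredictable IV for every encryption, and a generated attachment file name instead of the client-supplied one) can be put together in a small self-contained class. The code below is an added example, not code from the ecrnow project or from any commenter; the class name, the choice of AES/CBC with PKCS5 padding, the IV-prepended output layout, and the sample plaintext are all assumptions made here for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class, not part of the ecrnow code base.
public final class AttachmentCryptoExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int IV_LENGTH = 16; // AES block size in bytes
    // Assumed mode; the thread does not say which mode the project settled on.
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /** A new random IV for every call. nextBytes is the API for IV material;
     *  generateSeed is meant for seeding other generators and may block. */
    static byte[] newIv() {
        byte[] iv = new byte[IV_LENGTH];
        RANDOM.nextBytes(iv);
        return iv;
    }

    /** Output layout is IV || ciphertext: the IV need not be secret, only unpredictable,
     *  so it can travel with the data and the reader never has to guess it. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = newIv();
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        if (ivAndCiphertext.length < IV_LENGTH) {
            throw new IllegalArgumentException("input shorter than one IV");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, IV_LENGTH);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, IV_LENGTH, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    /** Server-generated name: unique per request (no collision when two requests carry the
     *  same attachment name) and built from a UUID, so no client-controlled path separators
     *  can reach the file system. Only a short alphanumeric extension is kept from the input. */
    static String generatedAttachmentName(String originalName) {
        String ext = "";
        int dot = originalName.lastIndexOf('.');
        if (dot >= 0 && dot < originalName.length() - 1) {
            String candidate = originalName.substring(dot + 1);
            if (candidate.matches("[A-Za-z0-9]{1,8}")) {
                ext = "." + candidate.toLowerCase();
            }
        }
        return UUID.randomUUID() + ext;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] keyBytes = new byte[16];
        RANDOM.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");

        // Constructed sample input.
        byte[] msg = "constructed sample attachment body".getBytes(StandardCharsets.UTF_8);
        byte[] first = encrypt(key, msg);
        byte[] second = encrypt(key, msg);
        // With a fixed all-zero IV these two would be identical; with a random IV they differ.
        System.out.println("same plaintext, different ciphertext: " + !Arrays.equals(first, second));
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, first)));
        // Constructed hostile name: the result contains no path components from the input.
        System.out.println(generatedAttachmentName("../../etc/passwd.pdf"));
    }
}
```

Running the class twice on the same plaintext shows why the all-zero IV was flagged: identical inputs produce identical ciphertext, which leaks equality of attachments across requests. CBC mode as used here provides confidentiality only; if the stored file can be tampered with before it is read back, an authenticated mode (AES/GCM via GCMParameterSpec) or a separate MAC over IV and ciphertext is the safer choice, and that is a design decision the thread does not settle.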