AMM-1168 #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking β€œSign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Apr 7, 2025
4 changes: 4 additions & 0 deletions src/main/java/com/iemr/mmu/service/anc/ANCServiceImpl.java
@@ -121,6 +121,10 @@ public void setCommonBenStatusFlowServiceImpl(CommonBenStatusFlowServiceImpl com
this.commonBenStatusFlowServiceImpl = commonBenStatusFlowServiceImpl;
}
*/
@Autowired
public void setTeleConsultationServiceImpl(TeleConsultationServiceImpl teleConsultationServiceImpl) {
this.teleConsultationServiceImpl = teleConsultationServiceImpl;
}
@Autowired
public void setANCDoctorServiceImpl(ANCDoctorServiceImpl ancDoctorServiceImpl) {
this.ancDoctorServiceImpl = ancDoctorServiceImpl;
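Review bot: the new `setTeleConsultationServiceImpl` setter needs a comment explaining why setter injection is used for this one collaborator while the rest of the class keeps its existing style; the commented-out `setCommonBenStatusFlowServiceImpl` block ending at `*/` just above suggests a dependency cycle is being worked around, and the next reader should not have to guess. As a `public` setter it also lets any caller replace the `TeleConsultationServiceImpl` after Spring has wired it; `@Autowired` is honoured on a non-public setter, and `@Lazy` on the injection point is another way to break a cycle, so the collaborator need not be exposed.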
@@ -168,18 +168,18 @@ public List<Map<String, Object>> getMasterDataFromTable(String schema, String ta
if (lastDownloadDate != null) {
if (masterType.equalsIgnoreCase("A")) {
baseQuery += " SELECT " + columnNames + " FROM " + schema + "." + table
+ " WHERE Date(LastModDate) >= ? ";
+ " WHERE LastModDate >= ? ";
resultSetList = jdbcTemplate.queryForList(baseQuery,lastDownloadDate);

}
else if (masterType.equalsIgnoreCase("V")) {
baseQuery += " SELECT " + columnNames + " FROM " + schema + "." + table
+ " WHERE Date(LastModDate) >= ? AND VanID = ? ";
+ " WHERE LastModDate >= ? AND VanID = ? ";
resultSetList = jdbcTemplate.queryForList(baseQuery,lastDownloadDate,vanID);
}
else if (masterType.equalsIgnoreCase("P")) {
baseQuery += " SELECT " + columnNames + " FROM " + schema + "." + table
+ " WHERE Date(LastModDate) >= ? AND ProviderServiceMapID = ? ";
+ " WHERE LastModDate >= ? AND ProviderServiceMapID = ? ";
Comment on lines +171 to +182
💡 Codebase verification

Security improvements needed for medical data handling

Based on the code analysis:

  1. Direct concatenation of schema and table names in SQL queries creates SQL injection vulnerabilities. These parameters should be validated or whitelisted before use.
  2. While logging is implemented using SLF4J throughout the application, the DataSyncRepositoryCentral class needs to add appropriate logging for sensitive operations with proper data sanitization.
  3. No input validation is found for schema and table parameters in the data sync operations.

Recommended actions:

  • Add a whitelist validation for allowed schema and table names
  • Implement parameterized queries instead of string concatenation for schema and table names
  • Add structured logging for sync operations with sanitized data
🔗 Analysis chain

Review security and logging practices for medical data handling

As this code handles sensitive medical records:

  1. Consider adding input validation for schema and table parameters to prevent SQL injection through these parameters
  2. Add error logging with appropriate sanitization of sensitive data
  3. Consider implementing rate limiting for sync operations to prevent DoS
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for input validation patterns in the codebase
rg "validateTableName|validateSchema" --type java

# Check for rate limiting implementations
rg "RateLimiter|@RateLimit" --type java

Length of output: 93


Script:

#!/bin/bash
# Let's check for SQL query construction and validation patterns
rg -A 3 "baseQuery.*=.*SELECT.*FROM" --type java

# Check for any existing security measures or input sanitization
rg -B 2 "jdbcTemplate\.query" --type java

# Look for logging implementations
rg "Logger|LogFactory|getLogger" --type java

Length of output: 25015

resultSetList = jdbcTemplate.queryForList(baseQuery,lastDownloadDate,psmID);
}
} else {
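Review bot: dropping `Date(...)` around `LastModDate` in all three branches (`WHERE LastModDate >= ?`, `... AND VanID = ?`, `... AND ProviderServiceMapID = ?`) changes which rows are returned, not only whether an index can be used: `Date(LastModDate) >= ?` matched every row modified on or after the day of `lastDownloadDate`, while `LastModDate >= ?` compares the full timestamp, so rows modified earlier on that same day are now excluded whenever the bound value carries a time of day, and the first sync after this change can miss rows for clients that stored a date-only watermark. Please confirm that is intended and that `lastDownloadDate` is always a full timestamp. Separately, because `schema`, `table` and `columnNames` are concatenated into `baseQuery`, they cannot be bound with `?` placeholders; the fix is to check them against an allowlist of known sync tables before the string is built, as the analysis comment above recommends.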
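The allowlist approach the analysis comment above recommends, shown as an added example that is not code from this PR or the AMM project: identifiers are validated against an explicit allowlist (the schema, table and column names below are constructed placeholders, and the helper class name is hypothetical), while `LastModDate`, `VanID` and `ProviderServiceMapID` remain bind parameters exactly as in the PR's query. It assumes Java 9+ for `Map.of` and `Set.of`.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical helper, not part of the AMM code base: validates schema, table
 * and column identifiers against an allowlist before they are spliced into the
 * master-data sync query, while values stay as JDBC bind parameters.
 */
public final class MasterDataQueryBuilder {

    // Constructed placeholder allowlist; a real deployment would enumerate the
    // schemas and tables the sync endpoint is actually permitted to read.
    private static final Map<String, Set<String>> ALLOWED_TABLES = Map.of(
            "example_schema", Set.of("m_example_master", "m_other_master"));

    // Identifiers cannot be bound with '?', so even allowlisted names must also
    // be plain identifiers (defence in depth against quoting tricks).
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    private MasterDataQueryBuilder() {
    }

    /** Throws if schema.table is malformed or not on the allowlist. */
    static void requireAllowed(String schema, String table) {
        if (schema == null || table == null
                || !IDENT.matcher(schema).matches() || !IDENT.matcher(table).matches()) {
            throw new IllegalArgumentException("malformed schema or table identifier");
        }
        Set<String> tables = ALLOWED_TABLES.get(schema);
        if (tables == null || !tables.contains(table)) {
            throw new IllegalArgumentException("not an allowlisted sync table: " + schema + "." + table);
        }
    }

    /** Validates a comma-separated column list; a bare "*" is accepted as-is. */
    static String requireColumns(String columnNames) {
        if ("*".equals(columnNames.trim())) {
            return "*";
        }
        StringBuilder cleaned = new StringBuilder();
        for (String raw : columnNames.split(",")) {
            String col = raw.trim();
            if (!IDENT.matcher(col).matches()) {
                throw new IllegalArgumentException("malformed column name: " + col);
            }
            if (cleaned.length() > 0) {
                cleaned.append(", ");
            }
            cleaned.append(col);
        }
        return cleaned.toString();
    }

    /**
     * Builds the same query shape as the PR's A/V/P branches. LastModDate, VanID
     * and ProviderServiceMapID stay '?' placeholders, to be bound by
     * jdbcTemplate.queryForList(sql, args...).
     */
    static String buildQuery(String schema, String table, String columnNames, String masterType) {
        requireAllowed(schema, table);
        StringBuilder sql = new StringBuilder("SELECT ").append(requireColumns(columnNames))
                .append(" FROM ").append(schema).append('.').append(table)
                .append(" WHERE LastModDate >= ?");
        switch (masterType.toUpperCase()) {
            case "A":
                break;
            case "V":
                sql.append(" AND VanID = ?");
                break;
            case "P":
                sql.append(" AND ProviderServiceMapID = ?");
                break;
            default:
                throw new IllegalArgumentException("unknown masterType: " + masterType);
        }
        return sql.toString();
    }

    public static void main(String[] args) {
        // Accepted: allowlisted table, plain column names, van-scoped sync.
        System.out.println(buildQuery("example_schema", "m_example_master",
                "ExampleID, ExampleName, LastModDate", "V"));
        // Rejected: well-formed, but not on the allowlist.
        try {
            buildQuery("example_schema", "t_not_synced", "*", "A");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Rejected: a malformed identifier never reaches string concatenation.
        try {
            buildQuery("example_schema", "m_example_master; x", "*", "A");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the allowlist as data rather than a regex alone matters: the regex only guarantees the name is syntactically an identifier, whereas the allowlist guarantees the sync endpoint can only ever read the tables it was designed to serve.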
@@ -74,11 +74,15 @@ public class TeleConsultationServiceImpl implements TeleConsultationService {
private TCRequestModelRepo tCRequestModelRepo;
@Autowired
private BeneficiaryFlowStatusRepo beneficiaryFlowStatusRepo;
@Autowired
private CommonDoctorServiceImpl commonDoctorServiceImpl;
@Autowired
public void setCommonDoctorServiceImpl(CommonDoctorServiceImpl commonDoctorServiceImpl) {
this.commonDoctorServiceImpl = commonDoctorServiceImpl;
}
@Autowired
private CookieUtil cookieUtil;


public int createTCRequest(TCRequestModel tCRequestModel) {
TCRequestModel tCRequestModelRS = tCRequestModelRepo.save(tCRequestModel);
if (tCRequestModelRS != null && tCRequestModelRS.gettMRequestID() > 0)
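Review bot: `commonDoctorServiceImpl` now has two injection points in this class, the `@Autowired` field at `private CommonDoctorServiceImpl commonDoctorServiceImpl;` and the `@Autowired` setter `setCommonDoctorServiceImpl(...)`. Spring will populate both, which is harmless but redundant and confusing; keep one. If the setter exists to break a dependency cycle with `CommonDoctorServiceImpl`, drop the field annotation and add a comment saying so, and note that the setter's `public` visibility lets any caller replace the collaborator after startup (Spring honours `@Autowired` on non-public setters, so it need not be public).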
2 changes: 1 addition & 1 deletion src/main/resources/application.properties
@@ -48,4 +48,4 @@ logging.path=logs/
logging.file.name=logs/mmu-api.log

spring.main.allow-circular-references=true

spring.main.allow-bean-definition-overriding=true
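Review bot: this swaps `spring.main.allow-circular-references=true` for `spring.main.allow-bean-definition-overriding=true`, which are unrelated settings. Overriding lets a later bean definition silently replace an earlier one with the same name, so a duplicate or misnamed bean, including one contributed by a dependency, can shadow a service without any startup error; the safer fix is to locate the duplicate definition and keep the default `false`. Also, with `allow-circular-references` removed Spring Boot (2.6 and later) rejects circular dependencies whether they are constructor-, field- or setter-injected, so the setters added to `ANCServiceImpl` and `TeleConsultationServiceImpl` do not by themselves resolve a cycle; please confirm the application context starts and describe the cycle being addressed in the PR description.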