Issue Report

Path Traversal Vulnerability in MctConfig.java

Expected behavior

Limitation of a pathname to a restricted directory.

Actual behavior

Lack of limitation of a pathname to a restricted directory.

/java/src/main/java/org/config/MctConfig.java

public MctNpmPackageValidationSupport mctNpmPackageValidationSupport(
FhirContext fhirContext, MctProperties properties) throws IOException {
MctNpmPackageValidationSupport validationSupport = new
MctNpmPackageValidationSupport(fhirContext);
NpmPackage basePackage;
for (Map.Entry<String, MctProperties.ImplementationGuide> igs :
properties.getImplementationGuides().entrySet()) {
if (igs.getValue().getUrl() != null) {
basePackage = NpmPackage.fromUrl(igs.getValue().getUrl());
}

1. CVE-2023-24057 8.1 Improper Limitation of a Pathname to a Restricted Directory ('Path
   Traversal') vulnerability pending CVSS allocation

Issue Report

Backend: Dependency Version Bumping

Expected behavior

Versions are updated to mitigate known vulnerabilities. Let's enable dependabot after this to stay ahead of future dep issues.

Actual behavior

Dependencies
The following packages are out of date and have reported vulnerabilities:

1. maven:ca.uhn.hapi.fhir:org.hl7.fhir.convertors:5.6.68,
   maven:ca.uhn.hapi.fhir:org.hl7.fhir.validation:5.6.68,
   maven:ca.uhn.hapi.fhir:org.hl7.fhir.utilities:5.6.76,
   maven:ca.uhn.hapi.fhir:org.hl7.fhir.r5:5.6.68,
   maven:ca.uhn.hapi.fhir:org.hl7.fhir.r4b:5.6.68
   ○ CVE-2023-24057
   ○ HL7 (Health Level 7) FHIR Core Libraries prior to 5.6.92 allow attackers to
   extract files into arbitrary directories via directory traversal from a crafted ZIP or
   TGZ archive (for a prepackaged terminology cache, NPM package, or
   comparison archive).
2. maven:org.springframework.boot:spring-boot-autoconfigure:2.7.5
   ○ CVE-2023-20883
   ○ In org.springframework.boot:spring-boot-autoconfigure versions through 2.5.14,
   2.6.0 through 2.6.14, 2.7.0 through 2.7.11, and 3.0.0 through 3.0.6 and older
   unsupported versions, there is potential for a denial-of-service (DoS) attack if
   Spring MVC is used together with a reverse proxy cache.
3. maven:org.yaml:snakeyaml:1.30
   ○ Several CVE alerts; Please consider upgrading to version 2.0.
4. maven:org.springframework:spring-webmvc:5.3.23,
   maven:org.springframework:spring-web:5.3.23,
   maven:org.springframework:spring-expression:5.3.23
   ○ There are several CVE alerts for spring framework; Please consider updating to
   version 6.0.9
5. maven:com.fasterxml.woodstox:woodstox-core:6.2.7
   ○ There are several CVE alerts for woodstox; Please consider updating to 6.4.0.
6. maven:net.minidev:json-smart:2.4.7
   ○ CVE-2023-1370
   ○ Json-smart is a performance-focused, JSON processor lib. When reaching a ‘[‘ or
   ‘{‘ character in the JSON input, the code parses an array or an object
   respectively. It was discovered that the code does not have any limit to the
   nesting of such arrays or objects in versions prior to 2.4.9. Since the parsing of
   Java
   nested arrays and objects is done recursively, nesting too many of them can
   cause a stack exhaustion (stack overflow) and crash the software

Issue Report

Missing Route-based access control?

Expected behavior

As concisely as possible, describe the expected behavior.

Actual behavior

src/routes/MainRoutes.js

1. There's no mention of route-based access control here (like restricting certain routes
   based on user roles).

CQF Ruler

• git submodule update --init --recursive
• git clean -fdx
• ./mvnw package
• java -jar server/target/cqf-ruler-server-*.war

MCT Backend (mct/java)

• mvn package
• mvn spring-boot:run
• May need to brew install maven

MCT Frontend (mct/frontend)

• yarn install
• yarn start
• May need to brew install yarn

Navigate to localhost:3000 in browser, which should display the MCT landing page

Issue Report

Missing Security Headers?

Expected behavior

Security Headers are typically present in production-quality projects (acknowledging this is a proof-of-concept.)

Actual behavior

public/index.html

When running the app, there are several security headers that are missing during
development. Do not know if they have been added to the app, or if it even matters, in
production

Issue Report

lodash dependency swap?

Question/Suggestion

/Package.json

lodash has had multiple vulnerabilities in the past and it may be worth considering limiting
importing to necessary libraries or taking advantage of the latest ECMA standard, which should,
theoretically, increase performance.

Issue Report

.env committed to repo

Expected behavior

Committing the .env file increases chances of credentials or other sensitive info being leaked. Using an .example.env or other placeholder file instead can help reduce risk.

Actual behavior

.env

1. The .env file was checked into the repository. This increases the chances of credentials
   getting accidentally added into the repository. Perhaps renaming to .example.env can
   alleviate some of the concerns?

Issue Report

Hardcoded values in the initialState object:date: 'q1'.

Expected behavior

Hardcoded values can have unexpected consequences and make the code less reusable, so, we expect not to use them.

Actual behavior

src/store/reducers/filter.js

1. Hardcoded values in the initialState object:date: 'q1'.

Zulip - https://chat.fhir.org/#narrow/stream/401023-mct

Issue Report

Missing 404 and other Error Pages?

Expected behavior

Having a default 404 page at a minimum, other pages for other HTTP codes desirable.

Actual behavior

There is no default 404 error page, or any other error pages.

Issue Report

Front-end: Examine Select-all Behavior in FacilitiesMultiSelect.js

Expected behavior

Behavior could be as expected, but worth examining for possible performance improvements.

Actual behavior

src/components/FacilitiesMultiSelect.js

1. Inside the useEffect, you are checking the length of facilities against the length of
   selected facilities to determine if "Select All" should be on or off. In this case, the
   selectedFacilities dependency could potentially cause frequent re-renders.

2. The code block: selectedFacilities.indexOf(id) > -1 inside the map function
   can be performance-intensive if there are many facilities since indexOf would be O(n).

3. The "Select All" option toggles the state, which means if all facilities are already selected
   and a user clicks "Select All" again, it will deselect all. If this is the desired behavior, it's
   okay. If not, you might want to address it.

Issue Report

Bellese Code Review of MCT Repo (9-1-23).pdf

Expected behavior

Our friends over at Bellese have conducted another code review of the MCT codebase, and identified a few issues that they would like the project to address.

Attached is that review above for future reference.

As I see it, highest priority should be resolved pre-release, lower priority can be resolved post-release. If y'all think these priorities should be shifted, please comment here with updated lists.

Highest Priority:

• #32
• #43
• #36
• #40

Lower Priority:

• Google Fonts Dependency (unticketed)
• #41
• #33
• #34
• #35
• #37
• #38
• #39

Issue Report

DOCKERFILE Improvements

Expected behavior

Running as a non-root user helps to avoid security risks; Using Security Headers is a good best practice.

Actual behavior

DOCKERFILE

The Dockerfile is structured in a multi-stage build format which is good for optimizing the
final image size. I'll walk you through each part of the Dockerfile and point out any concerns or
recommendations:

1. Builder Stage (Node.js Build Phase):

• FROM node:18.12.1-alpine as builder: You're using a specific version of Node.js
  with Alpine, which is a lightweight distro. This is a good practice as it minimizes
  the image size and reduces potential attack surfaces.

• COPY package.json yarn.lock ./: Good! You're copying only the necessary files
  for the yarn install command. This takes advantage of Docker's caching
  mechanism and ensures faster builds if no dependencies change.

• Recommendations: Consider using a non-root user even in the builder stage. Running as a non-root
  user is a security best practice.

2. Production Environment (Nginx Server):

• It would be beneficial to use a non-root user to run the Nginx process. By default,
  Nginx will run as root, which is not recommended in a container environment.
• Consider adding security headers in your Nginx configuration for added security.
  Examples include: Strict-Transport-Security, Content-Security-Policy,
  X-Content-Type-Options, X-Frame-Options, etc

I am able to navigate to the CQF MCT site on my localhost and click through all the different options (single vs multi facility, facility name, date range, etc.). However, after selecting all of those options, clicking get report takes me to a blank screen that does not populate with any information. Any help would be appreciated. Thanks!

Issue Report

Unvalidated/Unsanitized user input in src/store/reducers/data.js

Expected behavior

User input should be validated and sanitized to prevent potential security issues.

Actual behavior

src/store/reducers/data.js

1. Data fetching functions, like in /store/reducers/data.js, use template literals for
   URLs. If any of the values (e.g., organizationId) come directly from user input, it can
   lead to security issues. Even though the risk in your code isn't evident, always validate
   and sanitize user input before use.