Cannot persist session in openmrs nightly image (has new log4j)

I would like to use the Docker image based on the latest GitHub commit from the reference-app repo as it contains fixes for log4shell. The image in Docker is openmrs/openmrs-reference-application-distro:nightly and seems to have these changes

However, there seems to be a regression. I can no longer persist connections. When I spin up a webserver using the nightly image and run the Python code in [1], the first post request works, but the second fails with:

The origin server did not find a current representation for the target resource or is not willing to disclose that one exists

Looking at the webserver logs, I see this:

ERROR - Log.execute(73) |2021-12-23T01:17:13,983| potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.1, method:POST, uri:/openmrs/ws/fhir2/R4/Patient, error:The token should exist in the storage at this point)
WARN - CsrfGuardFilter.logInvalidRequest(136) |2021-12-23T01:17:13,983| Invalid request: URI: '/openmrs/ws/fhir2/R4/Patient' | Remote Address: '192.168.8.1'

I do not know why this is getting triggered. When I spin up a docker image using openmrs/openmrs-reference-application-distro:latest, which does not have the latest changes to remove log4shell, the Python code is able to execute both POST requests.

Can someone let me know what changed to cause this to happen, and how to adjust my code to handle the change? I want to keep using Session to persist the connection.

[1]

import requests

# One Session so that the cookies (and the keep-alive connection) from the first
# request are reused by the second one.
s = requests.Session()
s.auth = ('admin', 'Admin123')
s.headers.update({'Content-Type': 'application/fhir+json;charset=utf-8'})

# Same FHIR Patient resource is posted twice; the second POST is the one that fails.
patient_json = r"""{"resourceType":"Patient","id":"60f096dd-5190-8937-ba0b-a7482b386572","meta":{"profile":["http://hl7.org/fhir/us/core/StructureDefinition/us-core-patient"]},"identifier":[{"extension":[{"url":"http://fhir.openmrs.org/ext/patient/identifier#location","valueReference":{"reference":"Location/8d6c993e-c2cc-11de-8d13-0010c6dffd0f","type":"Location","display":"Unknown Location"}}],"use":"official","type":{"text":"OpenMRS ID"},"value":"60609644519089372102174822386572C","id":"60f096dd-5190-8937-ba0b-a7482b386572"}],"name":[{"use":"official","family":"Shanahan202","given":["Alberta625"],"prefix":["Mrs."],"id":"8b0949cc-68ef-422f-bc44-dec01d8fb1b7"},{"use":"maiden","family":"Rowe323","given":["Alberta625"],"prefix":["Mrs."],"id":"5c616fe2-6b86-4849-b6a0-d0f1aebd8c7f"}],"telecom":[{"system":"phone","value":"555-504-2136","use":"home","id":"a3479539-688a-4248-bfc3-8a677ff5fb67"}],"gender":"female","birthDate":"1987-01-23","address":[{"extension":[{"url":"http://hl7.org/fhir/StructureDefinition/geolocation","extension":[{"url":"latitude","valueDecimal":41.73063225482089},{"url":"longitude","valueDecimal":-71.14304250280718}]}],"line":["1092 Wilderman Esplanade"],"city":"Fall River","state":"MA","postalCode":"02721","country":"US","id":"e07c0f87-71cb-4aae-aae3-ab325958ffea"}],"maritalStatus":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v3-MaritalStatus","code":"M","display":"M"}],"text":"M"},"communication":[{"language":{"coding":[{"system":"urn:ietf:bcp:47","code":"en-US","display":"English"}],"text":"English"},"id":"94052e8a-31c1-45ec-9c5c-517b71e4718d"}]}"""

# First POST succeeds on the nightly image.
response_ = s.post("http://localhost:8099/openmrs/ws/fhir2/R4/Patient", data=patient_json)
print(response_.content)

# Second POST on the same Session is rejected by the CSRF guard on the nightly image.
response_ = s.post("http://localhost:8099/openmrs/ws/fhir2/R4/Patient", data=patient_json)
print(response_.content)
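As an added example (not code from this thread or from OpenMRS), here is a small Python parser for the CSRFGuard "attack thwarted" lines quoted above; it groups rejections by client IP, endpoint and error, and lists clients whose rejected requests all target the /openmrs/ws/ API path, which is a useful first triage step for telling a scripted client without token handling from browser traffic. The sample log text is constructed from the two quoted lines plus one extra entry with made-up user, IP and URI values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: first two lines mirror the quoted nightly-image log, the
# third uses made-up user/ip/uri values to show a non-API rejection.
SAMPLE_LOG = """\
ERROR - Log.execute(73) |2021-12-23T01:17:13,983| potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.1, method:POST, uri:/openmrs/ws/fhir2/R4/Patient, error:The token should exist in the storage at this point)
WARN - CsrfGuardFilter.logInvalidRequest(136) |2021-12-23T01:17:13,983| Invalid request: URI: '/openmrs/ws/fhir2/R4/Patient' | Remote Address: '192.168.8.1'
ERROR - Log.execute(73) |2021-12-23T01:17:20,500| potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.1, method:POST, uri:/openmrs/ws/fhir2/R4/Patient, error:The token should exist in the storage at this point)
ERROR - Log.execute(73) |2021-12-23T01:18:02,117| potential cross-site request forgery (CSRF) attack thwarted (user:exampleuser, ip:10.0.0.7, method:POST, uri:/openmrs/example.form, error:The token should exist in the storage at this point)
"""

# Matches the ERROR line format; the error text is last, so it may contain spaces.
THWARTED = re.compile(
    r"^ERROR - Log\.execute\(\d+\) \|(?P<ts>[^|]+)\| potential cross-site request forgery "
    r"\(CSRF\) attack thwarted \(user:(?P<user>[^,]+), ip:(?P<ip>[^,]+), "
    r"method:(?P<method>[^,]+), uri:(?P<uri>[^,]+), error:(?P<error>.*)\)$"
)


@dataclass(frozen=True)
class CsrfRejection:
    ts: str
    user: str
    ip: str
    method: str
    uri: str
    error: str


def parse_rejections(log_text: str) -> list:
    """Extract the structured fields from every CSRFGuard rejection line."""
    return [CsrfRejection(**m.groupdict())
            for m in (THWARTED.match(line) for line in log_text.splitlines()) if m]


def summarize(rejections) -> dict:
    """Count rejections per (ip, uri, error) so one client repeatedly failing on one endpoint stands out."""
    return dict(Counter((r.ip, r.uri, r.error) for r in rejections))


def api_only_clients(rejections, api_prefix="/openmrs/ws/") -> list:
    """IPs whose rejected requests all hit the web-service path: likely an integration, not a browser."""
    uris_by_ip = {}
    for r in rejections:
        uris_by_ip.setdefault(r.ip, []).append(r.uri)
    return sorted(ip for ip, uris in uris_by_ip.items() if all(u.startswith(api_prefix) for u in uris))
```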

I have just made some changes to it. Can you try again?

Hey Daniel - it still does not work unfortunately :slightly_frowning_face:

The error I get now from the Python client is different:

Invalid or Missing CSRF Token. Try Going Back and Refresh the page after clearing the browser cache

and on the webserver side, the log is still:

potential cross-site request forgery (CSRF) attack thwarted 
(user:<anonymous>, ip:192.168.8.1, method:POST, 
uri:/openmrs/ws/fhir2/R4/Patient, 
error:The token should exist in the storage at this point)

Are you sure that you are using the latest?

Ah, you are right, I was not. I used the latest nightly image now and it works.

However, I noticed the openmrs version running on the nightly image is 2.4.3 (not 2.6.0-SNAPSHOT), which IIUC, does not have the patch to fix log4shell.

I would like to use an image that has the log4j fix as well as the ability to persist connections.

Did some digging around, and 2.4.3 does have the log4j fix:

Sorry for not seeing that earlier!