GSoC 2021 - Improving OpenMRS Security - Final Presentation

Project Summary Template

Overview

The aim of the project is to improve and fix security issues in various OpenMRS modules. Security plays a pivotal role in protecting users against unintended security breaches and attacks. A polyglot web application like OpenMRS has multiple modules written by multiple developers, and the OpenMRS security team has identified potential security issues. Thus it is paramount to ensure that the identified security issues among the various modules are fixed in a timely manner. I could successfully patch around 12 XSS vulnerabilities. Additionally, I implemented safe exception handling for 1-2 HTTP 500 errors.

Objectives of the Project

(First Priority) Patch critical XSS vulnerabilities → Patched 10-12 XSS vulnerabilities

(Second priority) Implement authorization checks where they are lacking

(Third priority) Implement safe exception handling for HTTP 500 errors → Handled and fixed 1-2 HTTP 500 errors

Contributions

The links below contain all the GitHub PRs containing the implemented code as well as relevant screenshots describing the fixes. Almost all of them have been merged on GitHub, apart from 1-2 PRs that are complex and tricky to address.

  1. Fixed EMPT51 by Parth59 · Pull Request #163 · openmrs/openmrs-module-legacyui · GitHub
  2. Made changes to Fix EMPT 61 and EMPT171 :- Try 2 by Parth59 · Pull Request #91 · openmrs/openmrs-module-uicommons · GitHub
  3. Updated message.properties by Parth59 · Pull Request #1 · Parth59/openmrs-core · GitHub
  4. Added error message in messages.properties by Parth59 · Pull Request #3796 · openmrs/openmrs-core · GitHub
  5. Made changes to remove XSS in displayValue param by Parth59 · Pull Request #114 · openmrs/openmrs-module-registrationapp · GitHub
  6. Added error handling for EMPT155 by Parth59 · Pull Request #63 · openmrs/openmrs-module-metadatasharing · GitHub
  7. C:out changes to manageReportDesigns.jsp for xss by Parth59 · Pull Request #215 · openmrs/openmrs-module-reporting · GitHub
  8. Made changes to fix EMPT107 by Parth59 · Pull Request #165 · openmrs/openmrs-module-legacyui · GitHub
  9. Made chanes to fix EMPT80 by Parth59 · Pull Request #166 · openmrs/openmrs-module-legacyui · GitHub
  10. Made changes to fix EMPT82 by Parth59 · Pull Request #27 · openmrs/openmrs-module-appointmentschedulingui · GitHub
  11. Added angular sanitize library from uicommons for EMPT84 by Parth59 · Pull Request #1 · openmrs/openmrs-module-conditionui · GitHub
  12. Added angular sanitize from uicommons for EMPT84 by Parth59 · Pull Request #424 · openmrs/openmrs-module-coreapps · GitHub
  13. Added changes to roleList.jsp by Parth59 · Pull Request #167 · openmrs/openmrs-module-legacyui · GitHub
  14. Made changes to fix EMPT176 by Parth59 · Pull Request #168 · openmrs/openmrs-module-legacyui · GitHub

Talk Thread links

Here is my OpenMRS Talk link

Weekly Blog Posts

List all of your past weekly blog posts.

  1. GSOC Week1 - parthk - Medium

  2. GSOC Week 2. This week focused on learning some… | by parthk | Medium

  3. Week 3. This week focused on implementing… | by parthk | Medium

  4. Gsoc Week 4 - parthk - Medium

  5. GSOC Week 5 - parthk - Medium

  6. GSOC Week 6 - parthk - Medium

  7. Week 7 - parthk - Medium

  8. GSOC Week 8 - parthk - Medium

Resources

Additional links to other key resources and documentation.

  1. GSoC 2021: Patch Security Vulnerabilities Identified by NCSU - Projects - OpenMRS Wiki
  2. https://docs.google.com/spreadsheets/d/187CN4SCySzrsC98-Q8IbtmqMWRtj6WGk9uzL32Js1Qc/edit#gid=0 [Need to obtain permissions for the same]

Future Works

Whenever new security loopholes are discovered, they are discussed on Jira and possibly documented in the above Google Sheet. Thus, the newer security issues and the pending tasks on the Google Sheet are something that can be implemented in the future.

Thoughts on GSoC

It was an amazing experience working as a student in Google Summer of Code. The kind of learning that I gained during these 2.5 months is something that I will cherish. My overall experience was great fun and stress-free. I had a blast! I have all praise for the OpenMRS community and especially my mentors @isears and @sharif. Isaac and Sharif helped me whenever there were any blockers, and if I had any problem in understanding the codebase or structure, they have always been there to help. Many thanks to my teammates @jnsereko and @katebelson, who made this project lively; I truly enjoyed working with them. During these 2.5 months I have gained interest in the open source tech stack and I would love to contribute in the future as well. I must mention my deep sense of appreciation for the OpenMRS community, for being quite supportive throughout this time. I am really thankful to Google for providing such an amazing platform and wonderful opportunity.


Well done @parth59, on the tremendous work, and thanks a lot to @isears


Please find attached the links for the video:

  1. Part 1 - YouTube
  2. Part 2 - YouTube