GSoC @ OpenMRS 2021: Security Issues Project Final Evaluation

· Project Title: Security Issues

· Primary mentor: Isaac Sears @isears

· Backup mentor: Sharif Magembe @sharif

· Student: Kate Belson @katebelson

· Project Link: GSoC 2021: Patch Security Issues

Overview

For Google Summer of Code 2021 at OpenMRS, I worked on the Security Issues project. My team had two mentors (@isears and @sharif) and three students (myself (Kate Belson), @parth, and Nsereko Joshua). The project involved patching security issues such as XSS vulnerabilities, HTTP 500 errors, and insufficient password requirements. These vulnerabilities are exceptionally important to fix, especially in a system such as OpenMRS that handles personal and medical information.

Prior to GSoC, I had no experience with Open Source Projects, Git, or patching security vulnerabilities, and my teammates had much more practice than me. Working with OpenMRS was a challenge I was really looking forward to. My first obstacle was learning how to set up and use an SDK (while at the same time finishing my first year university exams) — with some excellent help from @isears I got this up and running using technologies such as Maven and Docker which were also new to me.

I then had to learn how to use Git — through research via YouTube videos and GitHub documentation I practiced my skills before finding the code on GitHub I needed to start working on the OpenMRS XSS vulnerability I had been assigned. I later had to find out how to submit a pull request (PR). This has been very helpful as I know that Git will be an integral part of my further studies, and work in the future.

Once I had the code, I attempted to use Maven’s watch command to check my edits, only to discover that my newly updated Maven version did not support the RubyGems dependency in the code. I spent some time fixing this error and submitting my first ever PR, which was committed into the code. I then worked on another RubyGems error which was not so successful (read more about this later in the project summary).

Once this issue had been fixed and I could use the watch command correctly, I started work on patching the XSS vulnerability I had been assigned. I did a week’s research on XSS attacks and how they could be prevented before getting to work, finding what I thought was a fix. It was only after I submitted the PR that I realised even though my code stopped the XSS attack, it also stopped half the page’s functionality! I kept this aside to work on later.

I next got to work with my teammate @parth to fix two other XSS vulnerabilities with very similar patches. I appreciated @parth’s expertise and experience, learning another way in which to protect against cross-site scripting. The PR for these vulnerabilities was successfully merged.

For the next week, I had a look at another XSS issue only to find it had already been fixed! I updated the vulnerability list and moved on to find another issue to work on. I decided to look at the minimum user password length: currently it is 8 characters, but it would be much more secure if it were 12. I found the point in the code where the password length was declared, but after speaking to my mentor I decided not to change this; instead, I started to look into how to set the password requirements using RegEx, and into creating a Talk post to tell others how to do the same. I am still working on this after researching RegEx and how to do this. Hopefully I will have it finished before I go back to university in September.

Finally, to finish GSoC I returned to my first XSS patch to try to work out how to fix the limited functionality. This is also something I am still working on and am aiming to fix as soon as possible.

Objectives

GSoC Objectives:

1. Patch XSS Vulnerabilities — COMPLETED (worked on 3 patches)

2. Implement Authorisation Checks — INCOMPLETE (but something I’m keen to work on after GSoC)

3. Handle HTTP 500 Errors — INCOMPLETE (but something I’m keen to work on after GSoC)

4. Look at Other Security Issues — COMPLETED (worked on RubyGems dependency issues and password security issues)

Personal Objectives:

1. Learn how to use Git and GitHub — COMPLETED

2. Learn how to use a Java SDK — COMPLETED

3. Gain experience on an Open Source Project — COMPLETED

4. Learn how to patch XSS vulnerabilities — COMPLETED

5. Work with a team member on a PR — COMPLETED

Contributions

Repositories

· OpenMRS-Core

· AdminUI

· LegacyUI

· AppointmentSchedulingUI

· RegistrationApp

Pull Requests

· Changing rubygems link to work with later Maven versions (AppointmentSchedulingUI)

· Changing rubygems link to work with later Maven versions (RegistrationApp)

· Fixing 2 XSS bugs (LegacyUI)

· Fixing an XSS bug (AppointmentSchedulingUI)

Video Overview

Click here.

Found Issues

· RubyGems dependency error found in appointmentschedulingui after a Maven update: Maven would not run the watch command because the RubyGems dependency link used was no longer supported.

· The RubyGems dependency discovery mentioned above helped to find the same error in the registrationapp module. The PR for this was closed based on an OpenMRS Talk conversation (see Talk thread links below).

Fixed Issues

· RubyGems dependency error in appointmentschedulingui, fixed by changing the dependency link from http://rubygems-proxy.torquebox.org/releases to https://rubygems-proxy.torquebox.org/releases/url, so it became compatible with recent Maven versions.

· Worked with a teammate @parth to patch two XSS vulnerabilities in legacyui by changing the htmlEscape variable from “false” to “true”.

· Went to work on an XSS vulnerability when registering a patient and adding JavaScript as the patient’s relation’s name, but I discovered that this had already been patched and I could not recreate it, so I marked it as patched in the documentation.
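As an added illustration of the legacyui fix above (turning htmlEscape on), and not code from OpenMRS or from this project: the plain JavaScript escape function from the Stack Overflow "Encode HTML entities in JavaScript" answer listed under Resources, applied to a constructed patient-name value. The `renderNameField` helper, the `givenName` field and the sample value are assumptions for the example; `countOpeningTags` is a small check that shows whether the stored value was interpreted as markup.

```javascript
// Added example, not OpenMRS code: the effect of an htmlEscape switch, in plain JavaScript.

// Minimal entity map: these five characters are enough to keep user data from
// breaking out of an HTML text node or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders a form field from a stored value. htmlEscape=false inserts the value
// verbatim (the configuration the legacyui fix removed); htmlEscape=true encodes it.
// The field name and the tag shape are assumptions for this example.
function renderNameField(storedValue, { htmlEscape }) {
  const value = htmlEscape ? escapeHtml(storedValue) : storedValue;
  return `<input type="text" name="givenName" value="${value}">`;
}

// Constructed sample value: a name that closes the attribute and adds a script tag.
const SAMPLE_NAME = 'Alice"><script>alert(1)</script>';

// Check helper: the rendered field should contain exactly one opening tag.
// Anything more means the stored value was interpreted as markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Render the same stored value both ways and report the tag counts.
function compare(storedValue = SAMPLE_NAME) {
  const unsafe = renderNameField(storedValue, { htmlEscape: false });
  const safe = renderNameField(storedValue, { htmlEscape: true });
  return {
    unsafe,
    safe,
    unsafeTagCount: countOpeningTags(unsafe), // 2: the input and the injected script
    safeTagCount: countOpeningTags(safe),     // 1: only the input
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compare());
}
```

The point of the comparison is that the escaped rendering still shows the full stored text to the user; only its meaning to the browser changes, which is why turning htmlEscape on does not lose data the way a filter that strips characters would.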

Continuing Issues

· Fixing an XSS vulnerability in appointmentschedulingui — the initial fix I tried stopped some of the page functionality, so I am still working on this issue.

· Working on changing the user password minimum length from 8 characters to 12. I started this recently, so it is still ongoing.
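An added example of the password-requirements idea above, not the project's code and not the Talk post referred to earlier: a 12-character minimum plus character-class rules expressed as RegEx in JavaScript, in the style of the Stack Overflow regex listed under Resources, together with a cross-check that the list of small rules and a single lookahead RegEx agree. The rule names, the username rule and the sample passwords are my own constructions.

```javascript
// Added example, not OpenMRS code: password rules as RegEx, with a 12-character minimum.

// Each rule is a small RegEx; keeping them separate lets the UI report which one failed.
const PASSWORD_RULES = [
  { name: "min_length_12", pattern: /^.{12,}$/ },
  { name: "lowercase", pattern: /[a-z]/ },
  { name: "uppercase", pattern: /[A-Z]/ },
  { name: "digit", pattern: /[0-9]/ },
  { name: "special", pattern: /[^A-Za-z0-9]/ },
];

// The same policy as one lookahead RegEx, the shape used in the Stack Overflow
// answer listed under Resources, with 12 in place of 8.
const SINGLE_PATTERN = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{12,}$/;

function validatePassword(password) {
  const failed = PASSWORD_RULES
    .filter((rule) => !rule.pattern.test(password))
    .map((rule) => rule.name);
  return { valid: failed.length === 0, failed };
}

// Assumed extra rule for this example: the password must not contain the username.
function validateForUser(password, username) {
  const result = validatePassword(password);
  if (username && password.toLowerCase().includes(username.toLowerCase())) {
    result.failed.push("contains_username");
    result.valid = false;
  }
  return result;
}

// Constructed samples covering each way a password can fail, plus one that passes.
const SAMPLES = [
  "",
  "short1A!",
  "alllowercase1234",
  "NoDigitsHere!!!!",
  "Tr0ub4dor&3x!",
];

// Cross-check: the rule list and the single RegEx must accept and reject the same inputs.
function singlePatternAgrees(samples = SAMPLES) {
  return samples.every((p) => SINGLE_PATTERN.test(p) === validatePassword(p).valid);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of SAMPLES) {
    console.log(JSON.stringify(p), validatePassword(p));
  }
  console.log("single pattern agrees:", singlePatternAgrees());
}
```

The separate-rules form is the one worth shipping: it gives the user a specific reason ("at least one digit") instead of a bare "invalid password", and adding or tightening a rule later (a longer minimum, say) is a one-line change that the cross-check against the single RegEx keeps honest.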

Talk Thread links

· RubyGems dependency in registrationapp

· My personal Talk page

Weekly Blog Posts

Community Bonding Period

Week 1

Week 2

Week 3

Week 4

Week 5

Week 6

Week 7

Week 8

Week 9

Week 10

Final Report

Resources

General:

· OpenMRS Vulnerability Tracker — Google Sheets

Setting up the SDK:

· Troubleshooting Docker client errors on Windows — Visual Studio (Windows) | Microsoft Docs

· SDKs | IntelliJ IDEA (jetbrains.com)

· Why the SDK can not find this plugin — Development — OpenMRS Talk

Git and GitHub:

· Creating a pull request — GitHub Docs

XSS Attacks:

· openmrs-module-uiframework/UiUtils.java at b305971022c9ab0ce2f10b2434aefbd7b70fe462 · openmrs/openmrs-module-uiframework (github.com)

· Encoder — OWASP Java Encoder

· Encode HTML entities in JavaScript — Stack Overflow

RubyGems Dependencies:

· TorqueBox RubyGems Maven Proxy Repository

· TorqueBox Alternatives — Ruby Web Servers | LibHunt

Password Length:

· javascript — Regex for password must contain at least eight characters, at least one number and both lower and uppercase letters and special characters — Stack Overflow

· How a Regex Engine Works Internally (regular-expressions.info)

Future Works

In the future I am planning on continuing to contribute to OpenMRS, as I have really enjoyed my experience. Currently I still have two continuing issues that I am working on (as mentioned above), and after completing these I would like to look at further XSS vulnerabilities and how these can be fixed. I am also keen to start research into HTTP 500 errors and how these can be fixed, as well as working with more people in the OpenMRS community. There are new security issues found constantly and I would like to keep up with their progress and to continue helping OpenMRS be as secure as possible.

Thoughts on GSoC

I have loved working for OpenMRS during my time as a Google Summer of Code student. The experience of working on an Open Source Project has been very valuable to me and using Git and GitHub to submit code is a skill I will definitely be using throughout my career. I have been inspired to keep researching cyber security and the career options it may lead to, and the skills I have developed, like understanding and being able to patch XSS vulnerabilities.

I found Google Summer of Code very challenging, as it was nothing like anything I’ve ever done before. It has been a steep learning curve for me, but I appreciate the patience of my mentors and the rewarding feeling of knowing I have contributed to a global project such as OpenMRS.

Thank you to my teammates Parth and Joshua, I have really enjoyed working with you, and a massive thank you to my mentors Sharif and particularly Isaac for your support, help, and encouragement.

I am thankful to be part of the OpenMRS community and look forward to continuing this in the future.

BSc Computer Science Student at University of Exeter. Participating in Google Summer of Code for OpenMRS.