Potential fix for code scanning alert no. 113: Log entries created from user input#261
Open
aurelianware wants to merge 1049 commits into
Open
Potential fix for code scanning alert no. 113: Log entries created from user input#261aurelianware wants to merge 1049 commits into
aurelianware wants to merge 1049 commits into
Conversation
…ON.parse DoS Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
- Add Access-Control-Max-Age header to eligibility-service for consistency - Document CORS wildcard + credentials limitation in both services - Change wildcard CORS to echo origin (instead of '*') for credential compatibility - Add Vary: Origin header for proper caching behavior Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
…ng-warnings Fix code scanning security vulnerabilities (17+ alerts)
…olled format string Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
…service Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Fix format string injection vulnerabilities in error logging
Potential fix for code scanning alert no. 17: Use of externally-controlled format string
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
Potential fix for code scanning alert no. 11: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
… demographics Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
… gender, and cityIndex Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Potential fix for code scanning alert no. 14: Insecure randomness
…domInt for PHI security Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Replace remaining Math.random() with secureRandomInt in patient demographics
… phone, address, maritalStatus) Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
Extend secure randomness to all PHI fields in patient generator
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
Potential fix for code scanning alert no. 12: Workflow does not contain permissions
…anization, contact, billing, and contract tracking
…nsurance, benefits library, and exclusions management
… usage stats and benefit plan assignment capability
… Pipeline - README.md: Add Provider UI and 837 pipeline to core capabilities - FEATURES.md: Add Provider Network Management section (13 providers, 6-tab details) - FEATURES.md: Add 837 Claims section (Argo Workflows + Kafka pipeline) - ARCHITECTURE.md: Update microservices count to 10, add 6 utility containers - DEPLOYMENT.md: Add Container Image Build & Deployment section (18 images)
Comprehensive assessment covering: - Technical infrastructure: 75% complete (strong foundation) - Business readiness: 25% complete (missing critical components) - 8-12 week staged rollout plan (Beta → Limited GA → Full GA) - Critical gaps: tenant management, billing, legal docs, portal integration - Recommended MVS: 4 sprints to first paying customer - Budget estimate: -75k over 12 weeks, ~3.6 FTE - Success metrics: 3 beta customers by week 4, k MRR by week 8 Priority 1 next steps: Stripe setup, BAA template, tenant management API
New microservice for multi-tenant SaaS management: Tenant Management: - CRUD operations for health plan tenants - Automatic tenant ID generation (e.g., blueshield-ca-a1b2c3d4) - Status management (pending, active, suspended, terminated) - Multi-tier support (Starter, Professional, Enterprise) - Configuration management (modules, clearinghouse settings) API Key Management: - Cryptographically secure key generation (cho_xxxx...) - SHA256 hashing (never store plain-text) - Scoped permissions (claims:read, claims:write) - Expiration support and revocation - Last used tracking Usage Tracking: - Monthly metrics (claims, prior auths, eligibility, API calls) - Automatic monthly reset - Storage tracking (GB) - Tier limit enforcement ready Stripe Billing Integration: - Customer creation in Stripe - Subscription managemen New microservice for multi-tenant SaaS management: Tenant Management: - CRUD operations for health plan tenants - Automatic tenant ID generation (e.g., blueshield-ca-a1b2c3d4) - Status managemets Tenant Management: - CRUD operations for health eme- CRUD operationsan- Automatic tenant ID generation (e.g., g - Status management (pending, active, suspended, terminated) - -- Multi-tier support (Starter, Professional, Enterprise) - .n- Configuration management (modules, clearinghouse settym API Key Management: - Cryptographically secure key generatock- Cryptographicallau- SHA256 hashing (never store plain-text) - Scoped perct- Scoped permissions (claims:read, claimxt- Expiration support and revocation - Last usedflow
…ouse, Portals, Analytics, Mobile
- X12 834 parser (Node.js) for benefit enrollment EDI files - Enrollment import service (.NET 8) with Cosmos DB integration - Argo CronWorkflow for automated SFTP processing - Kubernetes deployment with HPA (2-10 replicas) - Sample 834 test file and comprehensive documentation Handles member additions, changes, and terminations with multi-tenant isolation.
- Add validation for test-x12-834-enrollment-sample.edi - Add microservices structure validation (enrollment-import-service) - Add Node.js container validation (x12-834-parser) - Add Argo Workflow validation (x12-834-enrollment-import.yaml) - Update test summary to reflect new validations
- Add 834 transaction type definition - Accept 'BE' functional identifier for enrollment (in addition to 'HI' for claims) - Update parameter validation to include 834 - Update documentation to reflect 834 support Fixes smoke test failures when validating test-x12-834-enrollment-sample.edi
- Add exclusions for code comments about validation (exists, verify, validate, check, ensure) - Allow internal Kubernetes cluster URLs (svc.cluster.local, localhost) for UnencryptedPHI check - These are not actual PHI exposures - just metadata and internal service communication Resolves false positive smoke test failures in security scan.
- Add WebSocket support to portal ingress (proxy upgrade headers) - Enable sticky sessions with cookie-based affinity (required for Blazor Server with multiple replicas) - Add nginx ConfigMap with WebSocket upgrade header mapping - Increase session affinity timeout to 3 hours for long-running Blazor sessions - Configure proxy buffers for SignalR message handling Fixes WebSocket connection failures: 'No Connection with that ID' 404 errors
WebSocket support is still enabled via: - websocket-services annotation - proxy-http-version 1.1 - nginx ConfigMap with upgrade header mapping
…om user input Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
…bbing-service/azure/storage-blob-12.30.0
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…vices/claims-scrubbing-service/azure/storage-blob-12.30.0 Bump @azure/storage-blob from 12.29.1 to 12.30.0 in /services/claims-scrubbing-service
…om user input Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: aurelianware <markus@aurelianware.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Mitigates code-scanning finding #113 (log-forging via user-controlled input) by sanitizing request-derived values before writing them to structured logs in the enrollment import API.
Changes:
- Sanitize
tenantIdfromX-Tenant-IDheader to strip\r/\n, and propagate the sanitized value downstream. - Sanitize
enrollment.FileNamebefore logging to prevent log line injection. - Update controller logging/service call to use sanitized values.
Comment on lines
27
to
+31
| return BadRequest("X-Tenant-ID header is required"); | ||
| } | ||
|
|
||
| // Sanitize tenantId to prevent log forging by removing line breaks | ||
| var safeTenantId = tenantId.Replace("\r", string.Empty).Replace("\n", string.Empty); |
There was a problem hiding this comment.
tenantId is validated before sanitization, so a header value containing only CR/LF (or whitespace + CR/LF) will pass IsNullOrEmpty, be sanitized to an empty string, and then be used for logging and passed downstream as the tenant context. Re-validate after sanitization (or reject when tenantId contains CR/LF/control chars) and return BadRequest if the resulting tenant id is empty/whitespace.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/aurelianware/cloudhealthoffice/security/code-scanning/113
In general, to fix log-forging issues, user-controlled values should be sanitized before being logged, at least by removing newline and carriage-return characters (and optionally other control characters). This ensures a malicious header value cannot inject extra log lines or otherwise alter log structure.
For this case, the single best fix with minimal functional change is to sanitize
TenantIdat the controller boundary, where it enters the system, and then log and propagate the sanitized value throughout the services and repository. That way, any downstream logging involvingtenantIdor entities whoseTenantIdis derived from it (likeSponsorEntity.TenantId) will automatically use the safe version. Specifically:EnrollmentController.ImportEnrollment, after checking thattenantIdis not null or empty, create a sanitized version that strips\rand\ncharacters (and optionally trims whitespace), e.g.var safeTenantId = tenantId.Replace("\r", "").Replace("\n", "");.safeTenantIdin the_logger.LogInformationcall in the controller.safeTenantIdto_importService.ImportEnrollmentAsync(...)instead of the rawtenantId.No changes are required to
EnrollmentImportServiceorEnrollmentRepositoryto maintain existing functionality; they will continue to receive thetenantIdargument and setSponsorEntity.TenantIdthe same way, but now it will already be sanitized. This directly addresses the CodeQL finding because the loggedsponsor.TenantIdinEnrollmentRepository.CreateSponsorAsynccan no longer contain line breaks injected by an attacker.Concretely:
services/enrollment-import-service/Controllers/EnrollmentController.cswithinImportEnrollment:safeTenantIdvariable after the null/empty check.safeTenantIdin both theLogInformationcall and the service call.string.Replace, which is inSystemand already available.Suggested fixes powered by Copilot Autofix. Review carefully before merging.