feat: add opencrvs integration#39
Conversation
|
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done |
![amazon-inspector-n-virginia[bot]](https://avatars.githubusercontent.com/u/214039647?s=60&v=4){kind=small}
| try { | ||
| this.logger.log(`Executing processor: ${config.type}`); | ||
| await processor.execute(config.config, context); | ||
| const result = await processor.execute(config.config, context); |
There was a problem hiding this comment.
Description: A potential code injection vulnerability has been detected on this line, where untrusted input is passed to a method that may execute arbitrary code. This issue allows attackers to inject and execute arbitrary code within the application, which could lead to unauthorized access to sensitive data or other malicious actions. To mitigate this, ensure that all user-supplied input is properly sanitized and validated before being processed. Avoid passing untrusted input to methods like eval, send, or system that can execute arbitrary code. Where possible, use safer alternatives such as parameterized queries or more controlled methods for handling user input. Learn more
Severity: Critical
| submissionId, | ||
| data, | ||
| }); | ||
| const processorResults = await this.processorPipeline.execute( |
There was a problem hiding this comment.
Description: A potential code injection vulnerability has been detected on this line, where untrusted input is passed to a method that may execute arbitrary code. This issue allows attackers to inject and execute arbitrary code within the application, which could lead to unauthorized access to sensitive data or other malicious actions. To mitigate this, ensure that all user-supplied input is properly sanitized and validated before being processed. Avoid passing untrusted input to methods like eval, send, or system that can execute arbitrary code. Where possible, use safer alternatives such as parameterized queries or more controlled methods for handling user input. Learn more
Severity: Critical
|
|
||
| if (!res.ok) { | ||
| const errorText = await res.text(); | ||
| this.logger.error(`Token request failed: ${res.status} ${errorText}`); |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
| throw new Error('Create event response missing id'); | ||
| } | ||
|
|
||
| this.logger.log(`Birth event created: ${data.id} (${data.trackingId})`); |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
|
|
||
| if (!res.ok) { | ||
| const errorText = await res.text(); | ||
| this.logger.error(`Notify event failed: ${res.status} ${errorText}`); |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
|
|
||
| if (!res.ok) { | ||
| const errorText = await res.text(); | ||
| this.logger.error(`Create event failed: ${res.status} ${errorText}`); |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
| // Cache the result | ||
| this.locationCache.set(cacheKey, match.resource.id); | ||
|
|
||
| this.logger.log( |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
|
|
||
| if (!res.ok) { | ||
| const errorText = await res.text(); | ||
| this.logger.error( |
There was a problem hiding this comment.
Description: User input is being logged without proper sanitization. This creates a security vulnerability where malicious content could be injected through user inputs. To protect your application, always sanitize user data before logging.
Severity: High
|
|
||
| this.logger.log(`Requesting OpenCRVS access token from: ${url.host}`); | ||
|
|
||
| const res = await fetch(url.toString(), { |
There was a problem hiding this comment.
Description: Server-Side Request Forgery (SSRF) vulnerability detected.
Untrusted user input is being used in a network request without proper validation.
This can allow attackers to craft requests to internal systems, access metadata services,
or perform internal port scans. To fix this issue, strictly validate and sanitize the input URL
using a library like node:url for parsing, enforce an allowlist of trusted domains,
and block access to private IP ranges (e.g., 127.0.0.1, 169.254.169.254).
Learn more: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Severity: High
|
✅ I finished the code review, and left comments with the issues I found. |
schemas/register-birth-form.json
Outdated
| "type": "email", | ||
| "config": { | ||
| "to": "{{formData.email}}", | ||
| "to": "testing@govtech.bb", |
| opencrvs: opencrvsResult.success | ||
| ? { | ||
| success: true, | ||
| message: 'Birth registration submitted successfully', |
There was a problem hiding this comment.
This message is hardcoded for "Birth registration"; if we need to configure opencrvs for another form, the same message will be returned
3 participants
Description
Type of Change
Changes Made
Notes
Testing
Related Github Issue(s)/Trello Ticket(s)
Checklist