openmrs-core master

• 

  Jonathan Leitschuh <jonathan.leitschuh@gmail.com> 12 Sep 2022 8e435b3355733f767c89b8ce3409e17ab400f811

  vuln-fix: Zip Slip Vulnerability (#4144)
  This fixes a Zip-Slip vulnerability.
  
  This change does one of two things. This change either
  
  1. Inserts a guard to protect against Zip Slip.
  OR
  2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
  
  For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
  The check is bypassed although `/outnot` is not under the `/out` directory.
  It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
  For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
  however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
  
  Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Severity: High
  CVSSS: 7.4
  Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
  
  Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
  Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
  
  Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16
  
  Co-authored-by: Moderne <team@moderne.io>
  
  Co-authored-by: Moderne <team@moderne.io>

  • web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java (version 8e435b3355733f767c89b8ce3409e17ab400f811)
• 

  dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 12 Sep 2022 d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f

  github-actions(deps): bump actions/checkout from 2 to 3 (#4147)
  Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/actions/checkout/compare/v2...v3)
  
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...
  
  Signed-off-by: dependabot[bot] <support@github.com>
  
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

  • .github/workflows/codeql-analysis.yml (version d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f)
• 

  Siva Reddy <sivareddy.pathuri@thoughtworks.com> 12 Sep 2022 f7e2e474d9e8b4915fd99d12738b17070e501fbc

  Siva Reddy | BAH-2274 | Support for Java8 DateTime in jackson (#4146)

  • api/pom.xml (version f7e2e474d9e8b4915fd99d12738b17070e501fbc)
  • pom.xml (version f7e2e474d9e8b4915fd99d12738b17070e501fbc)