Skip to content

Code Security Report: 2 high severity findings, 10 total findings [master] #18

Open
Open
Code Security Report: 2 high severity findings, 10 total findings [master]#18
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 17, 2025

Code Security Report

Scan Metadata

Latest Scan: 2025-09-17 07:56AM
Total Findings: 10 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 820
Detected Programming Languages: 2 (Java*, JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention.

Severity
Vulnerability Type
CWE
File
Data Flows
Detected
Violated Workflows
Violation Priority
Violation SLA
High
Server Side Request Forgery
1
2025-09-17 07:57AM
Code Test
HIGH
2025-10-17
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Lines 227 to 236 in aa68077

* @return true if a connection a established otherwise false
*/
protected static boolean testConnection(String urlString) {
try {
HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();
//wait for 15sec
urlConnect.setConnectTimeout(15000);
urlConnect.setUseCaches(false);
//trying to retrieve data from the source. If there
//is no connection, this line will fail

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 754 in aa68077

if (TestInstallUtil.testConnection(wizardModel.remoteUrl)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 229 in aa68077

protected static boolean testConnection(String urlString) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 231 in aa68077

HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 754 in aa68077

if (TestInstallUtil.testConnection(wizardModel.remoteUrl)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 229 in aa68077

protected static boolean testConnection(String urlString) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 231 in aa68077

HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();

Secure Code Warrior Training Material
High
Server Side Request Forgery
1
2025-09-17 07:57AM
Code Test
HIGH
2025-10-17
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Lines 272 to 281 in aa68077

return connection.getInputStream();
}
private static HttpURLConnection createConnection(String url)
throws IOException, MalformedURLException {
final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();
result.setRequestMethod("POST");
result.setConnectTimeout(15000);
result.setUseCaches(false);
result.setDoOutput(true);
return result;

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 768 in aa68077

wizardModel.remoteUrl + RELEASE_TESTING_MODULE_PATH + "verifycredentials.htm",

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 767 in aa68077

TestInstallUtil.getResourceInputStream(

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 255 in aa68077

protected static InputStream getResourceInputStream(String url, String openmrsUsername, String openmrsPassword)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 258 in aa68077

HttpURLConnection connection = createConnection(url);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 274 in aa68077

private static HttpURLConnection createConnection(String url)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 276 in aa68077

final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 768 in aa68077

wizardModel.remoteUrl + RELEASE_TESTING_MODULE_PATH + "verifycredentials.htm",

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 767 in aa68077

TestInstallUtil.getResourceInputStream(

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 255 in aa68077

protected static InputStream getResourceInputStream(String url, String openmrsUsername, String openmrsPassword)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 258 in aa68077

HttpURLConnection connection = createConnection(url);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 274 in aa68077

private static HttpURLConnection createConnection(String url)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 276 in aa68077

final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();

Secure Code Warrior Training Material
Medium
Insufficient Transport Layer Protection
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Lines 227 to 236 in aa68077

* @return true if a connection a established otherwise false
*/
protected static boolean testConnection(String urlString) {
try {
HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();
//wait for 15sec
urlConnect.setConnectTimeout(15000);
urlConnect.setUseCaches(false);
//trying to retrieve data from the source. If there
//is no connection, this line will fail

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 754 in aa68077

if (TestInstallUtil.testConnection(wizardModel.remoteUrl)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 229 in aa68077

protected static boolean testConnection(String urlString) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 231 in aa68077

HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 754 in aa68077

if (TestInstallUtil.testConnection(wizardModel.remoteUrl)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 229 in aa68077

protected static boolean testConnection(String urlString) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 231 in aa68077

HttpURLConnection urlConnect = (HttpURLConnection) new URL(urlString).openConnection();

Secure Code Warrior Training Material
Medium
Insufficient Transport Layer Protection
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Lines 272 to 281 in aa68077

return connection.getInputStream();
}
private static HttpURLConnection createConnection(String url)
throws IOException, MalformedURLException {
final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();
result.setRequestMethod("POST");
result.setConnectTimeout(15000);
result.setUseCaches(false);
result.setDoOutput(true);
return result;

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 768 in aa68077

wizardModel.remoteUrl + RELEASE_TESTING_MODULE_PATH + "verifycredentials.htm",

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 767 in aa68077

TestInstallUtil.getResourceInputStream(

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 255 in aa68077

protected static InputStream getResourceInputStream(String url, String openmrsUsername, String openmrsPassword)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 258 in aa68077

HttpURLConnection connection = createConnection(url);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 274 in aa68077

private static HttpURLConnection createConnection(String url)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 276 in aa68077

final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 750 in aa68077

wizardModel.remoteUrl = httpRequest.getParameter("remoteUrl");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 768 in aa68077

wizardModel.remoteUrl + RELEASE_TESTING_MODULE_PATH + "verifycredentials.htm",

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 767 in aa68077

TestInstallUtil.getResourceInputStream(

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 255 in aa68077

protected static InputStream getResourceInputStream(String url, String openmrsUsername, String openmrsPassword)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 258 in aa68077

HttpURLConnection connection = createConnection(url);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 274 in aa68077

private static HttpURLConnection createConnection(String url)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java

Line 276 in aa68077

final HttpURLConnection result = (HttpURLConnection) new URL(url).openConnection();

Secure Code Warrior Training Material
Medium
Unsafe Reflection
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Lines 53 to 62 in aa68077

* @throws ClassNotFoundException
*/
public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {
if (StringUtils.hasText(connectionDriver)) {
Class.forName(connectionDriver);
log.debug("set user defined Database driver class: " + connectionDriver);
} else {
if (connectionUrl.contains("mysql")) {
Class.forName("com.mysql.cj.jdbc.Driver");
connectionDriver = "com.mysql.cj.jdbc.Driver";

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 57 in aa68077

Class.forName(connectionDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 57 in aa68077

Class.forName(connectionDriver);

Medium
Trust Boundary Violation
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Lines 929 to 938 in aa68077

// if user has changed locale parameter to new one
// or chooses it parameter at first page loading
if (storedLocale == null || !storedLocale.equals(localeParameter)) {
log.info("Stored locale parameter to session " + localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
}
if (rememberLocale) {
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.REMEMBER_ATTRIBUTE, true);
wizardModel.localeToSave = localeParameter;

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 933 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 933 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

Medium
Trust Boundary Violation
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Lines 932 to 941 in aa68077

log.info("Stored locale parameter to session " + localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
}
if (rememberLocale) {
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.REMEMBER_ATTRIBUTE, true);
wizardModel.localeToSave = localeParameter;
} else {
// we need to reset it if it was set before
httpRequest.getSession().setAttribute(FilterUtil.REMEMBER_ATTRIBUTE, null);

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 933 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 936 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 933 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 936 in aa68077

httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);

Low
Log Forging
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Lines 76 to 85 in aa68077

Class.forName("com.microsoft.jdbc.sqlserver.SQLServerDriver");
connectionDriver = "com.microsoft.jdbc.sqlserver.SQLServerDriver";
}
}
log.info("Set database driver class as " + connectionDriver);
return connectionDriver;
}
/**
* Executes the passed SQL query, enforcing select only if that parameter is set for given Session

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 80 in aa68077

log.info("Set database driver class as " + connectionDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 80 in aa68077

log.info("Set database driver class as " + connectionDriver);

Secure Code Warrior Training Material
Low
Log Forging
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Lines 928 to 937 in aa68077

}
// if user has changed locale parameter to new one
// or chooses it parameter at first page loading
if (storedLocale == null || !storedLocale.equals(localeParameter)) {
log.info("Stored locale parameter to session " + localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
}
if (rememberLocale) {
httpRequest.getSession().setAttribute(FilterUtil.LOCALE_ATTRIBUTE, localeParameter);
httpRequest.getSession().setAttribute(FilterUtil.REMEMBER_ATTRIBUTE, true);

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 932 in aa68077

log.info("Stored locale parameter to session " + localeParameter);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 918 in aa68077

String localeParameter = httpRequest.getParameter(FilterUtil.LOCALE_ATTRIBUTE);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 931 in aa68077

if (storedLocale == null || !storedLocale.equals(localeParameter)) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 932 in aa68077

log.info("Stored locale parameter to session " + localeParameter);

Secure Code Warrior Training Material
Low
Log Forging
1
2025-09-17 07:57AM
Vulnerable Code

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Lines 1881 to 1890 in aa68077

public static String loadDriver(String connection, String databaseDriver) {
String loadedDriverString = null;
try {
loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);
log.info("using database driver :" + loadedDriverString);
}
catch (ClassNotFoundException e) {
log.error("The given database driver class was not found. "
+ "Please ensure that the database driver jar file is on the class path "
+ "(like in the webapp's lib folder)");

Data Flows (1 detected)

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 81 in aa68077

return connectionDriver;

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1885 in aa68077

log.info("using database driver :" + loadedDriverString);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 519 in aa68077

wizardModel.databaseDriver = httpRequest.getParameter("database_driver");

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 522 in aa68077

loadedDriverString = loadDriver(wizardModel.databaseConnection, wizardModel.databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1881 in aa68077

public static String loadDriver(String connection, String databaseDriver) {

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 55 in aa68077

public static String loadDatabaseDriver(String connectionUrl, String connectionDriver) throws ClassNotFoundException {

openmrs-core/api/src/main/java/org/openmrs/util/DatabaseUtil.java

Line 81 in aa68077

return connectionDriver;

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1884 in aa68077

loadedDriverString = DatabaseUtil.loadDatabaseDriver(connection, databaseDriver);

openmrs-core/web/src/main/java/org/openmrs/web/filter/initialization/InitializationFilter.java

Line 1885 in aa68077

log.info("using database driver :" + loadedDriverString);

Secure Code Warrior Training Material

Findings Overview

Severity Vulnerability Type CWE Language Count
High Server Side Request Forgery CWE-918 Java* 2
Medium Insufficient Transport Layer Protection CWE-319 Java* 2
Medium Trust Boundary Violation CWE-501 Java* 2
Medium Unsafe Reflection CWE-470 Java* 1
Low Log Forging CWE-117 Java* 3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions