Skip to content

Fix the WASA Issue : IDOR Vulnerability #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vanitha1822 merged 3 commits into from
Nov 19, 2025
Merged

Fix the WASA Issue : IDOR Vulnerability #102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b23f4c7
fix: wasa-IDOR Vulnerability
vanitha1822 Nov 17, 2025
9cd210c
fix: coderabbit comments
vanitha1822 Nov 17, 2025
c455c66
fix: remove userid from request
vanitha1822 Nov 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

<groupId>com.iemr.tm</groupId>
<artifactId>tm-api</artifactId>
<version>3.4.0</version>
<version>3.6.1</version>
<packaging>war</packaging>

<name>TM-API</name>
Expand Down
57 changes: 38 additions & 19 deletions src/main/java/com/iemr/tm/controller/common/main/WorklistController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,14 @@
import com.iemr.tm.service.common.transaction.CommonDoctorServiceImpl;
import com.iemr.tm.service.common.transaction.CommonNurseServiceImpl;
import com.iemr.tm.service.common.transaction.CommonServiceImpl;
import com.iemr.tm.utils.CookieUtil;
import com.iemr.tm.utils.JwtUtil;
import com.iemr.tm.utils.mapper.InputMapper;
import com.iemr.tm.utils.response.OutputResponse;

import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;
import jakarta.servlet.http.HttpServletRequest;

@RestController
@RequestMapping(value = "/common", headers = "Authorization", consumes = "application/json", produces = "application/json")
Expand All @@ -57,6 +60,9 @@ public class WorklistController {
private CommonServiceImpl commonServiceImpl;
private InputMapper inputMapper = new InputMapper();

@Autowired
private JwtUtil jwtUtil;

@Autowired
public void setCommonServiceImpl(CommonServiceImpl commonServiceImpl) {
this.commonServiceImpl = commonServiceImpl;
Expand Down Expand Up @@ -676,20 +682,24 @@ public String getBeneficiaryCaseSheetHistory(

// TC specialist worklist new
@Operation(summary = "Get teleconsultation specialist worklist")
@GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" })
@GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}" })
public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID,
@PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID) {
@PathVariable("serviceID") Integer serviceID, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
if (providerServiceMapID != null && userID != null) {
String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);
if (providerServiceMapID != null && userId != null ) {
String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID,
serviceID);
if (s != null)
response.setResponse(s);
} else if(userId == null || jwtToken == null) {
response.setError(403, "Unauthorized access!");
} else {
logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = "
+ providerServiceMapID + " SID = " + userID);
response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid");
logger.error("Invalid request");
response.setError(5000, "Invalid request");
}

} catch (Exception e) {
Expand All @@ -702,21 +712,25 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I
// TC specialist worklist new, patient App, 14-08-2020
@Operation(summary = "Get teleconsultation specialist worklist for patient app")
@GetMapping(value = {
"/getTCSpecialistWorklistPatientApp/{providerServiceMapID}/{serviceID}/{userID}/{vanID}" })
"/getTCSpecialistWorklistPatientApp/{providerServiceMapID}/{serviceID}/{vanID}" })
public String getTCSpecialistWorkListNewPatientApp(
@PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID,
@PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID) {
@PathVariable("providerServiceMapID") Integer providerServiceMapID,
@PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);
if (providerServiceMapID != null && userID != null) {
String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTMPatientApp(providerServiceMapID,
userID, serviceID, vanID);
if (s != null)
response.setResponse(s);
} else if(userId == null || jwtToken == null) {
response.setError(403, "Unauthorized access!");
} else {
logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = "
+ providerServiceMapID + " SID = " + userID);
response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid");
logger.error("Invalid request");
response.setError(5000, "Invalid request");
}

} catch (Exception e) {
Expand All @@ -729,21 +743,26 @@ public String getTCSpecialistWorkListNewPatientApp(
// TC specialist worklist new future scheduled
@Operation(summary = "Get teleconsultation specialist future scheduled")
@GetMapping(value = {
"/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" })
"/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}" })
public String getTCSpecialistWorklistFutureScheduled(
@PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID,
@PathVariable("serviceID") Integer serviceID) {
@PathVariable("providerServiceMapID") Integer providerServiceMapID,
@PathVariable("serviceID") Integer serviceID, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
if (providerServiceMapID != null && userID != null) {

String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);
if (providerServiceMapID != null && userID != null ) {
String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID,
userID, serviceID);
if (s != null)
response.setResponse(s);
} else if(userId == null || jwtToken == null) {
response.setError(403, "Unauthorized access!");
} else {
logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = "
+ providerServiceMapID + " UserID = " + userID);
response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid");
logger.error("Invalid request");
response.setError(5000, "Invalid request");
}

} catch (Exception e) {
Expand Down
37 changes: 29 additions & 8 deletions src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,13 @@

import com.iemr.tm.controller.registrar.main.RegistrarController;
import com.iemr.tm.service.login.IemrMmuLoginServiceImpl;
import com.iemr.tm.utils.CookieUtil;
import com.iemr.tm.utils.JwtUtil;
import com.iemr.tm.utils.mapper.InputMapper;
import com.iemr.tm.utils.response.OutputResponse;

import io.swagger.v3.oas.annotations.Operation;
import jakarta.servlet.http.HttpServletRequest;

@RestController
@RequestMapping(value = "/user", headers = "Authorization", consumes = "application/json", produces = "application/json")
Expand All @@ -49,6 +52,10 @@ public class IemrMmuLoginController {

private IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl;


@Autowired
private JwtUtil jwtUtil;

@Autowired
public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl) {
this.iemrMmuLoginServiceImpl = iemrMmuLoginServiceImpl;
Expand All @@ -57,13 +64,21 @@ public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServi
@Operation(summary = "Get user service point van details")
@PostMapping(value = "/getUserServicePointVanDetails", produces = {
"application/json" })
public String getUserServicePointVanDetails(@RequestBody String comingRequest) {
public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {

String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);

JSONObject obj = new JSONObject(comingRequest);
logger.info("getUserServicePointVanDetails request " + comingRequest);
String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID"));
if (userId == null || jwtToken ==null) {
response.setError(403, "Unauthorized access: Missing or invalid token");
return response.toString();
}
String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(userID);
response.setResponse(responseData);
} catch (Exception e) {
// e.printStackTrace();
Expand Down Expand Up @@ -97,17 +112,23 @@ public String getServicepointVillages(@RequestBody String comingRequest) {

@Operation(summary = "Get user service point van details")
@PostMapping(value = "/getUserVanSpDetails", produces = { "application/json" })
public String getUserVanSpDetails(@RequestBody String comingRequest) {
public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);

JSONObject obj = new JSONObject(comingRequest);
logger.info("getServicepointVillages request " + comingRequest);
if (obj.has("userID") && obj.has("providerServiceMapID")) {
String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"),
obj.getInt("providerServiceMapID"));
response.setResponse(responseData);
} else {

if (userId !=null && obj.has("providerServiceMapID")) {
String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(userID,
obj.getInt("providerServiceMapID"));
response.setResponse(responseData);
} else if(userId == null || jwtToken ==null) {
response.setError(403, "Unauthorized access : Missing or invalid token");
} else {
response.setError(5000, "Invalid request");
}
} catch (Exception e) {
Expand Down
22 changes: 17 additions & 5 deletions src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import jakarta.servlet.http.HttpServletRequest;
import com.iemr.tm.utils.CookieUtil;
import com.iemr.tm.utils.JwtUtil;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
Expand All @@ -47,6 +50,9 @@ public class TeleConsultationController {
@Autowired
private TeleConsultationServiceImpl teleConsultationServiceImpl;

@Autowired
private JwtUtil jwtUtil;

@Operation(summary = "Update beneficiary arrival status based on request")
@PostMapping(value = { "/update/benArrivalStatus" })
public String benArrivalStatusUpdater(@RequestBody String requestOBJ) {
Expand Down Expand Up @@ -137,24 +143,30 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req
// TC request List
@Operation(summary = "Get teleconsultation request list for a specialist")
@PostMapping(value = { "/getTCRequestList" })
public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ) {
public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);
Integer userID=Integer.parseInt(userId);

if (requestOBJ != null) {
JsonObject jsnOBJ = new JsonObject();
JsonParser jsnParser = new JsonParser();
JsonElement jsnElmnt = jsnParser.parse(requestOBJ);
jsnOBJ = jsnElmnt.getAsJsonObject();

if (userId != null) {
String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate(
jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(),
jsnOBJ.get("psmID").getAsInt(), userID,
jsnOBJ.get("date").getAsString());
if (s != null)
response.setResponse(s);
} else {
logger.error("Invalid request, either ProviderServiceMapID or userID or reqDate is invalid");
response.setError(403, "Unauthorized access!");
} } else {
logger.error("Invalid request, either ProviderServiceMapID or reqDate is invalid");
response.setError(5000,
"Invalid request, either ProviderServiceMapID or UserID or RequestDate is invalid");
"Invalid request, either ProviderServiceMapID or RequestDate is invalid");
}

} catch (Exception e) {
Expand Down
20 changes: 15 additions & 5 deletions .../java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@

import com.iemr.tm.service.videoconsultation.VideoConsultationService;
import com.iemr.tm.utils.response.OutputResponse;
import jakarta.servlet.http.HttpServletRequest;
import com.iemr.tm.utils.CookieUtil;
import com.iemr.tm.utils.JwtUtil;

import io.swagger.v3.oas.annotations.Operation;

Expand All @@ -44,19 +47,26 @@ public class VideoConsultationController {
@Autowired
private VideoConsultationService videoConsultationService;

@Autowired
private JwtUtil jwtUtil;

@Operation(summary = "Login to video consultation service")
@GetMapping(value = "/login/{userID}", headers = "Authorization", produces = {
"application/json" })
public String login(@PathVariable("userID") Long userID) {
public String login(@PathVariable("userID") Long userID, HttpServletRequest request) {

OutputResponse response = new OutputResponse();

try {
String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
String userId = jwtUtil.getUserIdFromToken(jwtToken);

String createdData = videoConsultationService.login(userID);

response.setResponse(createdData.toString());
if(userID.toString().equals(userId)) {
String createdData = videoConsultationService.login(userID);

response.setResponse(createdData.toString());
} else {
response.setError(403, "Unauthorized access!");
}
} catch (Exception e) {
logger.error(e.getMessage());
response.setError(e);
Expand Down
9 changes: 9 additions & 0 deletions src/main/java/com/iemr/tm/utils/JwtUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,4 +66,13 @@ private Claims extractAllClaims(String token) {
.parseSignedClaims(token)
.getPayload();
}

public String getUserIdFromToken(String token) {
Claims claims = validateToken(token);
if (claims == null) {
return null;
}
return claims.get("userId", String.class);
}
}