send communication resource to EHR #182
base: dev
Conversation
| logger.info(`Dispense authorization check for case: ${caseNumber}`); | ||
|
|
||
| // Find the REMS case | ||
| const remsCase = await remsCaseCollection.findOne({ case_number: caseNumber }); |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
This autofix suggestion was applied.
Copilot Autofix
AI 25 days ago
The best way to fix the problem is to ensure that the user-supplied caseNumber is interpreted strictly as a literal value in the MongoDB query. This can be done by either validating that caseNumber is a string (or other expected primitive type), or by wrapping it in the $eq operator in the query. The $eq operator ensures that even if an attacker submits a crafted object value, it will not be executed as a query operator but only as a value to match exactly.
To implement the change, in src/lib/dispense_authorization.ts, update the line where findOne is called (remsCaseCollection.findOne({ case_number: caseNumber })) to instead use { case_number: { $eq: caseNumber } }. Optionally, you may add a validation to ensure caseNumber is a string, but using $eq is sufficient and straightforward.
No new imports are required.
| @@ -25,7 +25,7 @@ | ||
| logger.info(`Dispense authorization check for case: ${caseNumber}`); | ||
|
|
||
| // Find the REMS case | ||
| const remsCase = await remsCaseCollection.findOne({ case_number: caseNumber }); | ||
| const remsCase = await remsCaseCollection.findOne({ case_number: { $eq: caseNumber } }); | ||
|
|
||
| if (!remsCase) { | ||
| logger.warn(`REMS case not found: ${caseNumber}`); |
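Review bot: wrapping the value in `$eq` on R28 stops a crafted object from being parsed as a query operator, but `caseNumber` itself is still accepted unchecked, so a `typeof caseNumber !== 'string'` guard before the query would reject non-string payloads outright (returning a 400 rather than running the lookup) and would also keep the `logger.info` and `logger.warn` template interpolations in this hunk from writing a serialized object into the log. The `$eq` change is correct on its own; the type check is the complementary validation the autofix text calls optional.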
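To make the autofix reasoning concrete, here is an added example (not code from this project or from the Copilot suggestion) that reproduces the two query shapes against a small in-memory stand-in for MongoDB's `findOne`. The matcher, the operator subset it supports and the sample `remsCases` collection are all constructed for the demonstration; real MongoDB applies the same rule the comment describes: an object sitting directly at the field position is parsed as an operator expression, whereas a value nested under `$eq` is compared as a literal. The `lookupWithTypeGuard` function is an assumed name for the optional string check the comment mentions.

```javascript
// Added example, not project code: a minimal in-memory stand-in for MongoDB's
// findOne matching, enough to show why `{ $eq: value }` defeats operator injection.

// Constructed sample collection (not real REMS data).
const remsCases = [
  { case_number: "RC-1001", status: "approved" },
  { case_number: "RC-1002", status: "pending" },
];

// Mongo's rule: a plain object whose keys start with '$' is an operator expression,
// anything else at the field position is a literal to match.
function isOperatorExpr(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) &&
    Object.keys(v).length > 0 && Object.keys(v).every((k) => k.startsWith("$"));
}

// Structural equality, the semantics used for a literal comparison.
function literalEqual(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Evaluate one field condition against the stored value (small operator subset).
function matchField(stored, cond) {
  if (!isOperatorExpr(cond)) return literalEqual(stored, cond);
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq": return literalEqual(stored, arg);
      case "$ne": return !literalEqual(stored, arg);
      case "$gt": return stored > arg;
      case "$gte": return stored >= arg;
      case "$lt": return stored < arg;
      case "$lte": return stored <= arg;
      case "$in": return Array.isArray(arg) && arg.some((x) => literalEqual(stored, x));
      case "$regex": return typeof stored === "string" && new RegExp(arg).test(stored);
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// findOne over the in-memory collection; null when nothing matches.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => matchField(doc[field], cond)));
  return hit === undefined ? null : hit;
}

// Shape flagged by CodeQL: the user-supplied value sits directly at the field position,
// so an object such as { $ne: null } is interpreted as an operator and matches any case.
function lookupVulnerable(caseNumber) {
  return findOne(remsCases, { case_number: caseNumber });
}

// Shape from the autofix: $eq forces a literal comparison, so the same object
// matches nothing because no stored case_number equals that object.
function lookupWithEq(caseNumber) {
  return findOne(remsCases, { case_number: { $eq: caseNumber } });
}

// The optional validation the comment mentions (assumed name): reject anything that is
// not a string before querying, which also keeps a serialized object out of the
// `Dispense authorization check for case: ...` log line.
function lookupWithTypeGuard(caseNumber) {
  if (typeof caseNumber !== "string") throw new TypeError("caseNumber must be a string");
  return lookupWithEq(caseNumber);
}
```

Running the three lookups with a legitimate case number and with a parsed-JSON object value shows the difference the autofix text describes: the unwrapped query returns the first case for the object value, the `$eq` form returns null, and the type guard rejects it before any query is built.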
merged this in
…om user-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
src/lib/dispense_authorization.ts
Outdated
| }; | ||
|
|
||
|
|
||
| let ehrEndpoint = config.fhirServerConfig?.auth?.resourceServer; |
We need to use the previous hooks calls to the REMS Admin to determine who to send the Communication to. We do not want to send it to a preconfigured EHR. We can do this as a separate task if that makes more sense to do, at least add a todo here in the code. With the case we need to store who sent the request originally. This should be easy to save, but we may need to have the intermediary keep information about all of the calls it makes to know who to send the Communication back to.
Describe your changes
Check the ETASU status at the dispense authorization endpoint, a basic fill-in for NCPDP messages using JSON for now (will change to NCPDP XML once we receive the spec), and send a communication resource to the FHIR EHR server for the prescriber to see.
Issue ticket number and Jira link
REMS-856
Checklist before requesting a review
dev, not main (the only exception to this is releases from dev and hotfix branches)
Checklist for conducting a review
Workflow
Owner of the Pull Request will be responsible for merge after all requirements are met, including approval from at least one reviewer. Additional changes made after a review will dismiss any approvals and require re-review of the additional updates. Auto merging can be enabled below if additional changes are likely not to be needed. The bot will auto assign reviewers to your Pull Request for you.