Late last year, OpenMRS began collaborating with researchers from North Carolina State University (NCSU) to better secure the OpenMRS Reference Application. NCSU researchers, using cutting-edge security assessment techniques, have identified almost 300 distinct security issues. Many of those issues are relatively low-complexity, requiring one-line patches. This is a great opportunity for students who are interested in software security to get first-hand experience in the field.
- (First priority) Patch up to 50 XSS vulnerabilities
- (Second priority) Implement up to 25 authorization checks where they are lacking
- (Third priority) Implement safe exception handling for up to 10 HTTP 500 errors
- Take on responsibility for patching more complex security issues
- Experience with .jsp and/or .gsp frontend templating languages
- Basic knowledge of common web application security vulnerabilities
Examples to Look Through While Preparing Your Proposal
1) Understand XSS vulnerabilities
- https://owasp.org/www-community/attacks/xss/ - Description of XSS vulnerabilities
2) Review some recent fix examples
For security reasons we can't publicly release the full NCSU report; however, you can check out these PRs for recent examples of the kinds of bugs that are being patched (and the kind of work the patches in this GSOC project entail):
- https://github.com/openmrs/openmrs-module-reporting/pull/207 - Example of a PR patching one of the vulnerabilities identified in the report
Once you are accepted into the project, you will be added to the security team and a more detailed backlog of issues will be shared with you.
A successful proposal
A successful proposal could include a general approach to patching XSS vulnerabilities based on the examples above.