Merge pull request #424 from aurelianware/copilot/fix-security-scan-issues

Author: aurelianware

containers/claims-publisher/Dockerfile

@@ -13,5 +13,10 @@ RUN apk add --no-cache \
 COPY publish-claims.sh /app/
 RUN chmod +x /app/publish-claims.sh
 
+# Create non-root user
+RUN addgroup -S appuser && adduser -S -G appuser appuser \
+    && chown -R appuser:appuser /app
+USER appuser
+
 # Set entrypoint
 ENTRYPOINT ["/app/publish-claims.sh"]

containers/x12-834-parser/Dockerfile

@@ -14,11 +14,15 @@ COPY parse-834.js ./
 # Make script executable
 RUN chmod +x parse-834.js
 
-# Create input/output directories
-RUN mkdir -p /input /output
+# Create input/output directories and set permissions
+RUN mkdir -p /input /output \
+    && chown -R node:node /app /input /output
 
 # Set environment variables
 ENV INPUT_DIR=/input
 ENV OUTPUT_DIR=/output
 
+# Run as non-root user
+USER node
+
 CMD ["node", "parse-834.js"]

scripts/utils/template-helpers.ts

@@ -209,7 +209,9 @@ export function registerHelpers(): void {
 
   Handlebars.registerHelper('replace', function(str: string, search: string, replacement: string) {
     if (!str) return '';
-    return str.replace(new RegExp(search, 'g'), replacement);
+    // Escape regex special characters from the search string to prevent regex injection
+    const escapedSearch = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    return str.replace(new RegExp(escapedSearch, 'g'), replacement);
   });
 
   Handlebars.registerHelper('trim', function(str: string) {

src/ai/redaction.ts

@@ -97,10 +97,11 @@ export function isPHIFieldName(fieldName: string): boolean {
     if (lowerFieldName.includes('_' + lowerPhiName + '_')) return true;
     // CamelCase suffix match (e.g., "patientEmail" contains "Email")
     // Match if PHI name appears as a capitalized word at the end
-    const camelCasePattern = new RegExp(lowerPhiName + '$', 'i');
+    const escapedPhiName = lowerPhiName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const camelCasePattern = new RegExp(escapedPhiName + '$', 'i');
     if (camelCasePattern.test(lowerFieldName)) return true;
     // Word boundary match for other cases (e.g., "name" as a whole word)
-    const wordBoundaryRegex = new RegExp(`\\b${lowerPhiName}\\b`, 'i');
+    const wordBoundaryRegex = new RegExp(`\\b${escapedPhiName}\\b`, 'i');
     if (wordBoundaryRegex.test(fieldName)) return true;
     return false;
   });

src/fhir/patient-access-api.ts

@@ -699,7 +699,10 @@ export class PatientAccessApi {
    */
   logAudit(entry: AuditLogEntry): void {
     this.auditLogs.push(entry);
-    console.log(`[AUDIT] ${entry.timestamp} - ${entry.eventType} - ${entry.result} - User: ${entry.userId} - ${entry.details || ''}`);
+    // Sanitize user-controlled values to prevent log injection
+    const safeUserId = String(entry.userId || '').replace(/[\r\n]/g, '');
+    const safeDetails = String(entry.details || '').replace(/[\r\n]/g, '');
+    console.log(`[AUDIT] ${entry.timestamp} - ${entry.eventType} - ${entry.result} - User: ${safeUserId} - ${safeDetails}`);
   }
 
   /**

src/fhir/provider-access-api.ts

@@ -749,8 +749,10 @@ export class ProviderAccessApi {
     // In production: send to Azure Application Insights or Log Analytics
     this.auditLogs.push(entry);
 
-    // For development: log to console
-    console.log(`[AUDIT] ${entry.timestamp} - ${entry.eventType} - ${entry.result} - User: ${entry.userId} - ${entry.details || ''}`);
+    // For development: log to console (sanitize user-controlled values to prevent log injection)
+    const safeUserId = String(entry.userId || '').replace(/[\r\n]/g, '');
+    const safeDetails = String(entry.details || '').replace(/[\r\n]/g, '');
+    console.log(`[AUDIT] ${entry.timestamp} - ${entry.eventType} - ${entry.result} - User: ${safeUserId} - ${safeDetails}`);
   }
 
   /**

src/services/appeals-service/Controllers/AppealsController.cs

@@ -28,7 +28,7 @@ public AppealsController(
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
     public async Task<ActionResult<Appeal>> SubmitAppeal([FromBody] Appeal appeal)
     {
-        _logger.LogInformation("Submitting appeal for claim {ClaimId}", appeal.ClaimId);
+        _logger.LogInformation("Submitting appeal for claim {ClaimId}", SanitizeForLog(appeal.ClaimId));
 
         // Validation
         if (string.IsNullOrEmpty(appeal.ClaimId))
@@ -118,7 +118,7 @@ public async Task<ActionResult<IEnumerable<Appeal>>> SearchAppeals(
         [FromQuery] int pageSize = 50)
     {
         _logger.LogInformation("Searching appeals: member {Member}, provider {Provider}, status {Status}",
-            memberId, providerNPI, status);
+            SanitizeForLog(memberId), SanitizeForLog(providerNPI), status);
 
         var appeals = await _appealRepository.SearchAsync(
             memberId, providerNPI, submittedFrom, submittedTo, status, lineOfBusiness, page, pageSize);
@@ -153,7 +153,7 @@ public async Task<ActionResult<Appeal>> AddAttachment(string id, [FromBody] Appe
         var updated = await _appealRepository.UpdateAsync(appeal);
 
         _logger.LogInformation("Added attachment {AttachmentId} to appeal {AppealId}", 
-            attachment.AttachmentId, id);
+            SanitizeForLog(attachment.AttachmentId), SanitizeForLog(id));
 
         return Ok(updated);
     }
@@ -248,7 +248,7 @@ public async Task<ActionResult<Appeal>> SubmitDecision(string id, [FromBody] App
 
         var updated = await _appealRepository.UpdateAsync(appeal);
 
-        _logger.LogInformation("Appeal {AppealId} decision: {Decision}", id, decision.DecisionType);
+        _logger.LogInformation("Appeal {AppealId} decision: {Decision}", SanitizeForLog(id), decision.DecisionType);
 
         return Ok(updated);
     }
@@ -291,6 +291,13 @@ public async Task<ActionResult<AppealsSummary>> GetAppealsSummary(
 
         return Ok(summary);
     }
+
+    private static string SanitizeForLog(string? value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return string.Empty;
+        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
+    }
 }
 
 public class UpdateAttachmentStatusRequest
@@ -309,3 +316,4 @@ public class UpdateStatusRequest
 {
     public AppealStatus Status { get; set; }
 }
+

src/services/appeals-service/Middleware/TenantMiddleware.cs

@@ -44,13 +44,13 @@ public async Task InvokeAsync(HttpContext context)
         if (string.IsNullOrEmpty(tenantId))
         {
             tenantId = "default-tenant";
-            _logger.LogWarning("No TenantId found in JWT or headers, using default: {TenantId}", tenantId);
+            _logger.LogWarning("No TenantId found in JWT or headers, using default: {TenantId}", SanitizeForLog(tenantId));
         }
 
         // Store in HttpContext for repository access
         context.Items["TenantId"] = tenantId;
 
-        _logger.LogDebug("Request TenantId: {TenantId}", tenantId);
+        _logger.LogDebug("Request TenantId: {TenantId}", SanitizeForLog(tenantId));
 
         await _next(context);
     }
@@ -60,6 +60,13 @@ private static bool IsHealthCheckPath(PathString path)
         return path.StartsWithSegments("/health") 
             || path.StartsWithSegments("/swagger");
     }
+
+    private static string SanitizeForLog(string? value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return string.Empty;
+        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
+    }
 }
 
 public static class TenantMiddlewareExtensions

src/services/appeals-service/Repositories/AppealRepository.cs

@@ -249,7 +249,7 @@ public async Task<Appeal> CreateAsync(Appeal appeal)
             new PartitionKey(appeal.TenantId));
 
         _logger.LogInformation("Created appeal {AppealId} for claim {ClaimId}",
-            appeal.Id, appeal.ClaimId);
+            SanitizeForLog(appeal.Id), SanitizeForLog(appeal.ClaimId));
 
         return response.Resource;
     }
@@ -261,7 +261,7 @@ public async Task<Appeal> UpdateAsync(Appeal appeal)
             appeal.Id,
             new PartitionKey(appeal.TenantId));
 
-        _logger.LogInformation("Updated appeal {AppealId}", appeal.Id);
+        _logger.LogInformation("Updated appeal {AppealId}", SanitizeForLog(appeal.Id));
 
         return response.Resource;
     }
@@ -274,6 +274,13 @@ await _container.DeleteItemAsync<Appeal>(
             id,
             new PartitionKey(tenantId));
 
-        _logger.LogInformation("Deleted appeal {AppealId}", id);
+        _logger.LogInformation("Deleted appeal {AppealId}", SanitizeForLog(id));
+    }
+
+    private static string SanitizeForLog(string? value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return string.Empty;
+        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
     }
 }

src/services/attachment-service/Controllers/AttachmentsController.cs

@@ -123,7 +123,7 @@ public async Task<ActionResult<Attachment>> CreateAttachment(
                 created.Id,
                 !string.IsNullOrWhiteSpace(created.ClaimId) ? "Claim" :
                 !string.IsNullOrWhiteSpace(created.AuthorizationId) ? "Authorization" : "Appeal",
-                created.ClaimId ?? created.AuthorizationId ?? created.AppealId);
+                SanitizeForLog(created.ClaimId ?? created.AuthorizationId ?? created.AppealId));
 
             return CreatedAtAction(nameof(GetAttachment), new { id = created.Id, tenantId = created.TenantId }, created);
         }
@@ -310,7 +310,7 @@ public async Task<ActionResult<AcknowledgmentResponse>> GenerateAcknowledgment(
             _logger.LogInformation(
                 "Generated {AckType} acknowledgment for attachment {AttachmentId}",
                 ackType,
-                id);
+                SanitizeForLog(id));
 
             return Ok(new AcknowledgmentResponse
             {
@@ -325,7 +325,7 @@ public async Task<ActionResult<AcknowledgmentResponse>> GenerateAcknowledgment(
         }
         catch (Exception ex)
         {
-            _logger.LogError(ex, "Error generating acknowledgment for attachment {AttachmentId}", id);
+            _logger.LogError(ex, "Error generating acknowledgment for attachment {AttachmentId}", SanitizeForLog(id));
             return StatusCode(500, new { error = "Failed to generate acknowledgment", details = ex.Message });
         }
     }
@@ -344,6 +344,13 @@ private TradingPartner CreateDefaultTradingPartner(Attachment attachment)
             ApplicationReceiverId = attachment.ProviderId
         };
     }
+
+    private static string SanitizeForLog(string? value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return string.Empty;
+        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
+    }
 }
 
 /// <summary>