security: fix all 20 CodeQL code scanning alerts

.github/workflows/codeql.yml

@@ -18,7 +18,10 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
+
+    strategy:
+      fail-fast: false
 
     steps:
       - name: Checkout repository
@@ -29,12 +32,10 @@ jobs:
         with:
           languages: javascript-typescript
           build-mode: none
+          queries: +security-extended
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
-        # Analysis runs and detects vulnerabilities regardless of upload.
-        # Upload may fail on private repos without GitHub Advanced Security
-        # enabled — this does not indicate a code quality problem.
-        continue-on-error: true
         with:
           category: "/language:javascript-typescript"
+          upload: always

.github/workflows/security.yml

@@ -160,3 +160,28 @@ jobs:
               description: `Dependency audit ${state}`,
               target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
             });
+
+  report-snyk-status:
+    name: Report snyk status
+    runs-on: ubuntu-latest
+    needs: snyk
+    if: always()
+    steps:
+      - name: Set snyk commit status
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const result = '${{ needs.snyk.result }}';
+            const state = (result === 'success' || result === 'skipped') ? 'success' : 'failure';
+            const sha = context.payload.pull_request
+              ? context.payload.pull_request.head.sha
+              : context.sha;
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha,
+              state,
+              context: 'snyk',
+              description: `Snyk vulnerability scan ${state}`,
+              target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+            });

electron/database/init.cjs

@@ -590,7 +590,7 @@ async function initDatabase() {
   if (process.env.NODE_ENV === 'development') {
     console.log('Encrypted database initialized successfully');
     console.log(`Encryption enabled: ${encryptionEnabled}`);
-    console.log(`Default organization: ${defaultOrg.id}`);
+    console.log('Default organization: [configured]');
   }
 
   return db;

electron/services/mfa.cjs

@@ -147,13 +147,16 @@ function decryptSecret(stored) {
 // ---------------- Backup codes ----------------
 
 function generateBackupCodes(count = BACKUP_CODE_COUNT) {
-  const charset = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // exclude ambiguous chars
+  const charset = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+  const limit = 256 - (256 % charset.length);
   const codes = [];
   for (let i = 0; i < count; i++) {
-    const buf = crypto.randomBytes(BACKUP_CODE_LENGTH);
     let s = '';
-    for (let j = 0; j < BACKUP_CODE_LENGTH; j++) {
-      s += charset[buf[j] % charset.length];
+    while (s.length < BACKUP_CODE_LENGTH) {
+      const buf = crypto.randomBytes(1);
+      if (buf[0] < limit) {
+        s += charset[buf[0] % charset.length];
+      }
     }
     codes.push(s.slice(0, 5) + '-' + s.slice(5));
   }

electron/services/siemForwarder.cjs

@@ -135,7 +135,8 @@ function toRfc5424(record) {
   const app = 'transtrack';
   const procid = process.pid;
   const msgid = String(record.action || 'audit').slice(0, 32);
-  const sd = `[transtrack@53914 org="${(record.org_id || '').replace(/"/g, '\\"')}" user="${(record.user_email || '').replace(/"/g, '\\"')}" entity="${(record.entity_type || '')}" id="${(record.entity_id || '')}"]`;
+  const esc = (s) => String(s || '').replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\]/g, '\\]');
+  const sd = `[transtrack@53914 org="${esc(record.org_id)}" user="${esc(record.user_email)}" entity="${esc(record.entity_type)}" id="${esc(record.entity_id)}"]`;
   const msg = String(record.details || '').replace(/[\r\n]+/g, ' ');
   return `<${pri}>1 ${ts} ${HOSTNAME} ${app} ${procid} ${msgid} ${sd} ${msg}`;
 }
@@ -198,7 +199,7 @@ function ensureSocket(dest, st) {
     sock.on('close', () => { st.socket = null; });
     st.socket = sock;
   } else if (dest.protocol === 'tls') {
-    const sock = tls.connect({ host: dest.host, port: dest.port, rejectUnauthorized: false });
+    const sock = tls.connect({ host: dest.host, port: dest.port, rejectUnauthorized: true });
     sock.on('error', (err) => { recordFailure(dest.id, err.message); try { sock.destroy(); } catch {} st.socket = null; });
     sock.on('close', () => { st.socket = null; });
     st.socket = sock;

functions/fhirWebhook.ts

@@ -3,6 +3,18 @@ import { createLogger, generateRequestId, safeErrorResponse } from './lib/logger
 
 const logger = createLogger('fhirWebhook');
 
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
+  }
+  return result === 0;
+}
+
 Deno.serve(async (req) => {
   const requestId = generateRequestId();
 
@@ -17,8 +29,8 @@ Deno.serve(async (req) => {
       }, { status: 503 });
     }
 
-    // Simple bearer token auth
-    if (!authHeader || authHeader !== `Bearer ${webhookSecret}`) {
+    const expectedToken = `Bearer ${webhookSecret}`;
+    if (!authHeader || !timingSafeEqual(authHeader, expectedToken)) {
       return Response.json({ error: 'Unauthorized' }, { status: 401 });
     }
 

functions/pushToEHR.ts

@@ -64,10 +64,26 @@ Deno.serve(async (req) => {
     authHeaders['Content-Type'] = 'application/fhir+json';
     authHeaders['Accept'] = 'application/fhir+json';
 
-    // Push to EHR system
+    // Validate endpoint URL to prevent SSRF
+    let endpointUrl: URL;
+    try {
+      endpointUrl = new URL(integration.endpoint_url);
+    } catch {
+      return Response.json({ error: 'Invalid integration endpoint URL' }, { status: 400 });
+    }
+    if (endpointUrl.protocol !== 'https:' && endpointUrl.protocol !== 'http:') {
+      return Response.json({ error: 'Unsupported endpoint protocol' }, { status: 400 });
+    }
+    const hostname = endpointUrl.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1' ||
+        hostname.startsWith('10.') || hostname.startsWith('192.168.') ||
+        hostname.startsWith('169.254.') || hostname.endsWith('.internal')) {
+      return Response.json({ error: 'Endpoint resolves to restricted address' }, { status: 400 });
+    }
+
     let ehrResponse;
     try {
-      const pushResponse = await fetch(integration.endpoint_url, {
+      const pushResponse = await fetch(endpointUrl.toString(), {
         method: 'POST',
         headers: authHeaders,
         body: JSON.stringify(fhirBundle)
@@ -76,7 +92,6 @@ Deno.serve(async (req) => {
       ehrResponse = {
         status: pushResponse.status,
         statusText: pushResponse.statusText,
-        body: await pushResponse.text()
       };
 
       if (!pushResponse.ok) {
@@ -128,7 +143,6 @@ Deno.serve(async (req) => {
       synced_fields: syncedFields,
       errors,
       sync_log_id: syncLog.id,
-      ehr_response: ehrResponse
     });
   } catch (error) {
     logger.error('EHR push failed', error, { request_id: requestId });

functions/validateFHIRData.ts

@@ -106,9 +106,14 @@ Deno.serve(async (req) => {
         case 'regex_pattern':
           if (fieldValue) {
             const pattern = rule.validation_config?.pattern;
-            if (pattern) {
-              const regex = new RegExp(pattern);
-              isValid = regex.test(fieldValue);
+            if (pattern && typeof pattern === 'string' && pattern.length <= 200) {
+              try {
+                const regex = new RegExp(pattern);
+                const testValue = String(fieldValue).slice(0, 1000);
+                isValid = regex.test(testValue);
+              } catch {
+                isValid = false;
+              }
               if (!isValid) {
                 errorMsg = rule.error_message || `Field '${rule.target_field}' does not match required pattern`;
               }

scripts/epic-sandbox-test.mjs

@@ -131,7 +131,7 @@ async function fhirGet(token, path) {
   const patient = await fhirGet(tok.access_token, `Patient/${PATIENT_ID}`);
   const name = patient.name?.[0];
   console.log(
-    `  ${name?.family}, ${name?.given?.join(' ')}  | DOB ${patient.birthDate}  | gender ${patient.gender}`,
+    `  ${name?.family ? name.family[0] + '***' : '?'}, ${name?.given?.[0]?.[0] || '?'}***  | DOB ****-**-${patient.birthDate?.slice(-2) || '**'}  | gender ${patient.gender}`,
   );
   console.log('');
 
@@ -141,14 +141,6 @@ async function fhirGet(token, path) {
     `Observation?patient=${PATIENT_ID}&category=laboratory&_count=10`,
   );
   console.log(`  ${labs.entry?.length || 0} lab observations`);
-  for (const e of labs.entry?.slice(0, 5) || []) {
-    const o = e.resource;
-    const v =
-      o.valueQuantity?.value !== undefined
-        ? `${o.valueQuantity.value} ${o.valueQuantity.unit || ''}`
-        : o.valueCodeableConcept?.text || '(no value)';
-    console.log(`    - ${o.code?.text || o.code?.coding?.[0]?.display}: ${v}`);
-  }
   console.log('');
 
   console.log('Step 4 - GET Condition?patient=...&category=problem-list-item');
@@ -157,12 +149,6 @@ async function fhirGet(token, path) {
     `Condition?patient=${PATIENT_ID}&category=problem-list-item&_count=10`,
   );
   console.log(`  ${probs.entry?.length || 0} active problems`);
-  for (const e of probs.entry?.slice(0, 5) || []) {
-    const c = e.resource;
-    console.log(
-      `    - ${c.code?.text || c.code?.coding?.[0]?.display} [${c.clinicalStatus?.coding?.[0]?.code}]`,
-    );
-  }
   console.log('');
 
   console.log('Step 5 - GET MedicationRequest?patient=...');
@@ -171,15 +157,6 @@ async function fhirGet(token, path) {
     `MedicationRequest?patient=${PATIENT_ID}&_count=10`,
   );
   console.log(`  ${meds.entry?.length || 0} medication requests`);
-  for (const e of meds.entry?.slice(0, 5) || []) {
-    const m = e.resource;
-    const drug =
-      m.medicationCodeableConcept?.text ||
-      m.medicationCodeableConcept?.coding?.[0]?.display ||
-      m.medicationReference?.display ||
-      '(unknown)';
-    console.log(`    - ${drug}  [status=${m.status}]`);
-  }
   console.log('');
 
   console.log('Step 6 - GET AllergyIntolerance?patient=...');
@@ -188,16 +165,10 @@ async function fhirGet(token, path) {
     `AllergyIntolerance?patient=${PATIENT_ID}&_count=10`,
   );
   console.log(`  ${alg.entry?.length || 0} allergies`);
-  for (const e of alg.entry?.slice(0, 5) || []) {
-    const a = e.resource;
-    console.log(
-      `    - ${a.code?.text || a.code?.coding?.[0]?.display} [${a.clinicalStatus?.coding?.[0]?.code || 'unknown'}]`,
-    );
-  }
   console.log('');
 
   console.log('SUCCESS - Epic sandbox round-trip complete.');
-})().catch((e) => {
-  console.error('FAILED:', e.message);
-  process.exit(1);
+})().catch(() => {
+  console.error('FAILED: request failed. Check configuration and endpoint availability.');
+  process.exitCode = 1;
 });

scripts/smoke-test.mjs

@@ -376,8 +376,8 @@ function sendMllp(message) {
 
     await pool.end();
     console.log('\n\x1b[42m\x1b[30m SMOKE TEST PASSED \x1b[0m\n');
-})().catch(e => {
+})().catch(() => {
     console.error('\n\x1b[41m\x1b[37m SMOKE TEST FAILED \x1b[0m');
-    console.error(e);
+    console.error('Smoke test failed. Check service logs or run with a debugger for details.');
     process.exit(1);
 });

server/src/config.js

@@ -68,6 +68,7 @@ const schema = z.object({
   SIEM_ENDPOINT: z.string().optional().default(''),
   SIEM_TOKEN: z.string().optional().default(''),
 
+  CORS_ALLOWED_ORIGINS: z.string().optional().default(''),
   SUBSCRIPTION_DISPATCH_MS: z.coerce.number().int().positive().default(5000),
   SMART_DEFAULT_ACCESS_TTL_SECONDS: z.coerce.number().int().positive().default(3600),
 

server/src/db/pool.js

@@ -6,7 +6,7 @@ let pool = null;
 
 function init(config, logger) {
   if (pool) return pool;
-  const ssl = config.PGSSL === 'disable' ? false : { rejectUnauthorized: config.PGSSL === 'verify-full' };
+  const ssl = config.PGSSL === 'disable' ? false : { rejectUnauthorized: config.PGSSL !== 'disable' };
   pool = new Pool({
     connectionString: config.DATABASE_URL,
     max: config.PG_POOL_MAX,

server/src/fhir/subscriptions.js

@@ -17,8 +17,49 @@
 
 const https = require('https');
 const http = require('http');
+const dns = require('dns');
 const { withTransaction, getPool } = require('../db/pool');
 
+const FORBIDDEN_HEADER_NAMES = new Set([
+  'host', 'content-length', 'transfer-encoding', 'connection',
+  'keep-alive', 'upgrade', 'proxy-authorization', 'te',
+]);
+
+function sanitizeHeaders(raw) {
+  if (!raw || typeof raw !== 'object') return {};
+  const clean = {};
+  for (const [k, v] of Object.entries(raw)) {
+    const lower = k.toLowerCase();
+    if (FORBIDDEN_HEADER_NAMES.has(lower)) continue;
+    const sv = String(v).replace(/[\r\n]/g, '');
+    clean[k] = sv;
+  }
+  return clean;
+}
+
+const PRIVATE_RANGES = [
+  /^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./,
+  /^0\./, /^169\.254\./, /^::1$/, /^fc00:/i, /^fe80:/i, /^fd/i,
+];
+
+function isPrivateIp(ip) {
+  return PRIVATE_RANGES.some(r => r.test(ip));
+}
+
+async function resolveAndValidateUrl(endpoint) {
+  const url = new URL(endpoint);
+  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+    throw new Error('unsupported protocol');
+  }
+  const addresses = await dns.promises.resolve4(url.hostname).catch(() => []);
+  const addresses6 = await dns.promises.resolve6(url.hostname).catch(() => []);
+  const all = [...addresses, ...addresses6];
+  if (all.some(isPrivateIp)) {
+    throw new Error('subscription endpoint resolves to private IP');
+  }
+  return url;
+}
+
 let dispatcherStarted = false;
 
 /**
@@ -147,16 +188,18 @@ async function deliverOne(row) {
   const headers = {
     'Content-Type': row.payload_mime || 'application/fhir+json',
     'Content-Length': Buffer.byteLength(payload),
-    ...(row.header || {}),
+    ...sanitizeHeaders(row.header),
   };
 
+  let url;
+  try {
+    url = await resolveAndValidateUrl(row.endpoint);
+  } catch (e) {
+    await markFailed(row.id, e.message || 'invalid endpoint url');
+    return;
+  }
+
   await new Promise((resolve) => {
-    let url;
-    try { url = new URL(row.endpoint); }
-    catch (e) {
-      markFailed(row.id, 'invalid endpoint url').finally(resolve);
-      return;
-    }
     const lib = url.protocol === 'https:' ? https : http;
     const req = lib.request({
       method: 'POST',

server/src/hl7/server.js

@@ -64,7 +64,7 @@ function start({ config, logger }) {
           parsed = parseMessage(raw);
         } catch (e) {
           logger.warn({ err: e.message }, 'mllp parse failed');
-          const nack = buildAck({ message_control_id: 'UNKNOWN' }, 'AR', e.message);
+          const nack = buildAck({ message_control_id: 'UNKNOWN' }, 'AR', 'Message parse failure');
           socket.write(frame(nack));
           continue;
         }
@@ -97,8 +97,8 @@ function start({ config, logger }) {
           logger.info({ msgId: parsed.message_control_id, processed: result.processed,
             patientId: result.patientId, labCount: result.labCount }, 'mllp ingested');
         } catch (e) {
-          logger.error({ err: e.stack }, 'mllp ingest threw');
-          const nack = buildAck(parsed, 'AE', e.message);
+          logger.error({ err: e }, 'mllp ingest threw');
+          const nack = buildAck(parsed, 'AE', 'Internal processing error');
           socket.write(frame(nack));
         }
       }