Updated and removed some dependencies for security purpose

src/main/java/com/indivica/olis/Driver.java

@@ -39,9 +39,6 @@
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.SchemaFactory;
 
-import org.apache.axis2.transport.http.HTTPConstants;
-import org.apache.commons.httpclient.protocol.Protocol;
-import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
 import org.bouncycastle.cms.CMSProcessableByteArray;
@@ -114,9 +111,6 @@ public static String submitOLISQuery(LoggedInInfo loggedInInfo, HttpServletReque
             String olisRequestURL = OscarProperties.getInstance().getProperty("olis_request_url", "https://olis.ssha.ca/ssha.olis.webservices.ER7/OLIS.asmx");
             OLISStub olis = new OLISStub(olisRequestURL);
 
-            if (OscarProperties.getInstance().getProperty("olis_simulate", "no").equals("no")) {
-                olis._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, new Protocol("https", (ProtocolSocketFactory) new OLISProtocolSocketFactory(), 443));
-            }
             olisRequest.getHIALRequest().setClientTransactionID(message.getTransactionId());
             olisRequest.getHIALRequest().setSignedRequest(new HIALRequestSignedRequest());
 

src/main/java/org/oscarehr/casemgmt/service/CaseManagementManagerImpl.java

@@ -1468,7 +1468,12 @@ public List<EChartNoteEntry> filterNotes1(String providerNo, Collection<EChartNo
 
             if (cmNote.getType().equals("local_note")) {
                 noteRole = cmNote.getRole();
-                noteRoleName = RoleCache.getRole(Long.valueOf(noteRole)).getName().toLowerCase();
+                com.quatro.model.security.Secrole secRole = RoleCache.getRole(Long.valueOf(noteRole));
+                if (secRole != null) {
+                    noteRoleName = secRole.getName().toLowerCase();
+                } else {
+                    noteRoleName = "unknown_role";
+                }
             }
             if (cmNote.getType().equals("remote_note")) {
                 noteRoleName = cmNote.getRole();

src/main/java/org/oscarehr/common/web/Demographic2Action.java

@@ -25,8 +25,8 @@
 package org.oscarehr.common.web;
 
 import com.opensymphony.xwork2.ActionSupport;
-import net.sf.json.JSONArray;
-import net.sf.json.JSONObject;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.io.IOUtils;
 import org.apache.struts2.ServletActionContext;
 import org.oscarehr.common.dao.DemographicArchiveDao;
@@ -39,12 +39,15 @@
 import org.oscarehr.util.LoggedInInfo;
 import org.oscarehr.util.MiscUtils;
 import org.oscarehr.util.SpringUtils;
-import oscar.form.JSONUtil;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Iterator;
 import java.util.List;
 
@@ -245,8 +248,9 @@ public String getAddressAndPhoneHistoryAsJson()
 
             }
 
-            response.getWriter().print(JSONArray.fromObject(items));
-
+            ObjectMapper mapper = new ObjectMapper();
+            String json = mapper.writeValueAsString(items);
+            response.getWriter().print(json);
         }
 
 
@@ -263,13 +267,16 @@ public String checkForDuplicates() {
         List<Demographic> duplicateList = demographicDao.getDemographicWithLastFirstDOBExact(lastName, firstName,
                 yearOfBirth, monthOfBirth, dayOfBirth);
 
-        JSONObject result = new JSONObject();
-        result.put("hasDuplicates", false);
-        if (duplicateList.size() > 0) {
-            result.put("hasDuplicates", true);
-        }
+        Map<String, Object> result = new HashMap<>();
+        result.put("hasDuplicates", !duplicateList.isEmpty());
 
-        JSONUtil.jsonResponse(response, JSONObject.fromObject(result));
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        try {
+            new ObjectMapper().writeValue(response.getWriter(), result);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
 
         return null;
     }

src/main/java/org/oscarehr/common/web/FlowSheetCustom2Action.java

@@ -26,9 +26,9 @@
 package org.oscarehr.common.web;
 
 import org.apache.logging.log4j.Logger;
-import org.jdom.Element;
-import org.jdom.output.Format;
-import org.jdom.output.XMLOutputter;
+import org.jdom2.Element;
+import org.jdom2.output.Format;
+import org.jdom2.output.XMLOutputter;
 import org.oscarehr.common.dao.FlowSheetCustomizationDao;
 import org.oscarehr.common.dao.FlowSheetUserCreatedDao;
 import org.oscarehr.common.model.FlowSheetCustomization;

src/main/java/org/oscarehr/decisionSupport/model/DSGuidelineFactory.java

@@ -39,11 +39,11 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.Logger;
-import org.jdom.Attribute;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.JDOMException;
-import org.jdom.input.SAXBuilder;
+import org.jdom2.Attribute;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.JDOMException;
+import org.jdom2.input.SAXBuilder;
 import org.oscarehr.decisionSupport.model.conditionValue.DSValue;
 import org.oscarehr.decisionSupport.model.impl.drools.DSGuidelineDrools;
 import org.oscarehr.util.MiscUtils;

src/main/java/org/oscarehr/decisionSupport/model/impl/drools/DSGuidelineDrools.java

@@ -45,8 +45,8 @@
 import org.drools.FactException;
 import org.drools.RuleBase;
 import org.drools.WorkingMemory;
-import org.jdom.Element;
-import org.jdom.Namespace;
+import org.jdom2.Element;
+import org.jdom2.Namespace;
 import org.oscarehr.decisionSupport.model.DSCondition;
 import org.oscarehr.decisionSupport.model.DSConsequence;
 import org.oscarehr.decisionSupport.model.DSDemographicAccess;

src/main/java/org/oscarehr/decisionSupport/prevention/DSPreventionDrools.java

@@ -31,10 +31,10 @@
 
 import org.apache.logging.log4j.Logger;
 import org.drools.RuleBase;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.Namespace;
-import org.jdom.input.SAXBuilder;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.Namespace;
+import org.jdom2.input.SAXBuilder;
 import org.oscarehr.util.MiscUtils;
 
 import oscar.OscarProperties;

src/main/java/org/oscarehr/fax/admin/ManageFaxes2Action.java

@@ -43,7 +43,7 @@
 
 import net.sf.json.JSONObject;
 
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.lang.time.DateUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;

src/main/java/org/oscarehr/fax/core/FaxImporter.java

@@ -31,7 +31,7 @@
 import java.util.Date;
 import java.util.List;
 
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.commons.lang.time.DateFormatUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;

src/main/java/org/oscarehr/fax/core/FaxStatusUpdater.java

@@ -29,7 +29,7 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 
-import org.apache.commons.httpclient.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
 import org.apache.http.auth.AuthScope;

src/main/java/org/oscarehr/integration/hl7/handlers/PhsStarHandler.java

@@ -36,9 +36,9 @@
 import java.util.Map;
 
 import org.apache.logging.log4j.Logger;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.input.SAXBuilder;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.input.SAXBuilder;
 import org.oscarehr.PMmodule.dao.ProgramDao;
 import org.oscarehr.PMmodule.dao.ProviderDao;
 import org.oscarehr.PMmodule.model.Program;

src/main/java/org/oscarehr/olis/OLISProtocolSocketFactory.java

@@ -28,59 +28,55 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.net.SocketAddress;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 
-import javax.net.SocketFactory;
-
-
-import org.apache.commons.httpclient.params.HttpConnectionParams;
-import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 
 import oscar.OscarProperties;
 
+import javax.net.SocketFactory;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 
-public class OLISProtocolSocketFactory implements SecureProtocolSocketFactory {
+public class OLISProtocolSocketFactory extends SSLConnectionSocketFactory {
     SSLContext context = null;
 
     public OLISProtocolSocketFactory() throws Exception {
+        super(createSSLContext(), new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
+    }
 
+    private static SSLContext createSSLContext() throws Exception {
         String pKeyFile = OscarProperties.getInstance().getProperty("olis_ssl_keystore").trim();
         String pKeyPassword = OscarProperties.getInstance().getProperty("olis_ssl_keystore_password").trim();
 
-
         KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
         KeyStore keyStore = KeyStore.getInstance("JKS");
-        InputStream keyInput = new FileInputStream(pKeyFile);
-        keyStore.load(keyInput, pKeyPassword.toCharArray());
-        keyInput.close();
+        try (InputStream keyInput = new FileInputStream(pKeyFile)) {
+            keyStore.load(keyInput, pKeyPassword.toCharArray());
+        }
         keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());
 
-        context = SSLContext.getInstance("TLS");
+        SSLContext context = SSLContext.getInstance("TLS");
         context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
+        return context;
     }
+
+    public Socket createSocket(final String host, final int port, final InetAddress localAddress, final int localPort, final int timeout) throws IOException {
+        SocketFactory socketFactory = context.getSocketFactory();
 
-    public Socket createSocket(final String host, final int port, final InetAddress localAddress, final int localPort, final HttpConnectionParams params) throws IOException {
-        if (params == null) {
-            throw new IllegalArgumentException("Parameters may not be null");
-        }
-        int timeout = params.getConnectionTimeout();
-        SocketFactory socketfactory = context.getSocketFactory();
-        if (timeout == 0) {
-            return socketfactory.createSocket(host, port, localAddress, localPort);
+        if (timeout <= 0) {
+            return socketFactory.createSocket(host, port, localAddress, localPort);
         } else {
-            Socket socket = socketfactory.createSocket();
-            SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
-            SocketAddress remoteaddr = new InetSocketAddress(host, port);
-            socket.bind(localaddr);
-            socket.connect(remoteaddr, timeout);
+            Socket socket = socketFactory.createSocket();
+            SocketAddress localAddr = new InetSocketAddress(localAddress, localPort);
+            SocketAddress remoteAddr = new InetSocketAddress(host, port);
+            socket.bind(localAddr);
+            socket.connect(remoteAddr, timeout);
             return socket;
         }
     }

src/main/java/org/oscarehr/util/OntarioMD.java

@@ -32,14 +32,16 @@
 
 import org.apache.commons.collections.OrderedMap;
 import org.apache.commons.collections.map.LinkedMap;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.methods.PostMethod;
-import org.apache.commons.httpclient.methods.RequestEntity;
-import org.apache.commons.httpclient.methods.StringRequestEntity;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.filter.ElementFilter;
-import org.jdom.input.SAXBuilder;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.util.EntityUtils;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.jdom2.Document;
+import org.jdom2.Element;
+import org.jdom2.filter.ElementFilter;
+import org.jdom2.input.SAXBuilder;
 
 import oscar.OscarProperties;
 
@@ -67,21 +69,23 @@ public boolean showOntarioMDLink() {
     public Hashtable loginToOntarioMD(String username, String password, String incomingRequestor) throws Exception {
         //public ArrayList soapHttpCall(int siteCode, String userId, String passwd,		String xml) throws Exception
         Hashtable h = null;
-        PostMethod post = new PostMethod("https://www.ontariomd.ca/services/OMDAutomatedAuthentication");
-        post.setRequestHeader("SOAPAction", "");
-        post.setRequestHeader("Content-Type", "text/xml; charset=utf-8");
+        HttpPost post = new HttpPost("https://www.ontariomd.ca/services/OMDAutomatedAuthentication");
+        post.setHeader("SOAPAction", "");
+        post.setHeader("Content-Type", "text/xml; charset=utf-8");
 
         String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><ns1:getSession xmlns:ns1=\"urn:OMDAutomatedAuthentication\"><username>" + username + "</username><password>" + password + "</password><incomingRequestor>" + incomingRequestor + "</incomingRequestor></ns1:getSession></soap:Body></soap:Envelope> ";
 
-        RequestEntity re = new StringRequestEntity(soapMsg, "text/xml", "utf-8");
+        StringEntity entity = new StringEntity(soapMsg, "UTF-8");
+        post.setEntity(entity);
 
-        post.setRequestEntity(re);
+        try (CloseableHttpClient httpclient = HttpClients.createDefault();
+            CloseableHttpResponse response = httpclient.execute(post)) {
+
+            InputStream responseStream = response.getEntity().getContent();
+            h = parseReturn(responseStream);
+
+            EntityUtils.consume(response.getEntity());
 
-        HttpClient httpclient = new HttpClient();
-        // Execute request
-        try {
-            httpclient.executeMethod(post);
-            h = parseReturn(post.getResponseBodyAsStream());
         } catch (Exception e) {
             MiscUtils.getLogger().error("Error", e);
         } finally {
@@ -94,12 +98,21 @@ public Hashtable loginToOntarioMD(String username, String password, String incom
     private Hashtable parseReturn(InputStream is) {
         Hashtable h = null;
         try {
+            // Create secure SAXBuilder with XXE protection
+            SAXBuilder parser = new SAXBuilder();
 
+            // Disable external entity processing to prevent XXE attacks
+            parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            parser.setExpandEntities(false);
 
-            SAXBuilder parser = new SAXBuilder();
             Document doc = parser.build(is);
             Element root = doc.getRootElement();
+
             h = new Hashtable();
+
             String jsessionID = g(root.getDescendants(new ElementFilter("jsessionID")));
             String ptLoginToken = g(root.getDescendants(new ElementFilter("ptLoginToken")));
             String returnCode = g(root.getDescendants(new ElementFilter("returnCode")));

src/main/java/org/oscarehr/util/VelocityUtils.java

@@ -30,7 +30,6 @@
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.exception.ResourceNotFoundException;
-import org.apache.velocity.runtime.log.Log4JLogChute;
 import org.apache.velocity.tools.generic.DateTool;
 import org.apache.velocity.tools.generic.EscapeTool;
 import org.apache.velocity.tools.generic.NumberTool;
@@ -49,8 +48,6 @@ private static VelocityEngine getInitialisedVelocityEngine() {
         try {
             VelocityEngine velocityEngine = new VelocityEngine();
             velocityEngine.setProperty("parser.pool.size", 10);
-            velocityEngine.setProperty("runtime.log.logsystem.class", Log4JLogChute.class.getName());
-            velocityEngine.setProperty("runtime.log.logsystem.log4j.logger", logger.getName());
             velocityEngine.init();
             return velocityEngine;
         } catch (Exception var1) {

src/main/java/org/oscarehr/web/admin/ProviderPreferencesUIBean.java

@@ -32,7 +32,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.jfree.util.Log;
-import org.opensaml.xml.signature.P;
+import org.opensaml.xmlsec.signature.Signature;
 import org.oscarehr.common.dao.EFormDao;
 import org.oscarehr.common.dao.EncounterFormDao;
 import org.oscarehr.common.dao.ProviderPreferenceDao;