comp.protocols.dicom: Re: Validation of Patient / Study fields input in web service

Thread:
* Re: Validation of Patient / Study fields input in web service  (Hemant Jain)
`* Re: Validation of Patient / Study fields input in web service  (Jörg Riesmeier)
 `* Re: Validation of Patient / Study fields input in web service  (Hemant Jain)
  `- Re: Validation of Patient / Study fields input in web service  (Mathieu Malaterre)
Re: Validation of Patient / Study fields input in web service

Message-ID: <24de49f3-56ac-436c-b5cc-2f29d9e25b05n@googlegroups.com>
From: mail2h.jain@gmail.com (Hemant Jain)
Date: Thu, 23 Mar 2023 14:05 UTC
In-Reply-To: <d32834df-528e-4338-ae6d-e88e483f4a9en@googlegroups.com>

Any pointers are much appreciated.

Re: Validation of Patient / Study fields input in web service

Message-ID: <5ee7a6c8-b051-4591-ba37-eb2ec480b82an@googlegroups.com>
From: dicom@jriesmeier.com (Jörg Riesmeier)
Date: Tue, 28 Mar 2023 19:32 UTC
In-Reply-To: <24de49f3-56ac-436c-b5cc-2f29d9e25b05n@googlegroups.com>

Hemant,

I am not sure which "obvious threats" you mean. Storing (almost) arbitrary textual data in DICOM data elements such as Study Description or Requested Procedure Description should not be an issue for the PACS. Of course, your web service should clearly distinguish between "user input" and "code" (that is to be executed). However, this requirement is not DICOM specific.

Regards,
Jörg

Re: Validation of Patient / Study fields input in web service

Message-ID: <cadb47d0-a700-4030-97a8-8a3a3be6d84en@googlegroups.com>
From: mail2h.jain@gmail.com (Hemant Jain)
Date: Thu, 6 Apr 2023 13:29 UTC
In-Reply-To: <5ee7a6c8-b051-4591-ba37-eb2ec480b82an@googlegroups.com>

On Wednesday, 29 March, 2023 at 1:02:40 am UTC+5:30, Jörg Riesmeier wrote:
> Hemant,
>
> I am not sure which "obvious threats" you mean. Storing (almost) arbitrary textual data in DICOM data elements such as Study Description or Requested Procedure Description should not be an issue for the PACS. Of course, your web service should clearly distinguish between "user input" and "code" (that is to be executed). However, this requirement is not DICOM specific.
>
> Regards,
> Jörg
Thanks, Jörg, for the reply. I agree it's not a direct DICOM-specific requirement, and of course the textual data resting in the DICOM data elements as such would not be an issue, but it might create issues for the applications (e.g. viewers) consuming these DICOM objects where they may try to render the DICOM meta information in the frontend. Another aspect of this could be PACS servers storing / retrieving DICOM meta information in a database.

I somehow do not see a possibility of blacklisting / whitelisting being effective due to the wide character set allowed.

My question is more to understand if you (the community) have also come across this situation and if you consider this a potential threat?
If yes, then what resolutions were applied to mitigate this?
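On the "blacklisting / whitelisting is not effective" point: what a web service can validate regardless of character set is the *structure* the DICOM Value Representation already prescribes (length, the backslash delimiter, control characters), while leaving character content alone. The following is an added example, not code from the thread or from any DICOM toolkit; the set of accepted attributes and the sample payloads are constructed for it, and applying the 64-character limit in code points rather than bytes is an assumption.

```javascript
// Added example, not code from the thread: structural validation of DICOM
// text attributes at the web-service boundary, following the Value
// Representation (VR) rules in PS3.5. It deliberately does not filter
// character *content*: names in any script are legitimate data, and markup
// inside a value is harmless until something renders it, which is the
// consumer's job. The accepted-attribute list and the sample payloads are
// constructed for the example.

// PS3.5: LO values and each PN component group are at most 64 characters;
// backslash (0x5C) is the multi-value delimiter and may not occur inside a
// value; control characters are not permitted except ESC (0x1B), which is
// used for ISO 2022 code extension announced by Specific Character Set.
const MAX_LEN = 64;
const FORBIDDEN_CTRL = /[\x00-\x1A\x1C-\x1F\x7F]/;

// Count code points rather than UTF-16 units so non-BMP characters are not
// miscounted. Whether the 64 limit is applied in characters or in bytes for
// multi-byte character sets is an implementation choice; characters are
// assumed here.
function charLength(s) {
  return Array.from(s).length;
}

// Checks shared by every single-valued text VR handled below.
function checkCommon(value) {
  if (typeof value !== 'string') return 'value is not a string';
  if (value.includes('\\')) return 'backslash is the DICOM multi-value delimiter';
  if (FORBIDDEN_CTRL.test(value)) return 'control character other than ESC';
  return null;
}

// LO (Long String), e.g. Study Description (0008,1030).
function validateLO(value) {
  const err = checkCommon(value);
  if (err) return err;
  if (charLength(value) > MAX_LEN) return `longer than ${MAX_LEN} characters`;
  return null;
}

// PN (Person Name), e.g. Patient's Name (0010,0010): up to three component
// groups (alphabetic, ideographic, phonetic) separated by "=", each holding
// up to five components separated by "^".
function validatePN(value) {
  const err = checkCommon(value);
  if (err) return err;
  const groups = value.split('=');
  if (groups.length > 3) return 'more than 3 component groups';
  for (const group of groups) {
    if (charLength(group) > MAX_LEN) return `component group longer than ${MAX_LEN} characters`;
    if (group.split('^').length > 5) return 'more than 5 name components in a group';
  }
  return null;
}

// Attributes this (hypothetical) service lets a caller set, with their VR.
const ACCEPTED_FIELDS = {
  PatientName: validatePN,
  StudyDescription: validateLO,
  RequestedProcedureDescription: validateLO,
};

// Validate a request body. Unknown attributes are rejected outright so a
// caller cannot smuggle in elements the service never meant to expose.
// hasOwnProperty is used so that keys such as "constructor" or "__proto__"
// do not resolve to functions inherited from Object.prototype.
function validateRequest(body) {
  const errors = {};
  for (const [field, value] of Object.entries(body)) {
    if (!Object.prototype.hasOwnProperty.call(ACCEPTED_FIELDS, field)) {
      errors[field] = 'attribute not accepted by this service';
      continue;
    }
    const err = ACCEPTED_FIELDS[field](value);
    if (err) errors[field] = err;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample payloads.
const SAMPLE_OK = {
  PatientName: 'Yamada^Tarou=山田^太郎=やまだ^たろう', // three groups, all valid
  StudyDescription: 'CT CHEST W/O CONTRAST',
};
const SAMPLE_MARKUP = {
  // Accepted: this is data. It becomes a problem only if a consumer renders
  // it as HTML, which is where the encoding has to happen.
  PatientName: 'DOE^JOHN<script>alert(1)</script>',
};
const SAMPLE_BAD = {
  PatientName: 'DOE\\JOHN',                  // backslash
  StudyDescription: 'x'.repeat(MAX_LEN + 1), // too long
  Modality: 'CT',                            // not an accepted field
};
```

The split this enforces is the one Jörg describes: the service decides what is a well-formed value, and every consumer treats that value as data. On the PACS side that Hemant raises, the same rule means the value reaches the database through a bound parameter, never through string concatenation into SQL.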

Re: Validation of Patient / Study fields input in web service

Message-ID: <0a4c563a-3938-4ec6-8d77-22dfb477af02n@googlegroups.com>
From: mathieu.malaterre@gmail.com (Mathieu Malaterre)
Date: Fri, 7 Apr 2023 05:58 UTC
In-Reply-To: <cadb47d0-a700-4030-97a8-8a3a3be6d84en@googlegroups.com>

On Thursday, April 6, 2023 at 3:29:15 PM UTC+2, Hemant Jain wrote:
> On Wednesday, 29 March, 2023 at 1:02:40 am UTC+5:30, Jörg Riesmeier wrote:
> > Hemant,
> >
> > I am not sure which "obvious threats" you mean. Storing (almost) arbitrary textual data in DICOM data elements such as Study Description or Requested Procedure Description should not be an issue for the PACS. Of course, your web service should clearly distinguish between "user input" and "code" (that is to be executed). However, this requirement is not DICOM specific.
> >
> > Regards,
> > Jörg
> Thanks, Jörg, for the reply. I agree it's not a direct DICOM-specific requirement, and of course the textual data resting in the DICOM data elements as such would not be an issue, but it might create issues for the applications (e.g. viewers) consuming these DICOM objects where they may try to render the DICOM meta information in the frontend. Another aspect of this could be PACS servers storing / retrieving DICOM meta information in a database.
>
> I somehow do not see a possibility of blacklisting / whitelisting being effective due to the wide character set allowed.
>
> My question is more to understand if you (the community) have also come across this situation and if you consider this a potential threat?
> If yes, then what resolutions were applied to mitigate this?

IMHO this is a client-side-only threat. I can store "rm -rf --no-preserve-root /" in e.g. the PatientName and this will never be an issue on any Windows system. So just be sure to sanitize those strings on the client side. If your client side is Web/JavaScript, there are frameworks to sanitize strings which may contain `<script/>` or `On*` events.

2cts
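The viewer-side half of the problem, as an added example that is not code from the thread or from any DICOM viewer: the same attribute value is written into HTML text, into a quoted HTML attribute, and into DOM nodes, first by concatenation and then with context-appropriate encoding. The study record is constructed for the example.

```javascript
// Added example, not code from the thread: the viewer side. By the time a
// browser-based viewer shows Patient's Name or Study Description, those
// values are attacker-controlled text from the DICOM object, so what matters
// is the context they are written into. The study record is constructed.

const STUDY = {
  PatientName: 'DOE^JOHN<img src=x onerror="alert(document.cookie)">',
  // Breaks out of a quoted attribute and adds an event handler.
  StudyDescription: 'CT CHEST" onmouseover="alert(1)',
};

// Vulnerable: the value is concatenated straight into markup, the pattern a
// viewer ends up with when it assigns the result to innerHTML.
function renderRowUnsafe(s) {
  return `<tr><td>${s.PatientName}</td>` +
         `<td title="${s.StudyDescription}">${s.StudyDescription}</td></tr>`;
}

// Encode the characters with meaning in HTML text and in *quoted* attribute
// values. Both quote characters are included because of the attribute case;
// this is not sufficient for unquoted attributes, URLs or script contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Same template, with every interpolated value encoded for its context.
function renderRowSafe(s) {
  const name = escapeHtml(s.PatientName);
  const desc = escapeHtml(s.StudyDescription);
  return `<tr><td>${name}</td><td title="${desc}">${desc}</td></tr>`;
}

// When a DOM is available, building nodes avoids the problem entirely:
// textContent and setAttribute never parse their argument as markup.
// `doc` is passed in so the function can be exercised outside a browser.
function buildRow(doc, s) {
  const tr = doc.createElement('tr');
  const nameCell = doc.createElement('td');
  nameCell.textContent = s.PatientName;
  const descCell = doc.createElement('td');
  descCell.textContent = s.StudyDescription;
  descCell.setAttribute('title', s.StudyDescription);
  tr.append(nameCell, descCell);
  return tr;
}

// Structural check on rendered markup: the template itself contributes
// exactly two double quotes (the title delimiters); any more means a value
// broke out of the attribute.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}
```

Note that the DICOM object is never modified in either path; only the rendering changes. Escaping is the right tool when the value is displayed as plain text. If a viewer genuinely needs to allow some markup from a value, that is the case for a maintained HTML sanitizer library, as Mathieu suggests, rather than a hand-written filter.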
