Security fixes #200
Open
tcezard wants to merge 1 commit into
nitin-ebi approved these changes May 16, 2026
Fix 1: Rate limiter bypass (RateLimiterAspect.java)
The rate limiter used the X-Forwarded-For HTTP header as the per-IP bucket key. Any client could rotate this header on every request to create unlimited fresh buckets, bypassing the 5 req/sec cap entirely. The fix removes the header trust and uses the TCP-level remoteAddr instead, which a client cannot spoof.
Fix 2: HTTP parameter injection (ContigAliasService.java)
Chromosome names and assembly values were concatenated directly into URLs sent to the internal contig-alias service, without encoding. A crafted regionId containing ? or # characters could inject extra query parameters into those internal requests. The fix replaces all four string-concatenation URL builds with UriComponentsBuilder, which percent-encodes all user-supplied path segments and query values automatically.
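The vulnerable and hardened URL builds that Fix 2 contrasts, as an added illustration rather than code from the PR or from the eva-ws project; the base URL, assembly accession and the hostile `regionId` are constructed sample values, and the methods and class name are hypothetical:

```java
import org.springframework.web.util.UriComponentsBuilder;

public class ContigAliasUrlExample {
    // Constructed placeholder for the internal contig-alias service base URL.
    private static final String BASE = "http://contig-alias.internal/v1";

    // Before: raw string concatenation. A chromosome value containing '?', '&',
    // '=' or '#' is spliced into the URL untouched, so it can add query
    // parameters to, or truncate, the request sent to the internal service.
    static String unsafeUrl(String assembly, String chromosome) {
        return BASE + "/assemblies/" + assembly + "/chromosomes?name=" + chromosome;
    }

    // After: every user-supplied piece is passed as a path segment or query
    // value and percent-encoded by UriComponentsBuilder, so the characters
    // that would start a new parameter or a fragment cannot change the
    // structure of the request.
    static String safeUrl(String assembly, String chromosome) {
        return UriComponentsBuilder.fromHttpUrl(BASE)
                .pathSegment("assemblies", assembly, "chromosomes")
                .queryParam("name", chromosome)
                .build()
                .encode()
                .toUriString();
    }

    // Simple detector for the concatenated form: the hardened URL contains
    // exactly one '?' and no '#', because the builder encodes injected ones.
    static boolean hasInjectedStructure(String url) {
        int firstQuery = url.indexOf('?');
        return url.indexOf('#') >= 0
                || (firstQuery >= 0 && url.indexOf('?', firstQuery + 1) >= 0);
    }

    public static void main(String[] args) {
        String assembly = "GCA_000000000.0";           // constructed sample accession
        String hostileRegion = "chr1?admin=true#frag";  // constructed hostile regionId

        String unsafe = unsafeUrl(assembly, hostileRegion);
        String safe = safeUrl(assembly, hostileRegion);

        System.out.println("concatenated : " + unsafe
                + "  injected=" + hasInjectedStructure(unsafe));
        System.out.println("builder      : " + safe
                + "  injected=" + hasInjectedStructure(safe));
    }
}
```

Running it shows the concatenated form carrying the attacker-chosen `admin=true` parameter and a fragment, while the builder form keeps the whole value inside the single `name` parameter.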
Fix 3: Plaintext password in memory (SecurityConfiguration.java)
The {noop} Spring Security prefix meant the admin password for the count-stats write API was stored and compared as plaintext in JVM heap memory. A heap dump would expose it immediately. The fix registers a BCryptPasswordEncoder bean and hashes the password at startup, so only the hash lives in memory.
Fix 4: Git metadata exposure (4 × application.properties)
management.info.git.mode=full caused the /actuator/info endpoint to publish the full commit SHA, commit message, and timestamp — enough for an attacker to precisely identify the deployed version and match it against known CVEs. Changed to simple, which only exposes the abbreviated commit hash and branch name.
Dep bump: PostgreSQL JDBC (pom.xml)
Driver 9.4.1212 (2017) was affected by several CVEs including SQL injection via column names (CVE-2022-31197) and XXE (CVE-2020-13692). Updated to 42.7.4, the current stable release, which is a drop-in replacement for PostgreSQL 11.
Dep bump: H2 (pom.xml, test scope)
H2 1.4.193 (2016) carried CVE-2021-42392 (RCE via JNDI in the H2 console) and CVE-2022-45868. Although test-scoped, it could be exploited in developer and CI environments. Updated to 2.2.224.