Stream: shorthand
Topic: SUSHI 2.2.4
Chris Moesel (Dec 21 2021 at 03:07):
Announcing SUSHI 2.2.4 with the following bug fixes and minor enhancements:
- Fix output paths for resources with path separators in their id (details below)
- Fix canonical lookups for instances whose URL was set by an insert rule
- Update dependency libraries to address known vulnerabilities
Vulnerability w/ Output Paths and IDs
SUSHI generates file names based on the resource id (i.e., ${resourceType}-${resourceId}.json). In past versions of SUSHI, if the id contained one or more path separators, it was possible to cause SUSHI to write the JSON file to other locations on the filesystem. This behavior could be abused to intentionally overwrite existing JSON files. The utility of leveraging this bug, however, is limited by the fact that the file contents would still be a FHIR resource (i.e., you cannot force it to write arbitrary JSON). In this version of SUSHI, the bug has been fixed by properly sanitizing file names before writing them to disk.
Install or Update
To install or update to this release, run the following command:
$ npm install -g fsh-sushi
More Information
For more details on this release, see the SUSHI 2.2.4 Release Notes.
Last updated: Apr 12 2022 at 19:14 UTC