susom / biocatalyst-link
A REDCap External Module to enable integration with Biocatalyst
License: Apache License 2.0
Version 0.2 (with code to support #2) does not include the crucial introduction of a mechanism for blocking data from being exported from reports if an end user was able to request a report_id that was not on the allowed list returned by getProjectReports().
The module currently permits all reports in a project to be extracted with the Biocatalyst link. This can cause problems in environments where the Biocatalyst platform is permitted to contain less sensitive data than REDCap, where Biocatalyst users in the REDCap environment may have access to projects with reports that could contain sensitive data.
Update the module to include an option for administrators to restrict which data reports may be extracted on a per-project basis.
We have a strong need to be able to allow only specific reports to be pulled by the module. The UCSF security environment has very strict rules on where PHI can live, and currently REDCap is cleared for PHI, but Biocatalyst will not be. So we need to be able to ship only deid data across the Biocatalyst integration, which has created a requirement that our system admins review each activation of the module. But we still can't restrict which reports a user can pull from a project, so it's very possible for someone to inadvertently pull out an identified report for consumption by Biocatalyst.
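What a fail-closed version of that gate looks like, as an added example that is not the module's own code. Assumptions: the administrator's allow-list is handed in as an array of report_ids (a real module would read it from a project setting; the page only says such an option is wanted), ReportGate::query() stands in for the EM framework's $module->query($sql, $parameters), and redcap_reports is an in-memory SQLite table filled with constructed rows so the script runs with plain PHP 8 and pdo_sqlite.

```php
<?php
// Added example, not code from the biocatalyst-link module. Assumptions: the admin's
// allow-list arrives as an array of report_ids (a real module would read it from a
// project setting); ReportGate::query() stands in for the EM framework's
// $module->query($sql, $parameters); redcap_reports is an in-memory SQLite table
// filled with constructed rows so the script runs with plain PHP 8 and pdo_sqlite.
declare(strict_types=1);

final class ReportGate
{
    private PDO $db;
    /** @var int[] report_ids an administrator has cleared for export */
    private array $allowedReportIds;

    public function __construct(PDO $db, array $allowedReportIds)
    {
        $this->db = $db;
        $this->allowedReportIds = array_values(array_map('intval', $allowedReportIds));
    }

    // Stand-in for $module->query(): every dynamic value is bound, never interpolated.
    private function query(string $sql, array $parameters): PDOStatement
    {
        $stmt = $this->db->prepare($sql);
        $stmt->execute($parameters);
        return $stmt;
    }

    // Reports the Biocatalyst link may list for this project: the project's own reports
    // intersected with the allow-list. An empty allow-list exposes nothing.
    public function getProjectReports(int $projectId): array
    {
        if ($this->allowedReportIds === []) {
            return [];
        }
        $placeholders = implode(',', array_fill(0, count($this->allowedReportIds), '?'));
        $stmt = $this->query(
            "select report_id, title from redcap_reports
             where project_id = ? and report_id in ($placeholders) order by report_id",
            array_merge([$projectId], $this->allowedReportIds)
        );
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // The gate the comment above says v0.2 lacks: a report_id taken from the request is
    // exported only if it is a plain integer, is on the allow-list, and belongs to this project.
    public function verifyReportAllowed(int $projectId, string $requestedReportId): bool
    {
        if (!ctype_digit($requestedReportId)) {   // fail closed on "3 or 1=1", "", "-1"
            return false;
        }
        $reportId = (int) $requestedReportId;
        if (!in_array($reportId, $this->allowedReportIds, true)) {
            return false;
        }
        $count = $this->query(
            'select count(*) from redcap_reports where project_id = ? and report_id = ?',
            [$projectId, $reportId]
        )->fetchColumn();
        return (int) $count === 1;
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample data: project 12 has two de-identified reports and one identified
// report (id 3); the administrator clears only 1 and 2 for Biocatalyst.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table redcap_reports (report_id integer, project_id integer, title text)');
$rows = [[1, 12, 'Deidentified labs'], [2, 12, 'Deidentified visits'],
         [3, 12, 'Identified contact list'], [4, 13, 'Another project']];
foreach ($rows as $r) {
    $db->prepare('insert into redcap_reports values (?, ?, ?)')->execute($r);
}
$gate = new ReportGate($db, [1, 2]);

expect(array_column($gate->getProjectReports(12), 'report_id') == [1, 2], 'listing is filtered by the allow-list');
expect($gate->verifyReportAllowed(12, '1'), 'cleared report in its own project');
expect(!$gate->verifyReportAllowed(12, '3'), 'identified report is not on the allow-list');
expect(!$gate->verifyReportAllowed(13, '1'), 'cleared id but wrong project');
expect(!$gate->verifyReportAllowed(12, '1 or 1=1'), 'non-integer input is refused outright');
expect(!(new ReportGate($db, []))->verifyReportAllowed(12, '1'), 'empty allow-list exports nothing');
echo "all checks passed\n";
```

Two design points: the listing and the per-request check are driven by the same allow-list, so a report_id that never appears in getProjectReports() can never pass verifyReportAllowed() either, and an unconfigured (empty) allow-list exports nothing rather than everything, which is the default the UCSF comment asks for.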
SQL queries called in the following functions are not sanitized to prevent SQL injection attack:
- verifyReportAllowed() (v0.3 and higher)
- getProjectReports() (v0.1 and higher)
- getReportColumns() (v0.1 and higher)
- checkReportInProject() (v0.1 and higher)

SQL injection protection should be applied to all parameterized queries.
From REDCap Framework v4 release notes:
Parameterized Queries - Framework Version 4 requires that all query() method calls must include an additional $parameters argument. All queries should be refactored so that all dynamic values are passed as parameters. Please take a moment to read the Query Documentation page to get a feel for parameterized queries in general, then return here for the following specifics on transitioning modules to use them:
- The query() method supports (but does not require) the $parameters argument. This allows module queries to be updated incrementally over time, prior to updating to Framework Version 4.
- Calls to db_escape() and db_real_escape_string() should be removed to avoid double escaping. Pass the value through the $parameters argument instead. Cases that require additional handling are included below.
- The db_affected_rows() method will no longer work. See the Query Documentation page for an alternative.
- Methods that start with mysqli_... and operate on the MySQL result object will no longer work. Please use the equivalent db_... methods instead.
- Numeric columns are now returned as the int type in PHP where they previously returned as string. This can cause problems for any type sensitive operations like triple equals checking. The simplest solution to prevent potential issues without refactoring is to cast the numeric columns in either SQL or PHP:
  - in PHP: $row = $module->convertIntsToStrings($row);
  - in SQL: change "select project_id" to "select cast(project_id as char) as project_id".
- For a like clause, the wildcard moves out of the SQL and into the parameter: $module->query("...where value like '{$value}%'"); becomes $module->query("...where value like ?", [$value . '%']);
- These points apply to db_query() calls as well. Manually calling db_query() is deprecated in modules, and may be disallowed in the future.
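The before-and-after those notes describe, written out for the kind of check the injection issue above lists, as an added example that is neither the module's nor REDCap's own code. query() stands in for the framework's $module->query($sql, $parameters), the function names follow the issue's list but are illustrative, and the redcap_reports rows are constructed test data in an in-memory SQLite table, so the script runs with plain PHP 8 and pdo_sqlite.

```php
<?php
// Added example, not the module's or REDCap's own code. query() stands in for the EM
// framework's $module->query($sql, $parameters) and is backed by an in-memory SQLite
// table with constructed rows, so this runs with plain PHP 8 and pdo_sqlite.
declare(strict_types=1);

function query(PDO $db, string $sql, array $parameters = []): PDOStatement
{
    $stmt = $db->prepare($sql);
    $stmt->execute($parameters);
    return $stmt;
}

// BEFORE: the pattern the issue reports. $reportId is request input dropped into the SQL.
function checkReportInProjectVulnerable(PDO $db, int $projectId, string $reportId): bool
{
    $sql = "select count(*) from redcap_reports where project_id = $projectId and report_id = $reportId";
    return (int) query($db, $sql)->fetchColumn() > 0;
}

// AFTER: every dynamic value goes through $parameters. The digit check stays because
// MySQL compares an int column with a non-numeric string by casting the string
// ('3 or 1=1' becomes 3), so a bound but unvalidated value still compares as a number.
function checkReportInProject(PDO $db, int $projectId, string $reportId): bool
{
    if (!ctype_digit($reportId)) {
        return false;
    }
    $sql = 'select count(*) from redcap_reports where project_id = ? and report_id = ?';
    return (int) query($db, $sql, [$projectId, (int) $reportId])->fetchColumn() === 1;
}

// The like-clause case from the release notes: the wildcard is appended to the bound
// value, never written into the SQL, and the caller's own %, _ and the escape char are
// escaped so they match literally. ESCAPE '!' is valid in both MySQL and SQLite.
function findReportsByTitlePrefix(PDO $db, int $projectId, string $prefix): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $prefix);
    $sql = "select report_id, title from redcap_reports
            where project_id = ? and title like ? escape '!' order by report_id";
    return query($db, $sql, [$projectId, $escaped . '%'])->fetchAll(PDO::FETCH_ASSOC);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample data: reports 1 and 2 belong to project 12, report 3 to project 13.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table redcap_reports (report_id integer, project_id integer, title text)');
foreach ([[1, 12, 'Deidentified labs'], [2, 12, 'Deidentified visits'], [3, 13, 'Identified contacts']] as $r) {
    query($db, 'insert into redcap_reports values (?, ?, ?)', $r);
}

// An honest request for report 3 from project 12 must be refused by both versions...
expect(checkReportInProjectVulnerable($db, 12, '3') === false, 'honest request, vulnerable version');
// ...but "3 or 1=1" turns the interpolated WHERE into (... and report_id = 3) or 1=1.
expect(checkReportInProjectVulnerable($db, 12, '3 or 1=1') === true, 'injection passes the vulnerable check');
expect(checkReportInProject($db, 12, '3 or 1=1') === false, 'parameterized check rejects the payload');
expect(checkReportInProject($db, 12, '1') === true, 'parameterized check still passes for a real report');

expect(count(findReportsByTitlePrefix($db, 12, 'Deid')) === 2, 'prefix search');
expect(findReportsByTitlePrefix($db, 12, '%') === [], 'a bare % is a literal, not a wildcard');

// Release-note caveat: numeric columns come back as int under Framework v4 (and, for
// pdo_sqlite, from PHP 8.1 on), so cast before any === comparison.
$row = query($db, 'select project_id from redcap_reports where report_id = ?', [1])->fetch(PDO::FETCH_ASSOC);
expect((int) $row['project_id'] === 12, 'cast numeric column before strict comparison');
echo "all checks passed\n";
```

Binding the value stops it from becoming SQL; validating its shape stops the database from coercing it into a number the caller did not send. The two are separate fixes, and the module needs both. The ESCAPE clause covers the one thing the release-note like example leaves open: a caller-supplied % or _ would otherwise still act as a wildcard even when bound.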