Zend Module Installer

Developers
2013-12-28
2014-09-06
(Page 1 of 6)
  • ZH Healthcare
    ZH Healthcare
    2013-12-28

    Hi,

    We have developed a Zend-based module installer for OpenEMR which gives the community an option to install enhancements as compartmentalized code, in order to help maintain and manage
    installations. This enables contributors to release features as modules, which the user
    can opt to use without hindering the basic structure and direction of the common
    project.

    The GitHub and SourceForge paths are as follows. The complete documentation is available at the SourceForge link.

    Sourceforge path : https://sourceforge.net/p/openemr/code-review/232/
    Github path : https://github.com/zhhealthcare/openemr/commits/ModuleInstaller-V5

    Please share your comments/suggestions.

    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • Brady Miller
    Brady Miller
    2014-01-01

    Hi,

    To get Zend to work in Ubuntu, I had to do the following:
    1. Edit /etc/apache2/sites-available/default:
    Change:
    AllowOverride None
    To:
    AllowOverride FileInfo

    2. Then enable mod_rewrite:
    sudo a2enmod rewrite

    3. Ensure you are using PHP version 5.3.3 or greater

    -brady
    OpenEMR

     
    Last edit: Brady Miller 2014-01-01
  • ZH Healthcare
    ZH Healthcare
    2014-01-01

    Kevin,
    In this Zend module we have implemented all the security mechanisms that are available in the community version. Also, we have implemented the logging mechanism, which will log all the DB queries into the same log table.
    And also I think it's time to move to a framework-based OpenEMR, so that we can avoid all the security vulnerabilities and the data vulnerabilities. Also, I strongly believe that ZF2 is one among the best frameworks.

    HAPPY NEW YEAR
    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • Kevin Yeh
    Kevin Yeh
    2014-01-01

    Please provide more documentation regarding your approach to security. This is a huge bit of code to review.

    The "AllowOverride FileInfo" setting Brady mentions needing to get things to work is also a significant concern.

    My other big concern is that Shameem, during the ad-hoc conferences, expressed the fact that his goal for this module installer is to allow for easier integration of closed-source modules. This is not a "vendor-neutral" contribution.

     
    • ZH Healthcare
      ZH Healthcare
      2014-01-01

      "“Free software” means software that respects users' freedom and community.
      Roughly, the users have the freedom to run, copy, distribute, study,
      change and improve the software. Thus, “free software” is a matter of
      liberty, not price." http://www.gnu.org/philosophy/free-sw.html

      My goal is to provide the users of OpenEMR the liberty to accept and use
      closed or open source modules. As an open source community we have the
      ability to accept only open source modules, but we do not have the right to
      block the users ability to accept closed source modules.

      This is no different from the forms installer which is already part of
      OpenEMR. There are people who sell the forms they have created, and yet
      there are others who contribute forms to open source. The argument that this
      is not vendor neutral is not right. Any vendor can develop a module, open
      or closed source, and distribute it the way he or she wants it. The rules
      and framework to develop a module are open to any and everyone. My view is
      that this will actually increase interest in our community. I have stated,
      time and again, the example of the Lab module where there are several
      vendors developing interfaces. Ultimately the best interface with the
      right price will attract users. So also is the case of the eRx.

      Ultimately I leave it to the community to decide if they want a module
      installer where anyone can develop modules and contribute it to the
      community.

      --
      Shameem C Hameed
      ZH Healthcare
      2010 Corporate Ridge, Suite 700
      McLean VA 22102

      ph: +1-703-340-8065 Ext: 6666
      Direct: 571-766-8074
      Fax: +1-703-890-8702

      www.zhservices.com
      http://www.linkedin.com/pub/shameem-hameed/5/5a6/712

       
  • MD Support
    MD Support
    2014-01-01

    Congratulations to ZH for committing resources towards a change, something that has been discussed on these forums for a long time.

    Some basic questions, probably already discussed elsewhere.

    Shouldn't the framework be implemented at a lower level than (one of the) applications using it? Isn't it a framework for PHP, not OpenEMR? By putting Zend code inside

    interface/modules/zend_modules/library/Zend/

    is OpenEMR taking on the responsibility of releasing Zend patches as part of the OpenEMR patch/upgrade process?

    This also makes it harder for an installation to use other modules unrelated to OpenEMR.

    Is it too late to suggest that the implementation process be:

    Step 1. Working OpenEMR

    Optional Steps:
    Step 2. Install Zend per Zend install process
    Step 3. Activate zf2 based modules using options/configuration

    This will let the community evaluate the benefits until consensus emerges to make OpenEMR a ZF module.

     
    Last edit: MD Support 2014-01-02
  • Rod Roark
    Rod Roark
    2014-01-02

    We've had this discussion before:

    https://sourceforge.net/p/openemr/discussion/202506/thread/94801241

    I don't see how it can be right to include Zend in our project. It's a separate project that is readily available for installation and comes with all major Linux distributions. We don't want to be responsible for keeping it up to date. Furthermore we are very far from any consensus to standardize on using it.

    In general I think it's probably OK for some individual contributions to use Zend, as long as anything requiring it is an optional feature that can be disabled. However as things are now I'd discourage it (see various comments in the thread referenced above).

    What I do encourage is more use of object oriented methods, especially to encapsulate things like patients, encounters, providers, facilities etc. A lot of the stuff in the library directory could be rewritten to use classes. We could clean things up a lot that way without doing anything controversial, and if we ever do settle on a framework it would make moving to it easier.

    Rod
    http://www.sunsetsystems.com/

     
  • ZH Healthcare
    ZH Healthcare
    2014-01-02

    Hi,

    We have attached a document regarding the security mechanisms.
    We have not modified the zend library files, so it is possible to move it to another level, we will try it and let you know.

    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • Kevin Yeh
    Kevin Yeh
    2014-01-02

    All that your "security" document seems to do is list vulnerabilities. It doesn't say how they are addressed.

     
  • ZH Healthcare
    ZH Healthcare
    2014-01-03

    Hi,

    The commit you mentioned includes only the changes from the Zend git repository as a result of pulling the default skeleton application posted by Zend. The Zend library files are located in the '/zend_modules/library' folder; they are not affected by this commit. If you want to use the default Zend library with the module installer, then we can use the third commit directly, after which the Zend library path must be specified in the configuration file. We will make the necessary changes and will commit them as soon as possible.

    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • ZH Healthcare
    ZH Healthcare
    2014-01-03

    Hi,

    As per the discussion, we have made the commits in such a way that the user can use the already existing ZF2 library available on their system for the module installer. The path can be set in the 'zend_modules/init_autoloader.php' file, as mentioned in the file comments.

    The git path for the latest commit is : https://github.com/zhhealthcare/openemr/commit/5dde10c4936271d5246b3ff6e7d9502f19a762cd

    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • Brady Miller
    Brady Miller
    2014-01-04

    Hi ZH,

    A couple of quick questions for now:

    1. Regarding your security document above, how do you plan to secure the following from sql injection:
      SELECT * FROM $variable_table_name WHERE 'value'=? ORDER BY $variable_direction LIMIT $variable_limit
      (note there are functions within openemr database engine that do these things already)

    2. Are you able to insert a new sql row of data and correctly return the insert row id?

    3. Is your log function doing the same thing as the original log function in openemr?

    thanks,
    -brady
    OpenEMR

     
  • Kevin Yeh
    Kevin Yeh
    2014-01-04

    I am also concerned about the potential for "social engineering" attacks should this installer be incorporated into the official code base.

    A malicious attacker could offer a module under the guise of something useful. Given the wide variety of technical skills among OpenEMR users, I suspect a significant number would "fall for it."

    The expressed purpose of this module is to make it easier to run "arbitrary code" in the context of OpenEMR, which is a dangerous prospect.

    I'm trying to keep an open mind about the issues, but as Rod pointed out, we've discussed this topic pretty extensively before and I still don't think this code is appropriate.

     
  • Brady Miller
    Brady Miller
    2014-01-04

    Hi Kevin,
    Focus on keeping an open mind is good in this case. Regarding the "social engineering" attack issue, we already have that issue in the forms installer, which is a rather vital feature; if somebody downloaded and installed an "attack" form, such as CAMOS-WAMOS or something like that. As with the forms installer, we should ensure only an admin can add modules to cover this.
    -brady

     
    • ZH Healthcare
      ZH Healthcare
      2014-01-06

      I would humbly submit that we should let the users decide what they want to
      run on their systems. Let us treat them as mature adults. If a user
      decides to run arbitrary code it should be his choice and we shouldn't be
      policing that. That goes against the open source spirit.

      I agree with "MD Support" in that we should police the code that is
      submitted to us as a module. These should be thoroughly reviewed before
      accepting as part of the community code. Why are we rejecting something
      based on an apprehension that it has the potential to be used for bad?

      --
      Shameem C Hameed
      ZH Healthcare
      2010 Corporate Ridge, Suite 700
      McLean VA 22102

      ph: +1-703-340-8065 Ext: 6666
      Direct: 571-766-8074
      Fax: +1-703-890-8702

      www.zhservices.com
      http://www.linkedin.com/pub/shameem-hameed/5/5a6/712

       
      • Kevin Yeh
        Kevin Yeh
        2014-01-06

        Why are we rejecting something
        based on an apprehension that it has the potential to be used for bad?

        Because I am one of the few people who takes care of security issues for the project, I worry a great deal about the very real additional burdens of including such a large chunk of new code in the project.

        There are many existing pieces of the project that have "the potential to be used for bad" that still need to be taken care of with our limited resource, and the cost/benefit trade-off for this particular feature does not seem worth the effort at the moment.

         
        • ZH Healthcare
          ZH Healthcare
          2014-01-06

          Help me understand this: you are saying that a module that "may" be contributed to be installed using the Module Installer "may" cause problems. Hence, do not accept the Module Installer.

          My question is, do you have a problem with the Module installer per se assuming (without accepting) that a given module passes muster?

          Or is it your contention that the Module installer itself has non-secure items within it? If it is the latter we can fix that.

          Thanks and Regards,
          Jacob T.Paul
          ZH Healthcare
          www.zhhealthcare.com

           
          • Kevin Yeh
            Kevin Yeh
            2014-01-06

            Security is not my only concern with your approach. It was just the topic I chose to comment on first.

             
  • Kevin Yeh
    Kevin Yeh
    2014-01-04

    Except code for forms seems like it would be more natural to review beforehand, because the administrator has to move it into the forms directory manually first.

    The "one touch" install process has "convenience vs. security" trade-offs.

    Sometimes there's value in slowing things down/taking extra steps. Think "timeout" in the Operating Room.

     
  • MD Support
    MD Support
    2014-01-04

    Before pulling in code, when we do our preliminary checks we find no invocation of AuthenticationService or Permissions\Acl. Does that mean the modules are not expected to use ZF2 core security mechanisms? Shouldn't there be some code mapping/linking the OpenEMR session with ZF2 objects? Not sure if any suggestions could be offered if we are just checking to see if specific config changes allow ZF2-based code to connect to MySQL.

    On a related note, the community will need to think about the implications of external modules. If a practice is sold a 'PayPal payment processing module' by Xyz LLC, surely OpenEMR has no responsibility, and that may be OK. But if Xyz LLC chooses to contribute a module, is there an adequate number of reviewers with appropriate tools and skillsets up to the task? Traditional code review will not work to identify issues in a million lines of code in hundreds of files generated by some IDE.

     
    Last edit: MD Support 2014-01-04
  • In my opinion, I don't believe that this is a good approach for a plugin/module loader for OpenEMR. I don't see a reason to integrate the Zend Framework. If there was a clearly defined path to migrate all of OpenEMR into Zend Framework, then and only then would this approach make sense to me.

    OpenEMR already has components for ACL, Database abstraction, etc. In fact, OpenEMR already has a type of "module loader" in the forms interface (as Kevin alluded to.)

    My suggestion is that we help ZH enhance and secure the existing form plugin framework to be more flexible to include these types of modules.

    If ZH has code written in Zend Framework, they can integrate their code at the level of this new module loader, which doesn't introduce a number of unnecessary files or impose an extremely complex structure on newly developed modules.

    Ken
    ken@mi-squared.com

     
  • ZH Healthcare
    ZH Healthcare
    2014-01-07

    Hi,

    We have attached two documents: one lists the security features we already use in the Module Installer and the other lists the security mechanisms supported by ZF2. Zend prevents SQL injection in the case of placeholder values. We are able to return the correct SQL insert id. The logging mechanism is logging all the queries as in the OpenEMR logs.

    Thanks and Regards,
    ZH Healthcare
    www.zhhealthcare.com

     
  • Brady Miller
    Brady Miller
    2014-01-07

    Hi ZH,

    I am assuming this is to answer my questions above, which were sort of trick questions :)

    1. Regarding your security document above, how do you plan to secure the following from sql injection:
    SELECT * FROM $variable_table_name WHERE 'value'=? ORDER BY $variable_direction LIMIT $variable_limit
    (note there are functions within openemr database engine that do these things already)

    I am asking you how you are going to escape the $variable_table_name, $variable_direction and $variable_limit variables in the above sql statement. You can't use parameters there; note this has been dealt with in openemr's current database scheme/functions.

    2. Are you able to insert a new sql row of data and correctly return the insert row id?

    Ensure your log function insert call does not replace the id. This was a super annoying bug that has been dealt with in openemr's current database scheme/functions and was operating system and php version dependent (for example, this is why openemr did not work on newer xampp versions in the past).

    3. Is your log function doing the same thing as the original log function in openemr?

    Your log function is 8 lines and the one in openemr now is using a library of code about 500 lines long...
    library/log.inc
    You are missing md5sums, ATNA connections, categorization, etc...

    Additionally, just by looking at the code, your method of recreating the sql queries that use binding is not in the same format and will break if there are any '?' symbols in the data fields.

    Please note this is only the beginning of converting to another database engine...

    Regarding security, Zend does give you tools in the security aspect, but it is important to note that there seems to be nothing there that does not already exist in openemr's library, except for the javascript and css escaping functions, which would be very useful to analyze and also get into openemr's native codebase at some point for non-zend stuff.

    -brady
    OpenEMR

     
    Last edit: Brady Miller 2014-01-07
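An added illustration of the two points Brady raises in his questions and in this reply (example code, not from the thread, OpenEMR or ZF2; Python rather than PHP): a table name, sort direction and LIMIT cannot be bound as query parameters, so they are checked against allow-lists before interpolation (the table names and the `id` sort column are assumptions), and a query log that rebuilds a bound statement by replacing '?' one at a time breaks as soon as a bound value itself contains '?'.

```python
import re

# Constructed allow-lists standing in for the application's schema.
ALLOWED_TABLES = {"patient_data", "form_encounter", "users"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def build_query(table, direction, limit):
    """SELECT * FROM <table> WHERE 'value'=? ORDER BY id <dir> LIMIT <n>.
    Only the '?' can be bound; the table (identifier), direction (keyword)
    and limit (bare literal) are validated before being interpolated.
    The sort column `id` is an assumption of this example."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"direction not allowed: {direction!r}")
    # bool is a subclass of int; strings such as "10 OR 1=1" are refused
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
        raise ValueError(f"limit must be a non-negative integer: {limit!r}")
    return (f"SELECT * FROM `{table}` WHERE 'value'=? "
            f"ORDER BY id {direction} LIMIT {limit}")

def is_rejected(*args):
    """True when build_query refuses the given arguments."""
    try:
        build_query(*args)
    except ValueError:
        return True
    return False

def _quote(value):
    # Rendering for the log only; the bound statement is what executes.
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"

def naive_render(sql, params):
    """Replace one '?' per parameter, in turn.  A '?' inside an earlier
    bound value is then mistaken for the next placeholder."""
    for p in params:
        sql = sql.replace("?", _quote(p), 1)
    return sql

def render_for_log(sql, params):
    """Single pass over the original query text: every placeholder is
    located before any value is inserted, so values are never re-scanned."""
    values, pos = list(params), 0
    def fill(_match):
        nonlocal pos
        if pos >= len(values):
            raise ValueError("fewer parameters than placeholders")
        pos += 1
        return _quote(values[pos - 1])
    rendered = re.sub(r"\?", fill, sql)
    if pos != len(values):
        raise ValueError("more parameters than placeholders")
    return rendered
```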