authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/admin.js
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/admin.js')
-rwxr-xr-xadmportal/server/router/routes/admin.js45
1 files changed, 24 insertions, 21 deletions
diff --git a/admportal/server/router/routes/admin.js b/admportal/server/router/routes/admin.js
index 4b7b8088..96c7fd85 100755
--- a/admportal/server/router/routes/admin.js
+++ b/admportal/server/router/routes/admin.js
@@ -5,40 +5,43 @@ var util = require('util');
var fs = require('fs');
var dbRoutes = require('./dbRoutes');
var csp = require('./csp');
+var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var sax = require('sax'),strict=true,parser = sax.parser(strict);
var async = require('async');
+var csrf = require('csurf');
+
+var csrfProtection = csrf({cookie: true});
+router.use(cookieParser());
// GET
router.get('/getParameters', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
dbRoutes.getParameters(req,res, {code:'', msg:''}, req.session.loggedInAdmin);
});
-router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
+router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res) {
- var privilegeObj = req.session.loggedInAdmin;
- var tasks = [];
- tasks.push(function(callback) {
- dbRoutes.deleteParameter(req,res,callback);
- });
- async.series(tasks, function(err,result){
- var msgArray = new Array();
- if(err){
- msgArray.push(err);
- dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
- return;
- }
- else {
- msgArray.push('Row successfully deleted from PARAMETERS table.');
- dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
- return;
- }
- });
+ var privilegeObj = req.session.loggedInAdmin;
+ var tasks = [];
+ tasks.push(function(callback) { dbRoutes.deleteParameter(req,res,callback); });
+ async.series(tasks, function(err,result){
+ var msgArray = new Array();
+ if(err){
+ msgArray.push(err);
+ dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
+ return;
+ }
+ else {
+ msgArray.push('Row successfully deleted from PARAMETERS table.');
+ dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
+ return;
+ }
+ });
});
// POST
-router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
var privilegeObj = req.session.loggedInAdmin;
var tasks = [];
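Review bot: Adding `csrfProtection` to the `router.get('/deleteParameter', ...)` route does not validate a token for that request, because csurf skips GET, HEAD and OPTIONS by default (its `ignoreMethods` option), so a cross-site GET to `/deleteParameter` is still accepted and the delete still runs. Since the handler performs a state change, the route should become `router.post('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){` with the admin page submitting it as a form carrying the token; if the GET must stay for now, the middleware used on this route needs `csrf({cookie: true, ignoreMethods: []})` instead. The `csrfProtection` instance created with `csrf({cookie: true})` also issues its secret cookie with default attributes; passing an options object such as `cookie: {httpOnly: true, sameSite: 'strict', secure: true}` keeps the secret out of reach of page scripts, assuming the portal is served over HTTPS. The `/addParameter` and `/updateParameter` routes in this and the following hunk are POSTs, so the middleware does validate there; where the token is rendered into those forms is outside this diff.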
@@ -59,7 +62,7 @@ router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
});
// gamma - updateAicSite
-router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
var privilegeObj = req.session.loggedInAdmin;
var tasks = [];