author | Rotundo, Al (ar3165) <ar3165@att.com> | 2019-07-31 14:46:56 +0000 |
---|---|---|
committer | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-07-31 14:31:07 -0400 |
commit | 18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch) | |
tree | 39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/admin.js | |
parent | 33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff) |
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal.
Issue-ID: OJSI-40
Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/admin.js')
-rwxr-xr-x | admportal/server/router/routes/admin.js | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/admportal/server/router/routes/admin.js b/admportal/server/router/routes/admin.js
index 4b7b8088..96c7fd85 100755
--- a/admportal/server/router/routes/admin.js
+++ b/admportal/server/router/routes/admin.js
@@ -5,40 +5,43 @@ var util = require('util');
 var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
+var cookieParser = require('cookie-parser');
 var bodyParser = require('body-parser');
 var sax = require('sax'),strict=true,parser = sax.parser(strict);
 var async = require('async');
+var csrf = require('csurf');
+
+var csrfProtection = csrf({cookie: true});
+router.use(cookieParser());
 // GET
 router.get('/getParameters', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
 dbRoutes.getParameters(req,res, {code:'', msg:''}, req.session.loggedInAdmin);
 });
-router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res) {
+router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res) {
- var privilegeObj = req.session.loggedInAdmin;
- var tasks = [];
- tasks.push(function(callback) {
- dbRoutes.deleteParameter(req,res,callback);
- });
- async.series(tasks, function(err,result){
- var msgArray = new Array();
- if(err){
- msgArray.push(err);
- dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
- return;
- }
- else {
- msgArray.push('Row successfully deleted from PARAMETERS table.');
- dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
- return;
- }
- });
+ var privilegeObj = req.session.loggedInAdmin;
+ var tasks = [];
+ tasks.push(function(callback) { dbRoutes.deleteParameter(req,res,callback); });
+ async.series(tasks, function(err,result){
+ var msgArray = new Array();
+ if(err){
+ msgArray.push(err);
+ dbRoutes.getParameters(req,res,{code:'failure', msg:msgArray},privilegeObj);
+ return;
+ }
+ else {
+ msgArray.push('Row successfully deleted from PARAMETERS table.');
+ dbRoutes.getParameters(req,res,{code:'success', msg:msgArray},privilegeObj);
+ return;
+ }
+ });
 });
 // POST
-router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
 var privilegeObj = req.session.loggedInAdmin;
 var tasks = [];
@@ -59,7 +62,7 @@ router.post('/addParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
 });
 // gamma - updateAicSite
-router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, function(req,res){
+router.post('/updateParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res){
 var privilegeObj = req.session.loggedInAdmin;
 var tasks = []; |
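Review bot: The `csrfProtection` middleware added to the GET `/deleteParameter` route validates nothing, because csurf skips token checks for GET, HEAD and OPTIONS by default (its `ignoreMethods` option), so this state-changing delete is still triggerable cross-site; the same middleware on the POST routes `/addParameter` and `/updateParameter` (second hunk) does take effect. The route should become a POST, `router.post('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res) {`, with the calling page submitting the value of `req.csrfToken()` as a form field, leaving `/getParameters` as the only GET here. `csrf({cookie: true})` keeps the CSRF secret in a cookie with csurf's default attributes; since `req.session` is already used on these routes, the session-backed `csrf()` would avoid a second secret store and the new `cookie-parser` dependency, or else pass `{cookie: {httpOnly: true, sameSite: 'strict', secure: true}}`. `router` is declared before the hunk, so `router.use(cookieParser())` depends on that earlier declaration.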