author | Rotundo, Al (ar3165) <ar3165@att.com> | 2019-07-31 14:46:56 +0000 |
committer | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-07-31 14:31:07 -0400 |
commit | 18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch) | |
tree | 39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/csp.js | |
parent | 33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff) |
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal.
Issue-ID: OJSI-40
Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/csp.js')
-rw-r--r-- | admportal/server/router/routes/csp.js | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/admportal/server/router/routes/csp.js b/admportal/server/router/routes/csp.js index 435aaf91..8828052f 100644 --- a/admportal/server/router/routes/csp.js +++ b/admportal/server/router/routes/csp.js @@ -15,13 +15,18 @@ function logout(req,res){ function login (req,res) { +console.log('login'); +var tkn = req.sanitize(req.body._csrf); +console.log('login:tkn=' + tkn); + var loggedInAdmin={}; - var email = req.body.email; + var email = req.sanitize(req.body.email); + var pswd = req.sanitize(req.body.password); dbRoutes.findAdminUser(email,res,function(adminUser){ if(adminUser !== null){ // make sure correct password is provided - if (req.body.password != adminUser.password) { + if (pswd != adminUser.password) { res.render("pages/login", { result: @@ -36,6 +41,7 @@ function login (req,res) { var loggedInAdmin = { email:adminUser.email, + csrfToken: tkn, password:adminUser.password, privilege:adminUser.privilege } @@ -57,6 +63,7 @@ function login (req,res) { } function checkAuth(req,res,next){ + var host = req.get('host'); var url = req.url; var originalUrl = req.originalUrl; @@ -64,8 +71,7 @@ function checkAuth(req,res,next){ console.log("checkAuth"); var host = req.headers['host']; -console.log('host=' + host); - + console.log('host=' + host); console.log("cookie is not null "+JSON.stringify(req.session.loggedInAdmin)); if(req.session == null || req.session == undefined || req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined) 
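Review bot: `console.log('login:tkn=' + tkn)` in the login hunk writes the CSRF token into the server log on every login attempt; that token is a per-session secret and should not be logged, so drop that line together with the bare `console.log('login')` beside it. Running the password through `req.sanitize` before `pswd != adminUser.password` also changes behaviour: if the sanitizer escapes or strips HTML characters (as the usual express-sanitizer does), a valid password containing `<`, `&` or a quote no longer matches the stored value, so compare the unmodified `req.body.password` and use `!==`. The comparison remains against a plaintext stored password, which this commit leaves unchanged. login's body continues past the hunk.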
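Review bot: `csrfToken: tkn` stores the `_csrf` value taken from the login request body into the session, so any later check that compares a submitted token with `loggedInAdmin.csrfToken` is comparing the client's own earlier submission with itself; unless CSRF middleware has already validated `_csrf` before this handler runs (not visible in this hunk), the field adds no protection and the session value should come from the middleware-issued token instead. The same object still carries `password:adminUser.password`, and checkAuth logs the whole object with `JSON.stringify(req.session.loggedInAdmin)` (a context line in the later hunk), so the password and the token now both land in the request log on every authenticated request; the session should hold only `email` and `privilege`. login continues outside the hunk.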
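Review bot: `var host = req.get('host');` at the top of checkAuth duplicates the `var host = req.headers['host'];` that the next hunk (`@@ -64,8 +71,7 @@`) shows a few lines later in the same function, so the new declaration is overwritten before it is ever used; keep one of the two (`req.get('host')` is the case-insensitive form) and delete the other. `host` is a client-supplied request header — the hunks only show it reaching `console.log('host=' + host)`, but if it feeds an origin or redirect decision elsewhere in checkAuth, that decision needs a server-side allow-list rather than trust in the header. checkAuth's body continues outside both hunks.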
@@ -79,6 +85,40 @@ console.log('host=' + host);
 next();
 }
+function checkPriv(req,res,next)
+{
+ var priv = req.session.loggedInAdmin;
+ if(req.session == null || req.session == undefined
+ || req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined)
+ {
+ res.render("pages/err",
+ {
+ result: {code:'error', msg:'Unexpected null session.'},
+ header: process.env.MAIN_MENU
+ });
+ return;
+ }
+ else
+ {
+ if (priv.privilege == 'A')
+ {
+ next();
+ return;
+ }
+ else
+ {
+ res.render("pages/err",
+ {
+ result: { code:'error', msg:'User does not have permission to run operation.'},
+ header: process.env.MAIN_MENU
+ });
+ return;
+ }
+ }
+}
+
+
 exports.login = login;
 exports.logout = logout;
 exports.checkAuth = checkAuth;
+exports.checkPriv = checkPriv;
|
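Review bot: `var priv = req.session.loggedInAdmin;` dereferences `req.session` before the guard on the following lines tests it for null, so a request that arrives with no session throws a TypeError here instead of reaching the `'Unexpected null session.'` page; move the assignment below the guard, e.g. make `var priv = req.session.loggedInAdmin;` the first line of the `else` branch, and compare with `if (priv.privilege === 'A')`. The two `== undefined` terms are redundant because `== null` already matches undefined, so the guard can read `if (req.session == null || req.session.loggedInAdmin == null)`. The rendered message is generic, which is appropriate for the client; consider logging the denied email and `req.originalUrl` server-side so privilege-check failures are visible in the audit log.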