path: root/admportal/server/router/routes/csp.js
authorRotundo, Al (ar3165) <ar3165@att.com>2019-11-22 15:07:18 +0000
committerRotundo, Al (ar3165) <ar3165@att.com>2019-11-22 15:07:18 +0000
commit6d9e9c449782cbf560a0dd591509c596326b8bf0 (patch)
treede91df55c586e26db0ac16a1acdc995c53629485 /admportal/server/router/routes/csp.js
parent34f2213be95352e1643bbeaadfe5723fbddf1c35 (diff)
fixing security issues found in onap admportal
changed exec command to spawn command to prevent arbitrary code execution Issue-ID: SDNC-978 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Change-Id: I4487b5c7a14d7a7b1e4985b89e646cf6801845e0 Former-commit-id: 484d74555c481f055a7f33909071962cace85aa0
Diffstat (limited to 'admportal/server/router/routes/csp.js')
-rw-r--r--admportal/server/router/routes/csp.js59
1 files changed, 19 insertions, 40 deletions
diff --git a/admportal/server/router/routes/csp.js b/admportal/server/router/routes/csp.js
index 8828052f..f82edd89 100644
--- a/admportal/server/router/routes/csp.js
+++ b/admportal/server/router/routes/csp.js
@@ -15,50 +15,29 @@ function logout(req,res){
function login (req,res) {
-console.log('login');
-var tkn = req.sanitize(req.body._csrf);
-console.log('login:tkn=' + tkn);
+ var tkn = req.sanitize(req.body._csrf);
var loggedInAdmin={};
var email = req.sanitize(req.body.email);
var pswd = req.sanitize(req.body.password);
- dbRoutes.findAdminUser(email,res,function(adminUser){
- if(adminUser !== null){
-
- // make sure correct password is provided
- if (pswd != adminUser.password) {
- res.render("pages/login",
- {
- result:
- {
- code:'error',
- msg:'Invalid password entered.'
- },
- header:process.env.MAIN_MENU
- });
- return;
- }
-
- var loggedInAdmin = {
+ dbRoutes.findAdminUser(email,res,function(adminUser)
+ {
+ // make sure correct password is provided
+ if (pswd != adminUser.password) {
+ res.render("pages/err", { result: { code:'error', msg:'Invalid password entered.' }, header:process.env.MAIN_MENU });
+ return;
+ }
+ var loggedInAdmin = {
email:adminUser.email,
csrfToken: tkn,
password:adminUser.password,
privilege:adminUser.privilege
- }
- req.session.loggedInAdmin = loggedInAdmin;
- console.log("Login Success"+JSON.stringify(loggedInAdmin));
- res.redirect('sla/listSLA');
- }else{
- res.render("pages/err",
- {
- result:
- {
- code:'error',
- msg:'User ' + attuid + ' is not in the database. Please see an adminstrator to have them added.'
- },
- header:process.env.MAIN_MENU
- });
}
+ req.session.loggedInAdmin = loggedInAdmin;
+
+ console.log("Login Success"+JSON.stringify(loggedInAdmin));
+ res.redirect('sla/listSLA');
+ return;
});
}
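Review bot: The rewritten findAdminUser callback reads `adminUser.password` without the `adminUser !== null` guard the old branch had, so a login attempt with an email that is not in the database would throw a TypeError inside the callback instead of rendering the error page, assuming dbRoutes.findAdminUser still passes null for a missing user as the removed else-branch implies. Restore the guard ahead of the password check, e.g. `if (adminUser == null) { res.render("pages/err", { result: { code:'error', msg:'Invalid email or password.' }, header:process.env.MAIN_MENU }); return; }`, and make the password comparison strict, `if (pswd !== adminUser.password) {`. Comparing the submitted password directly against the stored value suggests plaintext storage, where a salted-hash comparison would be the expected check, and copying `password:adminUser.password` into loggedInAdmin keeps the secret in the session and writes it to the log via the `console.log("Login Success"+JSON.stringify(loggedInAdmin))` line for no purpose the handler shows.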
@@ -72,17 +51,17 @@ function checkAuth(req,res,next){
var host = req.headers['host'];
console.log('host=' + host);
- console.log("cookie is not null "+JSON.stringify(req.session.loggedInAdmin));
if(req.session == null || req.session == undefined
|| req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined)
{
- // nothing else to do but log them back in, or they may
- // be coming from the graph tool
console.log("loggedInAdmin not found.session timed out.");
- res.render('pages/login');
- return false;
+ res.redirect('/login');
+ //res.render('pages/login');
+ return;
}
+ console.log("cookie is: " + JSON.stringify(req.session.loggedInAdmin));
next();
+ return;
}
function checkPriv(req,res,next)