fixing security issues found in onap admportal

changed exec command to spawn command to prevent arbitray code execution

Issue-ID: SDNC-978
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Change-Id: I4487b5c7a14d7a7b1e4985b89e646cf6801845e0

Former-commit-id: 484d74555c481f055a7f33909071962cace85aa0

1 files changed, 19 insertions, 40 deletions

diff --git a/admportal/server/router/routes/csp.js b/admportal/server/router/routes/csp.js
index 8828052f..f82edd89 100644
--- a/admportal/server/router/routes/csp.js
+++ b/admportal/server/router/routes/csp.js
@@ -15,50 +15,29 @@ function logout(req,res){
 
 function login (req,res) {
 
-console.log('login');
-var tkn = req.sanitize(req.body._csrf);
-console.log('login:tkn=' + tkn);
+	var tkn = req.sanitize(req.body._csrf);
 
 	var loggedInAdmin={};
 	var email = req.sanitize(req.body.email);
 	var pswd = req.sanitize(req.body.password);
-	dbRoutes.findAdminUser(email,res,function(adminUser){
-		if(adminUser !== null){
-			
-			// make sure correct password is provided
-			if (pswd != adminUser.password) {
-				res.render("pages/login", 
-				{
-					result:
-					{
-						code:'error',
-						msg:'Invalid password entered.'
-					},
-					header:process.env.MAIN_MENU 
-				});
-				return;
-			}
-				
-			var loggedInAdmin = {
+	dbRoutes.findAdminUser(email,res,function(adminUser)
+	{
+		// make sure correct password is provided
+		if (pswd != adminUser.password) {
+			res.render("pages/err", { result: { code:'error', msg:'Invalid password entered.' }, header:process.env.MAIN_MENU });
+			return;
+		}
+		var loggedInAdmin = {
 				email:adminUser.email,
 				csrfToken: tkn,
 				password:adminUser.password,
 				privilege:adminUser.privilege
-			}
-            req.session.loggedInAdmin = loggedInAdmin;
-        	console.log("Login Success"+JSON.stringify(loggedInAdmin));
-        	res.redirect('sla/listSLA');
-		}else{
-			res.render("pages/err", 
-			{
-				result:
-				{
-					code:'error',
-					msg:'User ' + attuid + ' is not in the database.  Please see an adminstrator to have them added.'
-				},
-				header:process.env.MAIN_MENU 
-			});
 		}
+		req.session.loggedInAdmin = loggedInAdmin;
+
+		console.log("Login Success"+JSON.stringify(loggedInAdmin));
+		res.redirect('sla/listSLA');
+		return;
 	});
 }
 
@@ -72,17 +51,17 @@ function checkAuth(req,res,next){
 
 	var host = req.headers['host'];
 	console.log('host=' + host);
-	console.log("cookie is not null "+JSON.stringify(req.session.loggedInAdmin));
 	if(req.session == null || req.session == undefined 
 		|| req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined)
 	{
-		// nothing else to do but log them back in, or they may
-		// be coming from the graph tool
 		console.log("loggedInAdmin not found.session timed out.");
-		res.render('pages/login');
-		return false;
+		res.redirect('/login');
+		//res.render('pages/login');
+		return;
 	}
+	console.log("cookie is:  " + JSON.stringify(req.session.loggedInAdmin));
 	next();
+	return;
 }
 
 function checkPriv(req,res,next)