authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/preload.js
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/preload.js')
-rw-r--r--admportal/server/router/routes/preload.js101
1 files changed, 44 insertions, 57 deletions
diff --git a/admportal/server/router/routes/preload.js b/admportal/server/router/routes/preload.js
index fd41bb44..522c6daa 100644
--- a/admportal/server/router/routes/preload.js
+++ b/admportal/server/router/routes/preload.js
@@ -16,8 +16,6 @@ var vnf = require('./vnf');
var network = require('./network');
var moment = require('moment');
-
-
// pass host, username and password to ODL
// target host for ODL request
var username = properties.odlUser;
@@ -35,14 +33,17 @@ var options = {
strictSSL: false
};
-// multer 1.1
+// multer
var unixTime = moment().unix();
var storage = multer.diskStorage({
destination: function (req, file, cb) {
cb(null, process.cwd() + '/uploads/')
+ return;
},
filename: function (req, file, cb) {
+console.log('filename');
cb(null, unixTime + "." + file.originalname )
+ return;
}
});
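Review bot: The `filename` callback still builds the stored name from the client-supplied `file.originalname`, and the `unixTime` prefix is computed once when the module loads, so two uploads with the same original name resolve to the same path and the later one overwrites the earlier. A server-generated name would avoid both, for example `cb(null, Date.now() + '-' + crypto.randomBytes(8).toString('hex'))` with `crypto` required at the top of the file; whether later processing needs the original extension is not visible in this hunk. The added `console.log('filename');` looks like a debug leftover and should be dropped.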
@@ -54,98 +55,84 @@ var upload = multer({
return cb(null,false);
}
cb(null,true);
+ return;
}
});
router.post('/uploadVnfCsv', csp.checkAuth, upload.array('filename'), function(req, res)
{
- console.log('files:'+ JSON.stringify(req.files,null,4));
-
- var tasks = []
- var msgArray = new Array();
- var privilegeObj = req.session.loggedInAdmin;
-
+ var msgArray = new Array();
var privilegeObj = req.session.loggedInAdmin;
var tasks = [];
tasks.push ( function(callback) { vnf.go(req,res,callback,''); } );
tasks.push ( function(arg1,arg2,callback) { formatVnfInsertStatement(arg1,arg2,req,res,callback); } );
- tasks.push( function(arg1, callback) { dbRoutes.addRow(arg1,req,res,callback); } );
+ tasks.push( function(arg1, callback) { dbRoutes.addRow(arg1,req,res,callback); } );
async.waterfall(tasks, function(err,result)
{
- if(err){
- msgArray.push(err);
- dbRoutes.getVnfData(req,res,{code:'failure', msg:msgArray},privilegeObj);
- return;
- }
- else {
- //logger.debug('Successfully uploaded ' + req.session.worksheetFilename);
- msgArray.push('Successfully uploaded file.' );
- dbRoutes.getVnfData(req,res,{code:'success', msg:msgArray},privilegeObj);
- return;
- }
+ if(err){
+ msgArray.push(err);
+ dbRoutes.getVnfData(req,res,{code:'failure', msg:msgArray},privilegeObj);
+ return;
+ }
+ else {
+ msgArray.push('Successfully uploaded file.' );
+ dbRoutes.getVnfData(req,res,{code:'success', msg:msgArray},privilegeObj);
+ return;
+ }
});
-
});
router.post('/uploadNetworkCsv', csp.checkAuth, upload.array('filename'), function(req, res)
{
- console.log('files:'+ JSON.stringify(req.files,null,4));
-
- var tasks = []
- var msgArray = new Array();
- var privilegeObj = req.session.loggedInAdmin;
-
- var privilegeObj = req.session.loggedInAdmin;
- var tasks = [];
+ console.log('uploadNetworkCsv');
- tasks.push ( function(callback) { network.go(req,res,callback,''); } );
- tasks.push ( function(arg1,arg2,callback) { formatNetworkInsertStatement(arg1,arg2,req,res,callback); } );
- tasks.push( function(arg1, callback) { dbRoutes.addRow(arg1,req,res,callback); } );
- async.waterfall(tasks, function(err,result)
- {
- if(err){
- msgArray.push(err);
- dbRoutes.getVnfNetworkData(req,res,{code:'failure', msg:msgArray},privilegeObj);
- return;
- }
- else {
- //logger.debug('Successfully uploaded ' + req.session.worksheetFilename);
- msgArray.push('Successfully uploaded file.' );
- dbRoutes.getVnfNetworkData(req,res,{code:'success', msg:msgArray},privilegeObj);
- return;
- }
- });
+ var msgArray = new Array();
+ var privilegeObj = req.session.loggedInAdmin;
+ var tasks = [];
+ tasks.push ( function(callback) { network.go(req,res,callback,''); } );
+ tasks.push ( function(arg1,arg2,callback) { formatNetworkInsertStatement(arg1,arg2,req,res,callback); } );
+ tasks.push( function(arg1, callback) { dbRoutes.addRow(arg1,req,res,callback); } );
+ async.waterfall(tasks, function(err,result)
+ {
+ if(err){
+ console.log('ERROR:' + err);
+ msgArray.push(err);
+ dbRoutes.getVnfNetworkData(req,res,{code:'failure', msg:msgArray},privilegeObj);
+ }
+ else {
+ msgArray.push('Successfully uploaded file.' );
+ dbRoutes.getVnfNetworkData(req,res,{code:'success', msg:msgArray},privilegeObj);
+ }
+ });
});
function formatVnfInsertStatement(content,filename,req,res,callback)
{
- //var newstr = JSON.stringify(content).replace(/\\\"/g,'\\\\\\"');
- //var ins_str = newstr.replace("\r\n ", "\\r\\n");
- var newstr = JSON.stringify(content);
- var enc_str = encodeURI(newstr);
- var sql = "INSERT INTO PRE_LOAD_VNF_DATA "
+ var newstr = JSON.stringify(content);
+ var enc_str = encodeURI(newstr);
+ var sql = "INSERT INTO PRE_LOAD_VNF_DATA "
+ "(filename,preload_data) VALUES ("
+ "'"+ filename + "',"
+ "'" + enc_str + "')";
callback(null,sql);
+ return;
}
function formatNetworkInsertStatement(content,filename,req,res,callback)
{
- var newstr = JSON.stringify(content);
- var enc_str = encodeURI(newstr);
- var sql = "INSERT INTO PRE_LOAD_VNF_NETWORK_DATA "
+ var newstr = JSON.stringify(content);
+ var enc_str = encodeURI(newstr);
+ var sql = "INSERT INTO PRE_LOAD_VNF_NETWORK_DATA "
+ "(filename,preload_data) VALUES ("
+ "'"+ filename + "',"
+ "'" + enc_str + "')";
callback(null,sql);
+ return;
}
-
-
module.exports = router;
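Review bot: `formatVnfInsertStatement` and `formatNetworkInsertStatement` still assemble the INSERT by string concatenation (`"'"+ filename + "',"` and `"'" + enc_str + "')"`), so the shape of the statement depends on upload-derived values. `encodeURI` leaves the single quote unescaped, so it does not neutralise a quote inside the JSON content, and `filename` is not encoded at all; it presumably originates from the uploaded file's name via `vnf.go`/`network.go`, which are outside this diff. Both functions should emit placeholders, `"(filename,preload_data) VALUES (?, ?)"`, and hand `[filename, enc_str]` to the database layer as bound values. That would need `dbRoutes.addRow` to accept a values array alongside the SQL text; its signature is not visible here, so confirm before changing the callback contract.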