authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/sla.js
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/sla.js')
-rw-r--r--admportal/server/router/routes/sla.js220
1 files changed, 85 insertions, 135 deletions
diff --git a/admportal/server/router/routes/sla.js b/admportal/server/router/routes/sla.js
index 10d64334..098cd66b 100644
--- a/admportal/server/router/routes/sla.js
+++ b/admportal/server/router/routes/sla.js
@@ -6,6 +6,8 @@ var fs = require('fs');
var dbRoutes = require('./dbRoutes');
var csp = require('./csp');
var multer = require('multer');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
var bodyParser = require('body-parser');
//var sax = require('sax'),strict=true,parser = sax.parser(strict);
var async = require('async');
@@ -21,9 +23,8 @@ var xmlfile='';
// used for file upload button, retain original file name
//router.use(bodyParser());
-router.use(bodyParser.urlencoded({
- extended: true
-}));
+var csrfProtection = csrf({cookie: true});
+router.use(bodyParser.urlencoded({ extended: true }));
//var upload = multer({ dest: process.cwd() + '/uploads/', rename: function(fieldname,filename){ return filename; } });
// multer 1.1
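Review bot: `csrf({cookie: true})` stores its secret in a cookie and therefore requires the cookie-parser middleware to run before `csrfProtection`; `cookieParser` is required in the first hunk but is never mounted in any hunk of this file, and unless the application mounts it at a higher level csurf will throw its misconfiguration error on the first protected request. Adding `router.use(cookieParser());` directly before the `csrfProtection` declaration makes the router self-contained. The secret cookie also takes the usual attributes through the options object, e.g. `var csrfProtection = csrf({ cookie: { httpOnly: true, sameSite: 'strict', secure: true } });` (`secure` only if the portal is served over TLS), which keeps it out of reach of page scripts and cross-site requests.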
@@ -57,11 +58,11 @@ router.use(multer({
// GET
-router.get('/listSLA', csp.checkAuth, function(req,res) {
+router.get('/listSLA', csp.checkAuth, csrfProtection, function(req,res) {
dbRoutes.listSLA(req,res,{code:'', msg:''} );
});
-router.get('/activate', csp.checkAuth, function(req,res){
+router.get('/activate', csp.checkAuth, csrfProtection, function(req,res){
var _module = req.query.module;
var rpc = req.query.rpc;
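Review bot: Adding `csrfProtection` to the `/activate` GET route does not validate a token, because csurf skips validation for GET, HEAD and OPTIONS by default (unless `ignoreMethods` is overridden elsewhere); it only makes `req.csrfToken()` available. The same applies to `/deactivate` and `/deleteDG` in the next two hunks, and all three change server state from query parameters, so a forged request still succeeds. To actually be protected they need to become POST routes, `router.post('/activate', csp.checkAuth, csrfProtection, function(req,res){` reading `req.body` instead of `req.query`, with the token submitted from the form and the views/links updated to match; `/listSLA` on GET is the natural place to hand `req.csrfToken()` to the view. The `/activate` handler continues past the end of this hunk.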
@@ -82,7 +83,7 @@ router.get('/activate', csp.checkAuth, function(req,res){
});
});
-router.get('/deactivate', csp.checkAuth, function(req,res){
+router.get('/deactivate', csp.checkAuth, csrfProtection, function(req,res){
var _module = req.query.module;
var rpc = req.query.rpc;
@@ -102,7 +103,7 @@ router.get('/deactivate', csp.checkAuth, function(req,res){
});
});
-router.get('/deleteDG', csp.checkAuth, function(req,res){
+router.get('/deleteDG', csp.checkAuth, csrfProtection, function(req,res){
var _module = req.query.module;
var rpc = req.query.rpc;
@@ -122,7 +123,7 @@ router.get('/deleteDG', csp.checkAuth, function(req,res){
});
});
-router.post('/dgUpload', upload.single('filename'), function(req, res, next){
+router.post('/dgUpload', upload.single('filename'), csrfProtection, function(req, res, next){
if(req.file.originalname){
if (req.file.originalname == 0) {
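Review bot: `csrfProtection` is placed after `upload.single('filename')`, so multer has already written the uploaded file to disk before the token is checked; a forged request is rejected only after the write, and the stored file is never removed. The same ordering appears on the `/upload` route in the next hunk. Placing `csrfProtection` ahead of `upload.single(...)` fixes the ordering, but at that point the multipart body is not yet parsed, so the token must be sent as the `_csrf` query parameter or the `csrf-token` header, which csurf's default lookup also accepts. Unlike every other route in this file, `/dgUpload` also has no `csp.checkAuth`; unless authentication is enforced for the whole router outside this hunk, it should be added ahead of the CSRF check. The handler body continues past the end of this hunk.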
@@ -188,88 +189,94 @@ router.post('/dgUpload', upload.single('filename'), function(req, res, next){
// POST
-router.post('/upload', csp.checkAuth, upload.single('filename'), function(req, res, next){
+router.post('/upload', csp.checkAuth, upload.single('filename'), csrfProtection, function(req, res, next){
console.log('file:'+ JSON.stringify(req.file));
- if(req.file.originalname){
- if (req.file.originalname.size == 0) {
- dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
- }
- fs.exists(req.file.path, function(exists) {
- if(exists) {
-
+ if(req.file.originalname)
+ {
+ if (req.file.originalname.size == 0)
+ {
+ dbRoutes.listSLA(req,res,
+ { code:'danger', msg:'There was an error uploading the file, please try again.'});
+ }
+ fs.exists(req.file.path, function(exists)
+ {
+ if(exists)
+ {
// parse xml
- try {
+ try
+ {
//dbRoutes.checkSvcLogic(req,res);
var currentDB = dbRoutes.getCurrentDB();
- var file_buf = fs.readFileSync(req.file.path, "utf8");
+ var file_buf = fs.readFileSync(req.file.path, "utf8");
- // call Dan's svclogic shell script from here
- var commandToExec = process.cwd()
- + "/shell/svclogic.sh load "
+ // call svclogic shell script from here
+ var commandToExec = process.cwd() + "/shell/svclogic.sh load "
+ req.file.path + " "
- + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
+ + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
- console.log("commandToExec:" + commandToExec);
- child = exec(commandToExec ,function (error,stdout,stderr){
- if(error){
- console.error("error:" + error);
+ console.log("commandToExec:" + commandToExec);
+ child = exec(commandToExec ,function (error,stdout,stderr)
+ {
+ if(error)
+ {
+ console.error("error:" + error);
dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
return;
- }
- if(stderr){
- console.error("stderr:" + JSON.stringify(stderr,null,2));
- var s_stderr = JSON.stringify(stderr);
- if ( s_stderr.indexOf("Saving") > -1 )
- {
- dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'});
- }else {
- dbRoutes.listSLA(req,res,{code:'failure', msg:stderr});
- }
- return;
- }
- if(stdout){
- console.log("stderr:" + stdout);
+ }
+ if(stderr){
+ console.error("stderr:" + JSON.stringify(stderr,null,2));
+ var s_stderr = JSON.stringify(stderr);
+ if ( s_stderr.indexOf("Saving") > -1 )
+ {
+ dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'});
+ }else {
+ dbRoutes.listSLA(req,res,{code:'failure', msg:stderr});
+ }
+ return;
+ }
+ if(stdout){
+ console.log("stderr:" + stdout);
dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'});
- return;
+ return;
}
// remove the grave accents, the sax parser does not like them
//parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
//dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
//dbRoutes.listSLA(req,res, resultObj);
- });
- } catch(ex) {
- // keep 'em silent
- console.error("error:" + ex);
- dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
- }
-
- } else {
- dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
- }
- });
+ });
+ } catch(ex) {
+ // keep 'em silent
+ console.error("error:" + ex);
+ dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
+ }
+ }
+ else {
+ dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
+ }
+ });
}
else {
dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
}
});
-router.get('/printAsXml', csp.checkAuth, function(req,res){
+router.get('/printAsXml', csp.checkAuth, csrfProtection, function(req,res){
try {
//dbRoutes.checkSvcLogic(req,res);
var _module = req.query.module;
- var rpc = req.query.rpc;
- var version = req.query.version;
- var mode = req.query.mode;
+ var rpc = req.query.rpc;
+ var version = req.query.version;
+ var mode = req.query.mode;
var currentDB = dbRoutes.getCurrentDB();
- // call Dan's svclogic shell script from here
- var commandToExec = process.cwd()
+ // call Dan's svclogic shell script from here
+ var commandToExec = process.cwd()
+ "/shell/svclogic.sh get-source "
+ _module + " "
+ rpc + " "
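Review bot: In the `/printAsXml` handler at the end of this hunk, `req.query.module`, `rpc`, `version` and `mode` are still concatenated into a single command string handed to `exec`, and the `/upload` handler builds its `load` command the same way from `req.file.path` and `currentDB`, so the string-built shell command that the commit message targets is still present in both handlers. Running the script through `execFile` (from the same `child_process` module that supplies `exec`) with an argv array takes the shell out of the call entirely; the `/upload` form is sketched below and `/printAsXml`, whose argument list continues into the next hunk, can follow the same shape. Separately, `if (req.file.originalname.size == 0)` reads a property a string does not have and, even if it fired, does not `return`, so the handler goes on into `fs.exists` and can answer the request twice; `if (req.file.size == 0) { dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); return; }` is presumably what was intended. Both handlers also assign `child` with no declaration, creating an implicit global; `var child = ...` keeps it local. The `/printAsXml` function starts in this hunk and ends in the next.
```javascript
var script = process.cwd() + "/shell/svclogic.sh";
var propsFile = process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
console.log("commandToExec:" + script + " load " + req.file.path + " " + propsFile);
var child = execFile(script, ["load", req.file.path, propsFile], function (error, stdout, stderr) {
  // … unchanged: error / stderr / stdout handling and listSLA responses …
});
```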
@@ -279,91 +286,34 @@ router.get('/printAsXml', csp.checkAuth, function(req,res){
console.log("commandToExec:" + commandToExec);
- child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){
- if(error){
+ child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){
+ if(error){
console.error("error:" + error);
- dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
+ dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
return;
- }
- //if(stderr){
- //logger.info("stderr:" + stderr);
- //}
- if(stdout){
- console.log("OUTPUT:" + stdout);
- res.render('sla/printasxml', {result:{code:'success',
- msg:'Module : ' + _module + '\n' +
+ }
+ //if(stderr){
+ //logger.info("stderr:" + stderr);
+ //}
+ if(stdout){
+ console.log("OUTPUT:" + stdout);
+ res.render('sla/printasxml', {result:{code:'success',
+ msg:'Module : ' + _module + '\n' +
'RPC : ' + rpc + '\n' +
'Mode : ' + mode + '\n' +
'Version: ' + version + '\n\n' + stdout}, header:process.env.MAIN_MENU});
- }
-
- // remove the grave accents, the sax parser does not like them
- //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
- //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
- //dbRoutes.listSLA(req,res, resultObj);
- });
- } catch(ex) {
+ }
+
+ // remove the grave accents, the sax parser does not like them
+ //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
+ //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
+ //dbRoutes.listSLA(req,res, resultObj);
+ });
+ } catch(ex) {
console.error("error:" + ex);
dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
- }
+ }
});
-router.get('/printAsGv', csp.checkAuth, function(req,res){
-
- try {
- //dbRoutes.checkSvcLogic(req,res);
-
- var _module = req.query.module;
- var rpc = req.query.rpc;
- var version = req.query.version;
- var mode = req.query.mode;
- var currentDB = dbRoutes.getCurrentDB();
-console.log('currentDB='+currentDB);
-
- // call Dan's svclogic shell script from here
- var commandToExec = process.cwd()
- + "/shell/svclogic.sh print "
- + _module + " "
- + rpc + " "
- + mode + " "
- + version + " "
- + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB
- + " | dot -Tpng";
-
- console.log("commandToExec:" + commandToExec);
-
- child = exec(commandToExec ,
- {encoding:'base64',maxBuffer:5000*1024}, function (error,stdout,stderr){
- if(error){
- console.error("error:" + error);
- dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
- return;
- }
- if(stderr){
- console.error("stderr:" + stderr);
- }
- if(stdout){
- //logger.info("OUTPUT:" + stdout);
- //res.render('sla/printasgv', result = {code:'success',
- //msg:new Buffer(stdout,'base64')} );
- res.render('sla/printasgv', {result:{code:'success',
- module: _module,
- rpc: rpc,
- version: version,
- mode:mode,
- msg:stdout}, header:process.env.MAIN_MENU});
- }
-
- // remove the grave accents, the sax parser does not like them
- //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
- //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
- //dbRoutes.listSLA(req,res, resultObj);
- });
- } catch(ex) {
- console.error("error:" + ex);
- dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
- }
-
-});
module.exports = router;
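Review bot: When `exec` fails in the `/printAsXml` callback, the `error` object itself is passed as `msg` to `dbRoutes.listSLA`; Node sets `error.cmd` to the full command line, so if `listSLA` renders `msg` the page would expose the script path, the `SDNC_CONFIG_DIR` value and the properties file name to the browser. Logging the error server-side (already done) and responding with a fixed text, `dbRoutes.listSLA(req,res,{code:'failure',msg:'Failed to retrieve module source.'} );`, keeps that detail out of the response; the `ex` passed from the catch block warrants the same treatment. The script's `stdout` is also concatenated into the rendered `msg`; whether `sla/printasxml` escapes it cannot be seen here and is worth confirming, since that output is embedded in the page. Deleting `/printAsGv` is deliberate, but any view or menu link that still points at it will now 404; that cannot be checked from this file. The `/printAsXml` handler begins in the previous hunk.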