author | Rotundo, Al (ar3165) <ar3165@att.com> | 2019-07-31 14:46:56 +0000 |
---|---|---|
committer | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-07-31 14:31:07 -0400 |
commit | 18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch) | |
tree | 39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/sla.js | |
parent | 33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff) |
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal.
Issue-ID: OJSI-40
Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/sla.js')
-rw-r--r-- | admportal/server/router/routes/sla.js | 220 |
1 files changed, 85 insertions, 135 deletions
diff --git a/admportal/server/router/routes/sla.js b/admportal/server/router/routes/sla.js
index 10d64334..098cd66b 100644
--- a/admportal/server/router/routes/sla.js
+++ b/admportal/server/router/routes/sla.js
@@ -6,6 +6,8 @@ var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
 var multer = require('multer');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
 var bodyParser = require('body-parser');
 //var sax = require('sax'),strict=true,parser = sax.parser(strict);
 var async = require('async');
@@ -21,9 +23,8 @@ var xmlfile=''; // used for file upload button, retain original file name
 //router.use(bodyParser());
-router.use(bodyParser.urlencoded({
- extended: true
-}));
+var csrfProtection = csrf({cookie: true});
+router.use(bodyParser.urlencoded({ extended: true }));
 //var upload = multer({ dest: process.cwd() + '/uploads/', rename: function(fieldname,filename){ return filename; } });
 // multer 1.1
@@ -57,11 +58,11 @@ router.use(multer({
 // GET
-router.get('/listSLA', csp.checkAuth, function(req,res) {
+router.get('/listSLA', csp.checkAuth, csrfProtection, function(req,res) {
 dbRoutes.listSLA(req,res,{code:'', msg:''} );
 });
-router.get('/activate', csp.checkAuth, function(req,res){
+router.get('/activate', csp.checkAuth, csrfProtection, function(req,res){
 var _module = req.query.module;
 var rpc = req.query.rpc;
@@ -82,7 +83,7 @@ router.get('/activate', csp.checkAuth, function(req,res){
 });
 });
-router.get('/deactivate', csp.checkAuth, function(req,res){
+router.get('/deactivate', csp.checkAuth, csrfProtection, function(req,res){
 var _module = req.query.module;
 var rpc = req.query.rpc;
@@ -102,7 +103,7 @@ router.get('/deactivate', csp.checkAuth, function(req,res){
 });
 });
-router.get('/deleteDG', csp.checkAuth, function(req,res){
+router.get('/deleteDG', csp.checkAuth, csrfProtection, function(req,res){
 var _module = req.query.module;
 var rpc = req.query.rpc;
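Review bot: `cookieParser` is required in the first hunk but never mounted anywhere in this file, while the second hunk builds `csrfProtection` with `csrf({cookie: true})`, which keeps its secret in the `_csrf` cookie and therefore needs `cookie-parser` to run earlier in the middleware chain; unless the application entry point mounts it (not visible here), csurf will reject every protected request as misconfigured. Either add `router.use(cookieParser());` before `var csrfProtection = csrf({cookie: true});` or drop the unused require. Consider also passing cookie attributes, e.g. `csrf({cookie: {httpOnly: true, secure: true, sameSite: 'strict'}})`, so the secret cookie is neither readable from page script nor sent over plain HTTP. csurf has since been deprecated by its maintainers, so a maintained replacement may be worth planning.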
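Review bot: Putting `csrfProtection` on the GET routes `/listSLA` and `/activate` in this hunk, and on `/deactivate` and `/deleteDG` in the next two hunks, validates nothing, because csurf skips GET, HEAD and OPTIONS by default; on these routes it only makes `req.csrfToken()` available, and `/activate`, `/deactivate` and `/deleteDG` still perform state changes on a plain GET driven by `req.query`. To close the CSRF gap those three need to become POST handlers (with `bodyParser.urlencoded` already mounted, csurf reads `_csrf` from the form body) and the views that link to them need the token rendered via `req.csrfToken()`. Keeping `csrfProtection` on `/listSLA` is useful only if its view emits that token into the forms; otherwise it is a no-op. The route bodies continue outside these hunks.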
@@ -122,7 +123,7 @@ router.get('/deleteDG', csp.checkAuth, function(req,res){
 });
 });
-router.post('/dgUpload', upload.single('filename'), function(req, res, next){
+router.post('/dgUpload', upload.single('filename'), csrfProtection, function(req, res, next){
 if(req.file.originalname){
 if (req.file.originalname == 0) {
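Review bot: `/dgUpload` remains the only mutating route in this router without `csp.checkAuth`, so the new line adds CSRF validation to an upload endpoint that this file never authenticates; unless an app-level guard covers it, change the line to `router.post('/dgUpload', csp.checkAuth, upload.single('filename'), csrfProtection, function(req, res, next){`. Placing `upload.single` before `csrfProtection` is correct, since multer has to parse the multipart body before csurf can read `_csrf` from it. The following `if(req.file.originalname)` throws a TypeError when the request carries no file part (`req.file` is then undefined), so a `if (!req.file) { ... return; }` guard before it would turn that crash into the existing 'danger' response. The handler body continues outside the hunk.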
@@ -188,88 +189,94 @@ router.post('/dgUpload', upload.single('filename'), function(req, res, next){ // POST -router.post('/upload', csp.checkAuth, upload.single('filename'), function(req, res, next){ +router.post('/upload', csp.checkAuth, upload.single('filename'), csrfProtection, function(req, res, next){ console.log('file:'+ JSON.stringify(req.file)); - if(req.file.originalname){ - if (req.file.originalname.size == 0) { - dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); - } - fs.exists(req.file.path, function(exists) { - if(exists) { - + if(req.file.originalname) + { + if (req.file.originalname.size == 0) + { + dbRoutes.listSLA(req,res, + { code:'danger', msg:'There was an error uploading the file, please try again.'}); + } + fs.exists(req.file.path, function(exists) + { + if(exists) + { // parse xml - try { + try + { //dbRoutes.checkSvcLogic(req,res); var currentDB = dbRoutes.getCurrentDB(); - var file_buf = fs.readFileSync(req.file.path, "utf8"); + var file_buf = fs.readFileSync(req.file.path, "utf8"); - // call Dan's svclogic shell script from here - var commandToExec = process.cwd() - + "/shell/svclogic.sh load " + // call svclogic shell script from here + var commandToExec = process.cwd() + "/shell/svclogic.sh load " + req.file.path + " " - + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB; + + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." 
+ currentDB; - console.log("commandToExec:" + commandToExec); - child = exec(commandToExec ,function (error,stdout,stderr){ - if(error){ - console.error("error:" + error); + console.log("commandToExec:" + commandToExec); + child = exec(commandToExec ,function (error,stdout,stderr) + { + if(error) + { + console.error("error:" + error); dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); return; - } - if(stderr){ - console.error("stderr:" + JSON.stringify(stderr,null,2)); - var s_stderr = JSON.stringify(stderr); - if ( s_stderr.indexOf("Saving") > -1 ) - { - dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'}); - }else { - dbRoutes.listSLA(req,res,{code:'failure', msg:stderr}); - } - return; - } - if(stdout){ - console.log("stderr:" + stdout); + } + if(stderr){ + console.error("stderr:" + JSON.stringify(stderr,null,2)); + var s_stderr = JSON.stringify(stderr); + if ( s_stderr.indexOf("Saving") > -1 ) + { + dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'}); + }else { + dbRoutes.listSLA(req,res,{code:'failure', msg:stderr}); + } + return; + } + if(stdout){ + console.log("stderr:" + stdout); dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'}); - return; + return; } // remove the grave accents, the sax parser does not like them //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { - // keep 'em silent - console.error("error:" + ex); - dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); - } - - } else { - dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); - } - }); + }); + } catch(ex) { + // keep 'em silent + console.error("error:" + ex); + dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); + } + } + else { + dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please 
try again.'}); + } + }); } else { dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); } }); -router.get('/printAsXml', csp.checkAuth, function(req,res){ +router.get('/printAsXml', csp.checkAuth, csrfProtection, function(req,res){ try { //dbRoutes.checkSvcLogic(req,res); var _module = req.query.module; - var rpc = req.query.rpc; - var version = req.query.version; - var mode = req.query.mode; + var rpc = req.query.rpc; + var version = req.query.version; + var mode = req.query.mode; var currentDB = dbRoutes.getCurrentDB(); - // call Dan's svclogic shell script from here - var commandToExec = process.cwd() + // call Dan's svclogic shell script from here + var commandToExec = process.cwd() + "/shell/svclogic.sh get-source " + _module + " " + rpc + " " 
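Review bot: The re-indented `if (req.file.originalname.size == 0)` check in `/upload` can never be true, because `originalname` is a string and its `.size` is undefined; the intended field is presumably multer's `req.file.size`, and the branch also lacks a `return`, so on an empty file the code falls through to `fs.exists` and may answer the request twice. Suggested: `if (req.file.size === 0) { dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); return; }`. `child = exec(commandToExec ,function (error,stdout,stderr)` in the same hunk assigns an undeclared identifier and so creates an implicit global (the same pattern appears in `/printAsXml` in the next hunk); prefix it with `var`. `fs.exists` is deprecated in Node; `fs.access` or `fs.stat` is the maintained replacement. The `/upload` handler ends inside this hunk; the `/printAsXml` handler that starts at its end continues into the next.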
@@ -279,91 +286,34 @@ router.get('/printAsXml', csp.checkAuth, function(req,res){ console.log("commandToExec:" + commandToExec); - child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){ - if(error){ + child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){ + if(error){ console.error("error:" + error); - dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); + dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); return; - } - //if(stderr){ - //logger.info("stderr:" + stderr); - //} - if(stdout){ - console.log("OUTPUT:" + stdout); - res.render('sla/printasxml', {result:{code:'success', - msg:'Module : ' + _module + '\n' + + } + //if(stderr){ + //logger.info("stderr:" + stderr); + //} + if(stdout){ + console.log("OUTPUT:" + stdout); + res.render('sla/printasxml', {result:{code:'success', + msg:'Module : ' + _module + '\n' + 'RPC : ' + rpc + '\n' + 'Mode : ' + mode + '\n' + 'Version: ' + version + '\n\n' + stdout}, header:process.env.MAIN_MENU}); - } - - // remove the grave accents, the sax parser does not like them - //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); - //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); - //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { + } + + // remove the grave accents, the sax parser does not like them + //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); + //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); + //dbRoutes.listSLA(req,res, resultObj); + }); + } catch(ex) { console.error("error:" + ex); dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); - } + } }); -router.get('/printAsGv', csp.checkAuth, function(req,res){ - - try { - //dbRoutes.checkSvcLogic(req,res); - - var _module = req.query.module; - var rpc = req.query.rpc; - var version = req.query.version; - var mode = req.query.mode; - var currentDB = dbRoutes.getCurrentDB(); -console.log('currentDB='+currentDB); - - // call Dan's svclogic shell 
script from here - var commandToExec = process.cwd() - + "/shell/svclogic.sh print " - + _module + " " - + rpc + " " - + mode + " " - + version + " " - + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB - + " | dot -Tpng"; - - console.log("commandToExec:" + commandToExec); - - child = exec(commandToExec , - {encoding:'base64',maxBuffer:5000*1024}, function (error,stdout,stderr){ - if(error){ - console.error("error:" + error); - dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); - return; - } - if(stderr){ - console.error("stderr:" + stderr); - } - if(stdout){ - //logger.info("OUTPUT:" + stdout); - //res.render('sla/printasgv', result = {code:'success', - //msg:new Buffer(stdout,'base64')} ); - res.render('sla/printasgv', {result:{code:'success', - module: _module, - rpc: rpc, - version: version, - mode:mode, - msg:stdout}, header:process.env.MAIN_MENU}); - } - - // remove the grave accents, the sax parser does not like them - //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); - //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); - //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { - console.error("error:" + ex); - dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); - } - -}); module.exports = router; |
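Review bot: `/printAsXml` still hands `commandToExec` to `exec`, i.e. to a shell, and that string is assembled (at the end of the previous hunk) from `req.query.module`, `req.query.rpc`, `req.query.mode` and `req.query.version` with no validation, so the commit's stated goal of preventing arbitrary code execution is met only for the removed `/printAsGv` route, not for this one. The defensive fix is to stop involving a shell: call `execFile` with the script path and an argument array so each query value becomes exactly one argv entry, and additionally reject values that do not match the expected identifier shape (an allow-list such as `/^[\w.-]+$/`) before running anything. `execFile` would need to be required from `child_process` alongside `exec`, which is outside this hunk, and the argument order after `rpc` is cut off in the previous hunk, so it must be confirmed against the original concatenation. The same `exec`-with-concatenated-string pattern remains in `/upload`, although there the inputs are a multer-generated path and environment values rather than query parameters.
```javascript
// … unchanged: var _module/rpc/version/mode = req.query.*, currentDB …
var scriptPath = process.cwd() + "/shell/svclogic.sh";
var propsFile = process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
// no shell: each value is a single argv entry; order after rpc taken from the original string — confirm
var child = execFile(scriptPath, ["get-source", _module, rpc, mode, version, propsFile],
                     {maxBuffer: 1024*5000}, function (error,stdout,stderr){
// … unchanged: error / stdout handling and res.render …
```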