author | Rotundo, Al (ar3165) <ar3165@att.com> | 2019-07-31 14:46:56 +0000 |
---|---|---|
committer | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-07-31 14:31:07 -0400 |
commit | 18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch) | |
tree | 39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/server/router/routes/user.js | |
parent | 33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff) |
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal.
Issue-ID: OJSI-40
Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/server/router/routes/user.js')
-rw-r--r-- | admportal/server/router/routes/user.js | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/admportal/server/router/routes/user.js b/admportal/server/router/routes/user.js
index 40d3437c..df5f8607 100644
--- a/admportal/server/router/routes/user.js
+++ b/admportal/server/router/routes/user.js
@@ -5,8 +5,13 @@ var util = require('util');
 var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
 var bodyParser = require('body-parser');
-var sax = require('sax'),strict=true,parser = sax.parser(strict);
+//var sax = require('sax'),strict=true,parser = sax.parser(strict);
+
+var csrfProtection = csrf({cookie: true});
+router.use(cookieParser());
 // SVC_LOGIC table columns
 var _module=''; // cannot use module its a reserved word
@@ -17,16 +22,21 @@ var xmlfile='';
 //router.use(bodyParser());
-router.use(bodyParser.urlencoded({
-	extended: true
-}));
+router.use(bodyParser.urlencoded({ extended: true }));
 // GET
 router.get('/listUsers', csp.checkAuth, function(req,res) {
 	dbRoutes.listUsers(req,res, {user:req.session.loggedInAdmin,code:'', msg:''} );
 });
-router.get('/deleteUser', csp.checkAuth, function(req,res) {
+// POST
+router.post('/updateUser', csp.checkAuth, csrfProtection, function(req,res,next){
+	dbRoutes.updateUser(req,res,{code:'',msg:''});
+});
+router.post('/addUser', csp.checkAuth, csrfProtection, function(req,res) {
+	dbRoutes.addUser(req,res, {code:'', msg:''} );
+});
+router.get('/deleteUser', csp.checkAuth, csrfProtection, function(req,res) {
 	dbRoutes.deleteUser(req,res, {code:'', msg:''} );
 });
@@ -93,13 +103,6 @@ parser.onend = function () {
 */
-// POST
-router.post('/updateUser', csp.checkAuth, function(req,res,next){
-	dbRoutes.updateUser(req,res,{code:'',msg:''});
-});
-router.post('/addUser', csp.checkAuth, function(req,res) {
-	dbRoutes.addUser(req,res, {code:'', msg:''} );
-});
 //router.post('/upload', csp.checkAuth, function(req, res, next){
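Review bot: Adding `csrfProtection` to the `/deleteUser` route in the second hunk does not protect it, because csurf skips token verification for GET, HEAD and OPTIONS by default (its `ignoreMethods` setting), so on a GET route the middleware only issues a token and the state-changing delete stays reachable from a cross-site request. The delete should become a POST with the same middleware chain, `router.post('/deleteUser', csp.checkAuth, csrfProtection, function(req,res) {`, with the callers updated accordingly; if a GET delete has to be kept for now, `ignoreMethods: ['HEAD', 'OPTIONS']` can be passed to `csrf()` in the first hunk, but moving to POST is the cleaner fix. In the first hunk, `csrf({cookie: true})` keeps the CSRF secret in an unsigned `_csrf` cookie with default attributes; `cookie: { httpOnly: true, secure: true, sameSite: 'strict' }` (plus `signed: true` with a secret given to `cookieParser()`) keeps the secret away from page scripts and plain-HTTP transport. The hunk does not show `req.csrfToken()` being handed to the forms that post to `/updateUser` and `/addUser`; presumably that happens in dbRoutes or the views, otherwise those POSTs will now be rejected with 403.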