aboutsummaryrefslogtreecommitdiffstats
path: root/admportal/views/partials
diff options
context:
space:
mode:
authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/views/partials
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code exection on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/views/partials')
-rw-r--r--admportal/views/partials/new_parameter.ejs71
-rw-r--r--admportal/views/partials/newuserform.ejs15
-rw-r--r--admportal/views/partials/update_parameter.ejs1
-rw-r--r--admportal/views/partials/userform.ejs79
-rw-r--r--admportal/views/partials/vnf_profile.ejs7
5 files changed, 89 insertions, 84 deletions
diff --git a/admportal/views/partials/new_parameter.ejs b/admportal/views/partials/new_parameter.ejs
index b6d1f5be..4a2c0fe3 100644
--- a/admportal/views/partials/new_parameter.ejs
+++ b/admportal/views/partials/new_parameter.ejs
@@ -1,36 +1,37 @@
- <div class="modal fade" id="new_parameter" tabindex="-1" role="dialog"
+<div class="modal fade" id="new_parameter" tabindex="-1" role="dialog"
aria-labelledby="new_parameter_label" aria-hidden="true">
- <div class="modal-dialog">
- <div class="modal-content">
- <div class="modal-header">
- <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
- <h4 class="modal-title">Add Parameter</h4>
- </div>
- <div class="modal-body">
- <form name="addForm" role="form" action="/admin/addParameter" method="POST">
- <div class="form-group">
- <label for="nf_name">*Name</label>
- <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)">
- </div>
- <div class="form-group">
- <label for="nf_value">*Value</label>
- <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)">
- </div>
- <div class="form-group">
- <label for="nf_category">Category</label>
- <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)">
- </div>
- <div class="form-group">
- <label for="nf_memo">Memo</label>
- <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)">
- </div>
- <div class="form-group">
- <input type="hidden" name="nf_action" id="nf_action">
- <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
- </div>
- </form>
- </div>
- </div>
- </div>
- </div>
+ <div class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+ <h4 class="modal-title">Add Parameter</h4>
+ </div>
+ <div class="modal-body">
+ <form name="addForm" role="form" action="/admin/addParameter" method="POST">
+ <div class="form-group">
+ <label for="nf_name">*Name</label>
+ <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_value">*Value</label>
+ <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_category">Category</label>
+ <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_memo">Memo</label>
+ <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)" />
+ </div>
+ <div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <input type="hidden" name="nf_action" id="nf_action">
+ <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ </div>
+ </form>
+ </div>
+ </div>
+ </div>
+</div>
diff --git a/admportal/views/partials/newuserform.ejs b/admportal/views/partials/newuserform.ejs
index 60459947..61bf2ddc 100644
--- a/admportal/views/partials/newuserform.ejs
+++ b/admportal/views/partials/newuserform.ejs
@@ -1,32 +1,33 @@
-<div class="modal fade" id="newUserModal" tabindex="-1" role="dialog" aria-labelledby="newUserModalLabel" aria-hidden="true">
+<div class="modal fade" id="new_user" tabindex="-1" role="dialog" aria-labelledby="new_user" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
- <h4 class="modal-title" id="newUserModalLabel">New User</h4>
+ <h4 class="modal-title">New User</h4>
</div>
<div class="modal-body">
<form id="addForm" name="addForm" role="form" action="/user/addUser" method="POST">
<div class="form-group">
- <label for="email">Email</label>
- <input type="email" class="form-control" name="nf_email" id="nf_email">
+ <label for="nf_email">Email</label>
+ <input type="email" class="form-control" name="nf_email" id="nf_email" placeholder="varchar(64)" maxlength="64" />
</div>
<div class="form-group">
<label for="nf_password">Password</label>
- <input type="password" class="form-control" name="nf_password" id="nf_password">
+ <input type="password" class="form-control" name="nf_password" id="nf_password" />
</div>
<div class="form-group">
<label for="nf_confirm_password">Confirm Password</label>
- <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password">
+ <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password" />
</div>
<div class="form-group">
- <label for="privilege">Privilege</label>
+ <label for="nf_privilege">Privilege</label>
<select class="form-control" name="nf_privilege" id="nf_privilege">
<option value=admin>Administrator</option>
<option value=readonly>Readonly</option>
</select>
</div>
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</div>
diff --git a/admportal/views/partials/update_parameter.ejs b/admportal/views/partials/update_parameter.ejs
index c0ef57d2..257f657e 100644
--- a/admportal/views/partials/update_parameter.ejs
+++ b/admportal/views/partials/update_parameter.ejs
@@ -25,6 +25,7 @@
<input maxlength="128" type="text" class="form-control" name="uf_memo" id="uf_memo" placeholder="varchar(128)">
</div>
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<input type="hidden" name="nf_action" id="nf_action">
<input type="hidden" name="uf_key_name" id="uf_key_name">
<button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
diff --git a/admportal/views/partials/userform.ejs b/admportal/views/partials/userform.ejs
index fae52ad2..f882c6d0 100644
--- a/admportal/views/partials/userform.ejs
+++ b/admportal/views/partials/userform.ejs
@@ -1,41 +1,42 @@
- <div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
- <div class="modal-dialog">
- <div class="modal-content">
- <div class="modal-header">
- <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
- <h4 class="modal-title" id="myUserModalLabel">Update User</h4>
- </div>
- <div class="modal-body">
- <form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
- <div class="form-group">
- <label for="uf_email">attuid</label>
- <input type="email" class="form-control" name="uf_email" id="uf_email">
- </div>
- <div class="form-group">
- <label for="uf_password">Password</label>
- <input type="password" class="form-control" name="uf_password" id="uf_password">
- </div>
- <div class="form-group">
- <label for="uf_confirm_password">Confirm Password</label>
- <input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password">
- </div>
- <div class="form-group">
- <label for="privilege">Privilege</label>
- <select class="form-control" name="uf_privilege" id="uf_privilege">
- <option value=admin>Administrator</option>
- <option value=readonly>Readonly</option>
- </select>
- </div>
- <div class="form-group">
- <input type="hidden" name="uf_action" id="uf_action">
- <input type="hidden" name="uf_key_email" id="uf_key_email">
- <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
- </div>
- </form>
- </div>
- </div>
- </div>
- </div>
+<div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
+ <div class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+ <h4 class="modal-title" id="myUserModalLabel">Update User</h4>
+ </div>
+ <div class="modal-body">
+ <form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
+ <div class="form-group">
+ <label for="uf_email">Email</label>
+ <input type="email" class="form-control" name="uf_email" id="uf_email" />
+ </div>
+ <div class="form-group">
+ <label for="uf_password">Password</label>
+ <input type="password" class="form-control" name="uf_password" id="uf_password" />
+ </div>
+ <div class="form-group">
+ <label for="uf_confirm_password">Confirm Password</label>
+ <input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password" />
+ </div>
+ <div class="form-group">
+ <label for="uf_privilege">Privilege</label>
+ <select class="form-control" name="uf_privilege" id="uf_privilege">
+ <option value=admin>Administrator</option>
+ <option value=readonly>Readonly</option>
+ </select>
+ </div>
+ <div class="form-group">
+ <input type="hidden" name="uf_action" id="uf_action" />
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <input type="hidden" name="uf_key_email" id="uf_key_email" />
+ <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ </div>
+ </form>
+ </div>
+ </div>
+ </div>
+</div>
diff --git a/admportal/views/partials/vnf_profile.ejs b/admportal/views/partials/vnf_profile.ejs
index d67cf1a6..f5132191 100644
--- a/admportal/views/partials/vnf_profile.ejs
+++ b/admportal/views/partials/vnf_profile.ejs
@@ -21,9 +21,10 @@
<input type="text" class="form-control" name="nf_equipment_role" id="nf_equipment_role" maxlength="11" placeholder="varchar(80)">
</div>
<div class="form-group">
- <input type="hidden" name="nf_action" id="nf_action">
- <button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ <input type="hidden" name="nf_action" id="nf_action">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</div>
</form>
</div>