Added new modules to help prevent Cross Site Request Forgery

Made changes to prevent arbitrary code execution on AdmPortal.
Issue-ID: OJSI-40

Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>

Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
diff --git a/admportal/views/mobility/vnfPreloadData.ejs b/admportal/views/mobility/vnfPreloadData.ejs
index 69f02e5..4dc7398 100644
--- a/admportal/views/mobility/vnfPreloadData.ejs
+++ b/admportal/views/mobility/vnfPreloadData.ejs
@@ -110,8 +110,9 @@
     <div class="col-md-8  col-md-push-4">
 	<form method="POST" action="/mobility/uploadVnfData" enctype="multipart/form-data">
 		<div class="form-group">
+				<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
     		<label for="dest">Upload pre processed JSON file.</label>
-    		<input name="filename" type="file" id="dest">
+    		<input name="filename" type="file" id="dest" />
     		<p class="help-block">Choose a JSON file to upload.</p>
             <button type="button" class="btn btn-default"
 				data-toggle="tooltip" data-placement="bottom"
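Review bot: The new `_csrf` field is posted inside a `multipart/form-data` body, which the usual urlencoded/JSON body parsers leave out of `req.body`, so the CSRF middleware can only see the token on `/mobility/uploadVnfData` if the multipart parser runs before the CSRF check on that route; the server wiring is outside this diff, so this is worth confirming, or the upload handler can send the token in a `CSRF-Token` header instead. The hidden input is also indented four tabs deeper than the surrounding `form-group` block for no visible reason. The form's submit button and closing tag continue outside the hunk.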
@@ -123,8 +124,9 @@
 	<div class="col-md-4 col-md-pull-8">
 	<form method="POST" action="/preload/uploadVnfCsv" enctype="multipart/form-data">
 		<div class="form-group">
+				<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
     		<label for="dest">Upload Worksheet CSV files from the <%= preloadImportDirectory %> directory.</label>
-    		<input name="filename" type="file" id="dest" multiple>
+    		<input name="filename" type="file" id="dest" multiple />
     		<p class="help-block">Choose Worksheet CSV files to upload.</p>
 			<button type="button" class="btn btn-default" 
 				data-toggle="tooltip" data-placement="bottom" 
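Review bot: The file input on the `name="filename"` line keeps `id="dest"`, which the JSON-upload form earlier on this page already uses, so `label for="dest"` here resolves to the other form's input and `getElementById('dest')` can never reach this one. Give the second form a distinct id, e.g. `<input name="filename" type="file" id="csvDest" multiple />` with `<label for="csvDest">`. The same caveat as the first form applies to the new `_csrf` field: it travels in a multipart body, so the CSRF check on `/preload/uploadVnfCsv` must run after the multipart parser, which cannot be verified from this diff.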
diff --git a/admportal/views/mobility/vnfPreloadNetworkData.ejs b/admportal/views/mobility/vnfPreloadNetworkData.ejs
index 099dcba..5d6204c 100644
--- a/admportal/views/mobility/vnfPreloadNetworkData.ejs
+++ b/admportal/views/mobility/vnfPreloadNetworkData.ejs
@@ -111,7 +111,7 @@
     <form method="POST" action="/mobility/uploadVnfNetworkData" enctype="multipart/form-data">
         <div class="form-group">
             <label for="dest">Upload pre processed JSON file.</label>
-            <input name="filename" type="file" id="dest"></input>
+            <input name="filename" type="file" id="dest" />
             <p class="help-block">Choose a JSON file to upload.</p>
             <button type="button" class="btn btn-default"
                 data-toggle="tooltip" data-placement="bottom"
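Review bot: The `/mobility/uploadVnfNetworkData` form in this hunk receives no `_csrf` hidden field, although the equivalent JSON-upload form in `vnfPreloadData.ejs` gets one in the same commit. If the new CSRF middleware covers this route the upload will be rejected; if it does not, the route remains forgeable. Add `<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />` beside the file input, matching the sibling view.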
@@ -125,7 +125,7 @@
     <form method="POST" action="/preload/uploadNetworkCsv" enctype="multipart/form-data">
         <div class="form-group">
             <label for="dest">Upload Worksheet CSV files from the <%= preloadImportDirectory %> directory.</label>
-            <input name="filename" type="file" id="dest" multiple></input>
+            <input name="filename" type="file" id="dest" multiple />
             <p class="help-block">Choose Worksheet CSV files to upload.</p>
             <button type="button" class="btn btn-default"
                 data-toggle="tooltip" data-placement="bottom"
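Review bot: The `/preload/uploadNetworkCsv` form here is likewise left without a `_csrf` field while its twin in `vnfPreloadData.ejs` gets one, so it will either be blocked by the new middleware or stay unprotected. Add `<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />` next to the file input. This form also reuses `id="dest"` already taken by the JSON form above it on the same page, so the `label for="dest"` points at the wrong input; a distinct id such as `csvDest` fixes that.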
diff --git a/admportal/views/mobility/vnfProfile.ejs b/admportal/views/mobility/vnfProfile.ejs
index 1a49498..a801b90 100644
--- a/admportal/views/mobility/vnfProfile.ejs
+++ b/admportal/views/mobility/vnfProfile.ejs
@@ -90,6 +90,7 @@
 	<% if(priv == 'A'){ %>
 	<div class="actions" style="padding:0px 25px;">
 	<form method="POST" action="/mobility/uploadVnfProfile" enctype="multipart/form-data">
+		<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
 		<div class="form-group">
     		<label for="dest">File input</label>
     		<input name="filename" type="file" id="dest">
diff --git a/admportal/views/pages/login.ejs b/admportal/views/pages/login.ejs
index 3a3e5e4..9da2f31 100644
--- a/admportal/views/pages/login.ejs
+++ b/admportal/views/pages/login.ejs
@@ -33,6 +33,7 @@
       <form class="form-signin" method="POST" action="/formlogin">
         <h3 class="form-signin-heading">AdminPortal Login</h3>
 
+				<input type="hidden" name="_csrf" value="<%= csrfToken %>" />
         <input type="text" name="email" id="email" class="form-control" placeholder="Email" required>
         <input type="password" name="password" id="password" class="form-control" placeholder="Password" required>
 
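Review bot: `<%= csrfToken %>` on the new line is a bare template local, unlike the `privilege.csrfToken` used in the other views, so every `res.render` of the login page — including the re-render after a failed login attempt — must pass `csrfToken`, or EJS raises a ReferenceError for the undefined name and the login page stops rendering. A pre-authentication token also needs a session or cookie secret to exist before login, which cannot be confirmed from this diff. The inserted line is tab-indented inside a space-indented form.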
diff --git a/admportal/views/pages/signup.ejs b/admportal/views/pages/signup.ejs
index 03ac7bc..2a03953 100644
--- a/admportal/views/pages/signup.ejs
+++ b/admportal/views/pages/signup.ejs
@@ -33,6 +33,7 @@
       <form class="form-signin" method="POST" action="/formSignUp">
         <h3 class="form-signin-heading">AdminPortal Signup</h3>
 
+				<input type="hidden" name="_csrf" value="<%= csrfToken %>" />
         <input type="email" name="nf_email" id="nf_email" class="form-control" placeholder="Email Address" required>
         <input type="password" name="nf_password" id="nf_password" class="form-control" placeholder="Password" required>
 
diff --git a/admportal/views/partials/new_parameter.ejs b/admportal/views/partials/new_parameter.ejs
index b6d1f5b..4a2c0fe 100644
--- a/admportal/views/partials/new_parameter.ejs
+++ b/admportal/views/partials/new_parameter.ejs
@@ -1,36 +1,37 @@
-   <div class="modal fade" id="new_parameter" tabindex="-1" role="dialog" 
+<div class="modal fade" id="new_parameter" tabindex="-1" role="dialog" 
 		aria-labelledby="new_parameter_label" aria-hidden="true">
-      <div class="modal-dialog">
-        <div class="modal-content">
-          <div class="modal-header">
-            <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-            <h4 class="modal-title">Add Parameter</h4>
-          </div>
-          <div class="modal-body">
-            <form name="addForm" role="form" action="/admin/addParameter" method="POST">
-              <div class="form-group">
-                <label for="nf_name">*Name</label>
-                <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)">
-              </div>
-              <div class="form-group">
-                <label for="nf_value">*Value</label>
-                <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)">
-              </div>
-              <div class="form-group">
-                <label for="nf_category">Category</label>
-                <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)">
-              </div>
-              <div class="form-group">
-                <label for="nf_memo">Memo</label>
-                <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)">
-              </div>
-			  <div class="form-group">
-                  <input type="hidden" name="nf_action" id="nf_action">
-                  <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
-                  <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-              </div>
-           </form>
-          </div>
-      </div>
-    </div>
-  </div>
+	<div class="modal-dialog">
+		<div class="modal-content">
+			<div class="modal-header">
+				<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+				<h4 class="modal-title">Add Parameter</h4>
+			</div>
+			<div class="modal-body">
+				<form name="addForm" role="form" action="/admin/addParameter" method="POST">
+					<div class="form-group">
+						<label for="nf_name">*Name</label>
+						<input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_value">*Value</label>
+						<input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_category">Category</label>
+						<input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_memo">Memo</label>
+						<input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)" />
+					</div>
+					<div class="form-group">
+						<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+          	<input type="hidden" name="nf_action" id="nf_action">
+          	<button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
+          	<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+        	</div>
+        </form>
+			</div>
+		</div>
+	</div>
+</div>
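Review bot: Submission goes through `submitParam(this.form)` on the `onclick` line rather than a native submit, so the new `_csrf` field only reaches `/admin/addParameter` if that helper posts the form element itself or copies the field into its request; if it assembles an XHR payload from the named inputs the token is dropped and every add will fail the CSRF check — `submitParam` is defined outside this diff. The `maxlength`/`varchar(n)` hints on the inputs are client-side only and should be mirrored by server-side length checks. The lines from `<input type="hidden" name="nf_action" id="nf_action">` through the closing `</div>` of that group are space-indented inside an otherwise tab-indented block.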
diff --git a/admportal/views/partials/newuserform.ejs b/admportal/views/partials/newuserform.ejs
index 6045994..61bf2dd 100644
--- a/admportal/views/partials/newuserform.ejs
+++ b/admportal/views/partials/newuserform.ejs
@@ -1,32 +1,33 @@
-<div class="modal fade" id="newUserModal" tabindex="-1" role="dialog" aria-labelledby="newUserModalLabel" aria-hidden="true">
+<div class="modal fade" id="new_user" tabindex="-1" role="dialog" aria-labelledby="new_user" aria-hidden="true">
       <div class="modal-dialog">
         <div class="modal-content">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-            <h4 class="modal-title" id="newUserModalLabel">New User</h4>
+            <h4 class="modal-title">New User</h4>
           </div>
           <div class="modal-body">
             <form id="addForm" name="addForm" role="form" action="/user/addUser" method="POST">
               <div class="form-group">
-                <label for="email">Email</label>
-                <input type="email" class="form-control" name="nf_email" id="nf_email">
+                <label for="nf_email">Email</label>
+                <input type="email" class="form-control" name="nf_email" id="nf_email" placeholder="varchar(64)" maxlength="64" />
               </div>
               <div class="form-group">
                 <label for="nf_password">Password</label>
-                <input type="password" class="form-control" name="nf_password" id="nf_password">
+                <input type="password" class="form-control" name="nf_password" id="nf_password" />
               </div>
               <div class="form-group">
                 <label for="nf_confirm_password">Confirm Password</label>
-                <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password">
+                <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password" />
               </div>
               <div class="form-group">
-                <label for="privilege">Privilege</label>
+                <label for="nf_privilege">Privilege</label>
                 <select class="form-control" name="nf_privilege" id="nf_privilege">
                     <option value=admin>Administrator</option>
                     <option value=readonly>Readonly</option>
                 </select>
               </div>
               <div class="form-group">
+								<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
                 <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
 		<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
               </div>
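Review bot: `aria-labelledby="new_user"` on the modal's first line now points at the modal container itself, because the heading's `id="newUserModalLabel"` was dropped along with the rename, so assistive technology gets no dialog title. Keep an id on the heading, e.g. `<h4 class="modal-title" id="new_user_label">New User</h4>` with `aria-labelledby="new_user_label"`. Since an administrator uses this dialog to create another account, the two password inputs should carry `autocomplete="new-password"` (and the email `autocomplete="off"`) so browsers do not autofill the administrator's own saved credentials into the new user.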
diff --git a/admportal/views/partials/update_parameter.ejs b/admportal/views/partials/update_parameter.ejs
index c0ef57d..257f657 100644
--- a/admportal/views/partials/update_parameter.ejs
+++ b/admportal/views/partials/update_parameter.ejs
@@ -25,6 +25,7 @@
                 <input maxlength="128" type="text" class="form-control" name="uf_memo" id="uf_memo" placeholder="varchar(128)">
               </div>
 			  <div class="form-group">
+					<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
                   <input type="hidden" name="nf_action" id="nf_action">
                   <input type="hidden" name="uf_key_name" id="uf_key_name">
                   <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
diff --git a/admportal/views/partials/userform.ejs b/admportal/views/partials/userform.ejs
index fae52ad..f882c6d 100644
--- a/admportal/views/partials/userform.ejs
+++ b/admportal/views/partials/userform.ejs
@@ -1,41 +1,42 @@
-   <div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
-      <div class="modal-dialog">
-        <div class="modal-content">
-          <div class="modal-header">
-            <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-            <h4 class="modal-title" id="myUserModalLabel">Update User</h4>
-          </div>
-          <div class="modal-body">
-            <form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
-              <div class="form-group">
-                <label for="uf_email">attuid</label>
-                <input type="email" class="form-control" name="uf_email" id="uf_email">
-              </div>
-              <div class="form-group">
-                <label for="uf_password">Password</label>
-                <input type="password" class="form-control" name="uf_password" id="uf_password">
-              </div>
-              <div class="form-group">
-                <label for="uf_confirm_password">Confirm Password</label>
-                <input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password">
-              </div>
-              <div class="form-group">
-                <label for="privilege">Privilege</label>
-                <select class="form-control" name="uf_privilege" id="uf_privilege">
-                    <option value=admin>Administrator</option>
-                    <option value=readonly>Readonly</option>
-                </select>
-              </div>
-              <div class="form-group">
-		<input type="hidden" name="uf_action" id="uf_action">
-		<input type="hidden" name="uf_key_email" id="uf_key_email">
-                <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
-		<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-              </div>
-           </form>
-          </div>
-      </div>
-    </div>
-  </div>
+<div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
+	<div class="modal-dialog">
+		<div class="modal-content">
+			<div class="modal-header">
+				<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+				<h4 class="modal-title" id="myUserModalLabel">Update User</h4>
+			</div>
+			<div class="modal-body">
+				<form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
+					<div class="form-group">
+						<label for="uf_email">Email</label>
+						<input type="email" class="form-control" name="uf_email" id="uf_email" />
+					</div>
+					<div class="form-group">
+						<label for="uf_password">Password</label>
+						<input type="password" class="form-control" name="uf_password" id="uf_password" />
+					</div>
+					<div class="form-group">
+						<label for="uf_confirm_password">Confirm Password</label>
+						<input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password" />
+					</div>
+					<div class="form-group">
+						<label for="uf_privilege">Privilege</label>
+						<select class="form-control" name="uf_privilege" id="uf_privilege">
+							<option value=admin>Administrator</option>
+							<option value=readonly>Readonly</option>
+						</select>
+					</div>
+					<div class="form-group">
+						<input type="hidden" name="uf_action" id="uf_action" />
+						<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+						<input type="hidden" name="uf_key_email" id="uf_key_email" />
+						<button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
+						<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+</div>
 
 
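Review bot: The `uf_password` and `uf_confirm_password` inputs have no `autocomplete` attribute; in an edit-another-user dialog browsers may offer and autofill the administrator's own saved password, so add `autocomplete="new-password"` to both and `autocomplete="off"` on `uf_email`. The `<option value=admin>` / `<option value=readonly>` values are unquoted, which is legal HTML but inconsistent with every other attribute in the file. Whether an empty password on `/user/updateUser` means "leave unchanged" is decided by the handler outside this diff; a one-line template comment stating the convention would help maintainers.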
diff --git a/admportal/views/partials/vnf_profile.ejs b/admportal/views/partials/vnf_profile.ejs
index d67cf1a..f513219 100644
--- a/admportal/views/partials/vnf_profile.ejs
+++ b/admportal/views/partials/vnf_profile.ejs
@@ -21,9 +21,10 @@
                 <input type="text" class="form-control" name="nf_equipment_role" id="nf_equipment_role" maxlength="11" placeholder="varchar(80)">
               </div>
               <div class="form-group">
-				<input type="hidden" name="nf_action" id="nf_action">
-				<button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
-				<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+								<input type="hidden" name="nf_action" id="nf_action">
+								<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+								<button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
+								<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
               </div>
            </form>
           </div>
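Review bot: The context line `<input … name="nf_equipment_role" … maxlength="11" placeholder="varchar(80)">` just above the rewritten block advertises an 80-character column while capping entry at 11 characters; one of the two is wrong and should be aligned with the schema (presumably `maxlength="80"`). The four rewritten lines are indented with eight tabs inside a block that otherwise uses spaces, which makes the template hard to read and hides the fact that only the `_csrf` line is new.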
diff --git a/admportal/views/sla/list.ejs b/admportal/views/sla/list.ejs
index 10bd4f4..575e206 100644
--- a/admportal/views/sla/list.ejs
+++ b/admportal/views/sla/list.ejs
@@ -40,79 +40,73 @@
 
 <div class="container-fluid">
 	<table id="sla" class="table table-hover table-condensed">
-      <thead>
-        <tr>
-		  <th>Module</th>
-          <th>RPC</th>
-          <th>Version</th>
-          <th>Mode</th>
-          <th>Active</th>
-		  <% if(priv == 'A') { %>
-          <th>Activate/Deactive</th>
-		  <% } %>
-          <th>Display</th>
-          <th>XML code</th>
-		  <% if(priv=='A') { %>
-          <th>Delete</th>
-		  <% } %>
-        </tr>
-      </thead>
-      <tbody>
-      <% var i=0; rows.forEach( function(row) { %> 
-        <tr>
-            <td><%= row.module %></td>
-            <td><%= row.rpc %></td>
-            <td><%= row.version %></td>
-            <td><%= row.mode %></td>
-            <td><%= row.active %></td>
-			<% if ( priv == 'A' ) { 
-            	if (row.active == "Y") { %>
-              		<td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
-				<% } else { %>
-              		<td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
-				<% } %>
-			<% } %>
-            <td>
-				<button type="button" class="btn btn-default btn-xs"
-              	onclick='location.assign("/sla/printAsGv?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>Display</button>
-			</td>
-			<td>
-				<button type="button" class="btn btn-default btn-xs"
-              	onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
-            </td>
-			<% if ( priv == 'A' ) { %>
-            <td>
-				<button type="button" class="btn btn-default btn-xs"
+	<thead>
+	<tr>
+		<th>Module</th>
+		<th>RPC</th>
+		<th>Version</th>
+		<th>Mode</th>
+		<th>Active</th>
+		<% if(priv == 'A') { %>
+		<th>Activate/Deactive</th>
+		<% } %>
+		<th>XML code</th>
+		<% if(priv=='A') { %>
+		<th>Delete</th>
+		<% } %>
+	</tr>
+	</thead>
+	<tbody>
+	<% var i=0; rows.forEach( function(row) { %> 
+	<tr>
+		<td><%= row.module %></td>
+		<td><%= row.rpc %></td>
+		<td><%= row.version %></td>
+		<td><%= row.mode %></td>
+		<td><%= row.active %></td>
+		<% if ( priv == 'A' ) { 
+			if (row.active == "Y") { %>
+		<td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
+		<% } else { %>
+		<td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
+		<% } %>
+		<% } %>
+		<td>
+			<button type="button" class="btn btn-default btn-xs"
+				onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
+		</td>
+		<% if ( priv == 'A' ) { %>
+		<td>
+			<button type="button" class="btn btn-default btn-xs"
 				onclick="deleteGraph('<%=row.module %>',
-						'<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
-			</td>
-			<% } %>
-        </tr>
-    <% i++; }); %>
-      </tbody>
-    </table>
+				'<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
+		</td>
+		<% } %>
+	</tr>
+	<% i++; }); %>
+	</tbody>
+	</table>
 
 	<% if(priv == 'A') { %>
 	<div class="actions" style="padding:0px 25px;">
 	<form method="POST" action="/sla/upload" enctype="multipart/form-data">
 		<div class="form-group">
-    		<label for="dest">File input</label>
-    		<input name="filename" type="file" id="dest">
-    		<p class="help-block">Choose a file to upload.</p>
-  		</div>
-		<%
-        if ( priv == 'A' )
-        {
-        %>
-	        <button type="button" class="btn btn-default"
-                    onclick="uploadFile(this.form);">Upload File</button>
-        <% } else { %>
-            <button type="button" class="btn btn-default disabled"
-                    onclick="uploadFile(this.form);">Upload File</button>
-        <% } %>
+			<label for="dest">File input</label>
+			<input name="filename" type="file" id="dest" />
+			<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+			<p class="help-block">Choose a file to upload.</p>
+		</div>
+		<% if ( priv == 'A' ) { %>
+		<button type="button" class="btn btn-default"
+			onclick="uploadFile(this.form);">Upload File</button>
+		<% } else { %>
+		<button type="button" class="btn btn-default disabled"
+			onclick="uploadFile(this.form);">Upload File</button>
+		<% } %>
 	</form>
 	</div>
 	<% } %>
+
 </div>
 
 
diff --git a/admportal/views/user/list.ejs b/admportal/views/user/list.ejs
index 947a811..ec650b0 100644
--- a/admportal/views/user/list.ejs
+++ b/admportal/views/user/list.ejs
@@ -43,7 +43,7 @@
 <div class="container-fluid">
     <div class="actions" style="padding:15px 0px;">
 	<% if(priv == 'A') { %>
-    	<button class="btn btn-primary" data-toggle="modal" data-target="#newUserModal">Add User</button>
+    	<button class="btn btn-primary" data-toggle="modal" data-target="#new_user">Add User</button>
 	<% } %>
 
     </div>
@@ -75,14 +75,14 @@
 				<% } %>
 			</td> 
 			<% if(priv == 'A') { %>
-			<td><form name="rowform">
-				<input type="hidden" name="rfemail" id="rfemail" value="<%= row.email %>"</input>
+			<td>
+				<form name="rowform">
+					<button type="button" class="btn btn-default btn-xs"
+						onclick="updateRequest('<%=row.email %>', '<%=row.password %>', '<%=row.privilege %>');">Update</button>
+					<button type="button" class="btn btn-default btn-xs"
+						onclick="deleteRequest('<%=row.email %>');">Delete</button>
 				</form>
-				<button type="button" class="btn btn-default btn-xs"
-                onclick="updateRequest('<%=row.email %>', '<%=row.password %>', '<%=row.privilege %>');">Update</button>
-				<button type="button" class="btn btn-default btn-xs"
-                onclick="deleteRequest('<%=row.email %>');">Delete</button>
-            </td>
+			</td>
 			<% } %>
 			</tr>
     <% }); }; %>
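Review bot: `'<%=row.password %>'` on the `updateRequest(...)` line writes each user's stored password (hashed or not — the storage format is outside this diff) into the HTML served to every administrator, where it lands in page source, browser cache and any intermediate proxy; the update dialog does not need it, so pass an empty value and treat an empty password as "unchanged" server-side, e.g. `onclick="updateRequest('<%=row.email %>', '', '<%=row.privilege %>');"` until `updateRequest` (defined outside this hunk) drops the parameter. As in `sla/list.ejs`, the email and privilege are interpolated into JavaScript string literals where `<%= %>`'s HTML escaping is undone by the browser before the handler executes, so an email containing a quote breaks out of the handler; `data-email`/`data-privilege` attributes read through `this.dataset` avoid that. The `type="email"` constraint on the input form is client-side only and does not protect this output context.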