Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code exection on AdmPortal.
Issue-ID: OJSI-40
Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267
Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com>
Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
diff --git a/admportal/views/mobility/vnfPreloadData.ejs b/admportal/views/mobility/vnfPreloadData.ejs
index 69f02e5..4dc7398 100644
--- a/admportal/views/mobility/vnfPreloadData.ejs
+++ b/admportal/views/mobility/vnfPreloadData.ejs
@@ -110,8 +110,9 @@
<div class="col-md-8 col-md-push-4">
<form method="POST" action="/mobility/uploadVnfData" enctype="multipart/form-data">
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<label for="dest">Upload pre processed JSON file.</label>
- <input name="filename" type="file" id="dest">
+ <input name="filename" type="file" id="dest" />
<p class="help-block">Choose a JSON file to upload.</p>
<button type="button" class="btn btn-default"
data-toggle="tooltip" data-placement="bottom"
@@ -123,8 +124,9 @@
<div class="col-md-4 col-md-pull-8">
<form method="POST" action="/preload/uploadVnfCsv" enctype="multipart/form-data">
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<label for="dest">Upload Worksheet CSV files from the <%= preloadImportDirectory %> directory.</label>
- <input name="filename" type="file" id="dest" multiple>
+ <input name="filename" type="file" id="dest" multiple />
<p class="help-block">Choose Worksheet CSV files to upload.</p>
<button type="button" class="btn btn-default"
data-toggle="tooltip" data-placement="bottom"
diff --git a/admportal/views/mobility/vnfPreloadNetworkData.ejs b/admportal/views/mobility/vnfPreloadNetworkData.ejs
index 099dcba..5d6204c 100644
--- a/admportal/views/mobility/vnfPreloadNetworkData.ejs
+++ b/admportal/views/mobility/vnfPreloadNetworkData.ejs
@@ -111,7 +111,7 @@
<form method="POST" action="/mobility/uploadVnfNetworkData" enctype="multipart/form-data">
<div class="form-group">
<label for="dest">Upload pre processed JSON file.</label>
- <input name="filename" type="file" id="dest"></input>
+ <input name="filename" type="file" id="dest" />
<p class="help-block">Choose a JSON file to upload.</p>
<button type="button" class="btn btn-default"
data-toggle="tooltip" data-placement="bottom"
@@ -125,7 +125,7 @@
<form method="POST" action="/preload/uploadNetworkCsv" enctype="multipart/form-data">
<div class="form-group">
<label for="dest">Upload Worksheet CSV files from the <%= preloadImportDirectory %> directory.</label>
- <input name="filename" type="file" id="dest" multiple></input>
+ <input name="filename" type="file" id="dest" multiple />
<p class="help-block">Choose Worksheet CSV files to upload.</p>
<button type="button" class="btn btn-default"
data-toggle="tooltip" data-placement="bottom"
diff --git a/admportal/views/mobility/vnfProfile.ejs b/admportal/views/mobility/vnfProfile.ejs
index 1a49498..a801b90 100644
--- a/admportal/views/mobility/vnfProfile.ejs
+++ b/admportal/views/mobility/vnfProfile.ejs
@@ -90,6 +90,7 @@
<% if(priv == 'A'){ %>
<div class="actions" style="padding:0px 25px;">
<form method="POST" action="/mobility/uploadVnfProfile" enctype="multipart/form-data">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<div class="form-group">
<label for="dest">File input</label>
<input name="filename" type="file" id="dest">
diff --git a/admportal/views/pages/login.ejs b/admportal/views/pages/login.ejs
index 3a3e5e4..9da2f31 100644
--- a/admportal/views/pages/login.ejs
+++ b/admportal/views/pages/login.ejs
@@ -33,6 +33,7 @@
<form class="form-signin" method="POST" action="/formlogin">
<h3 class="form-signin-heading">AdminPortal Login</h3>
+ <input type="hidden" name="_csrf" value="<%= csrfToken %>" />
<input type="text" name="email" id="email" class="form-control" placeholder="Email" required>
<input type="password" name="password" id="password" class="form-control" placeholder="Password" required>
diff --git a/admportal/views/pages/signup.ejs b/admportal/views/pages/signup.ejs
index 03ac7bc..2a03953 100644
--- a/admportal/views/pages/signup.ejs
+++ b/admportal/views/pages/signup.ejs
@@ -33,6 +33,7 @@
<form class="form-signin" method="POST" action="/formSignUp">
<h3 class="form-signin-heading">AdminPortal Signup</h3>
+ <input type="hidden" name="_csrf" value="<%= csrfToken %>" />
<input type="email" name="nf_email" id="nf_email" class="form-control" placeholder="Email Address" required>
<input type="password" name="nf_password" id="nf_password" class="form-control" placeholder="Password" required>
diff --git a/admportal/views/partials/new_parameter.ejs b/admportal/views/partials/new_parameter.ejs
index b6d1f5b..4a2c0fe 100644
--- a/admportal/views/partials/new_parameter.ejs
+++ b/admportal/views/partials/new_parameter.ejs
@@ -1,36 +1,37 @@
- <div class="modal fade" id="new_parameter" tabindex="-1" role="dialog"
+<div class="modal fade" id="new_parameter" tabindex="-1" role="dialog"
aria-labelledby="new_parameter_label" aria-hidden="true">
- <div class="modal-dialog">
- <div class="modal-content">
- <div class="modal-header">
- <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
- <h4 class="modal-title">Add Parameter</h4>
- </div>
- <div class="modal-body">
- <form name="addForm" role="form" action="/admin/addParameter" method="POST">
- <div class="form-group">
- <label for="nf_name">*Name</label>
- <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)">
- </div>
- <div class="form-group">
- <label for="nf_value">*Value</label>
- <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)">
- </div>
- <div class="form-group">
- <label for="nf_category">Category</label>
- <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)">
- </div>
- <div class="form-group">
- <label for="nf_memo">Memo</label>
- <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)">
- </div>
- <div class="form-group">
- <input type="hidden" name="nf_action" id="nf_action">
- <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
- </div>
- </form>
- </div>
- </div>
- </div>
- </div>
+ <div class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
+ <h4 class="modal-title">Add Parameter</h4>
+ </div>
+ <div class="modal-body">
+ <form name="addForm" role="form" action="/admin/addParameter" method="POST">
+ <div class="form-group">
+ <label for="nf_name">*Name</label>
+ <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_value">*Value</label>
+ <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_category">Category</label>
+ <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)" />
+ </div>
+ <div class="form-group">
+ <label for="nf_memo">Memo</label>
+ <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)" />
+ </div>
+ <div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <input type="hidden" name="nf_action" id="nf_action">
+ <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ </div>
+ </form>
+ </div>
+ </div>
+ </div>
+</div>
diff --git a/admportal/views/partials/newuserform.ejs b/admportal/views/partials/newuserform.ejs
index 6045994..61bf2dd 100644
--- a/admportal/views/partials/newuserform.ejs
+++ b/admportal/views/partials/newuserform.ejs
@@ -1,32 +1,33 @@
-<div class="modal fade" id="newUserModal" tabindex="-1" role="dialog" aria-labelledby="newUserModalLabel" aria-hidden="true">
+<div class="modal fade" id="new_user" tabindex="-1" role="dialog" aria-labelledby="new_user" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
- <h4 class="modal-title" id="newUserModalLabel">New User</h4>
+ <h4 class="modal-title">New User</h4>
</div>
<div class="modal-body">
<form id="addForm" name="addForm" role="form" action="/user/addUser" method="POST">
<div class="form-group">
- <label for="email">Email</label>
- <input type="email" class="form-control" name="nf_email" id="nf_email">
+ <label for="nf_email">Email</label>
+ <input type="email" class="form-control" name="nf_email" id="nf_email" placeholder="varchar(64)" maxlength="64" />
</div>
<div class="form-group">
<label for="nf_password">Password</label>
- <input type="password" class="form-control" name="nf_password" id="nf_password">
+ <input type="password" class="form-control" name="nf_password" id="nf_password" />
</div>
<div class="form-group">
<label for="nf_confirm_password">Confirm Password</label>
- <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password">
+ <input type="password" class="form-control" name="nf_confirm_password" id="nf_confirm_password" />
</div>
<div class="form-group">
- <label for="privilege">Privilege</label>
+ <label for="nf_privilege">Privilege</label>
<select class="form-control" name="nf_privilege" id="nf_privilege">
<option value=admin>Administrator</option>
<option value=readonly>Readonly</option>
</select>
</div>
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</div>
diff --git a/admportal/views/partials/update_parameter.ejs b/admportal/views/partials/update_parameter.ejs
index c0ef57d..257f657 100644
--- a/admportal/views/partials/update_parameter.ejs
+++ b/admportal/views/partials/update_parameter.ejs
@@ -25,6 +25,7 @@
<input maxlength="128" type="text" class="form-control" name="uf_memo" id="uf_memo" placeholder="varchar(128)">
</div>
<div class="form-group">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
<input type="hidden" name="nf_action" id="nf_action">
<input type="hidden" name="uf_key_name" id="uf_key_name">
<button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
diff --git a/admportal/views/partials/userform.ejs b/admportal/views/partials/userform.ejs
index fae52ad..f882c6d 100644
--- a/admportal/views/partials/userform.ejs
+++ b/admportal/views/partials/userform.ejs
@@ -1,41 +1,42 @@
- <div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
- <div class="modal-dialog">
- <div class="modal-content">
- <div class="modal-header">
- <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
- <h4 class="modal-title" id="myUserModalLabel">Update User</h4>
- </div>
- <div class="modal-body">
- <form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
- <div class="form-group">
- <label for="uf_email">attuid</label>
- <input type="email" class="form-control" name="uf_email" id="uf_email">
- </div>
- <div class="form-group">
- <label for="uf_password">Password</label>
- <input type="password" class="form-control" name="uf_password" id="uf_password">
- </div>
- <div class="form-group">
- <label for="uf_confirm_password">Confirm Password</label>
- <input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password">
- </div>
- <div class="form-group">
- <label for="privilege">Privilege</label>
- <select class="form-control" name="uf_privilege" id="uf_privilege">
- <option value=admin>Administrator</option>
- <option value=readonly>Readonly</option>
- </select>
- </div>
- <div class="form-group">
- <input type="hidden" name="uf_action" id="uf_action">
- <input type="hidden" name="uf_key_email" id="uf_key_email">
- <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
- </div>
- </form>
- </div>
- </div>
- </div>
- </div>
+<div class="modal fade" id="myUserModal" tabindex="-1" role="dialog" aria-labelledby="myUserModalLabel" aria-hidden="true">
+ <div class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
+ <h4 class="modal-title" id="myUserModalLabel">Update User</h4>
+ </div>
+ <div class="modal-body">
+ <form id="updateForm" name="updateForm" role="form" action="/user/updateUser" method="POST">
+ <div class="form-group">
+ <label for="uf_email">Email</label>
+ <input type="email" class="form-control" name="uf_email" id="uf_email" />
+ </div>
+ <div class="form-group">
+ <label for="uf_password">Password</label>
+ <input type="password" class="form-control" name="uf_password" id="uf_password" />
+ </div>
+ <div class="form-group">
+ <label for="uf_confirm_password">Confirm Password</label>
+ <input type="password" class="form-control" name="uf_confirm_password" id="uf_confirm_password" />
+ </div>
+ <div class="form-group">
+ <label for="uf_privilege">Privilege</label>
+ <select class="form-control" name="uf_privilege" id="uf_privilege">
+ <option value=admin>Administrator</option>
+ <option value=readonly>Readonly</option>
+ </select>
+ </div>
+ <div class="form-group">
+ <input type="hidden" name="uf_action" id="uf_action" />
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <input type="hidden" name="uf_key_email" id="uf_key_email" />
+ <button type="button" class="btn btn-primary" onclick="submitUserAdmin(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ </div>
+ </form>
+ </div>
+ </div>
+ </div>
+</div>
diff --git a/admportal/views/partials/vnf_profile.ejs b/admportal/views/partials/vnf_profile.ejs
index d67cf1a..f513219 100644
--- a/admportal/views/partials/vnf_profile.ejs
+++ b/admportal/views/partials/vnf_profile.ejs
@@ -21,9 +21,10 @@
<input type="text" class="form-control" name="nf_equipment_role" id="nf_equipment_role" maxlength="11" placeholder="varchar(80)">
</div>
<div class="form-group">
- <input type="hidden" name="nf_action" id="nf_action">
- <button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
- <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+ <input type="hidden" name="nf_action" id="nf_action">
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <button type="button" class="btn btn-primary" onclick="addVnfProfile(this.form);">Submit</button>
+ <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</div>
</form>
</div>
diff --git a/admportal/views/sla/list.ejs b/admportal/views/sla/list.ejs
index 10bd4f4..575e206 100644
--- a/admportal/views/sla/list.ejs
+++ b/admportal/views/sla/list.ejs
@@ -40,79 +40,73 @@
<div class="container-fluid">
<table id="sla" class="table table-hover table-condensed">
- <thead>
- <tr>
- <th>Module</th>
- <th>RPC</th>
- <th>Version</th>
- <th>Mode</th>
- <th>Active</th>
- <% if(priv == 'A') { %>
- <th>Activate/Deactive</th>
- <% } %>
- <th>Display</th>
- <th>XML code</th>
- <% if(priv=='A') { %>
- <th>Delete</th>
- <% } %>
- </tr>
- </thead>
- <tbody>
- <% var i=0; rows.forEach( function(row) { %>
- <tr>
- <td><%= row.module %></td>
- <td><%= row.rpc %></td>
- <td><%= row.version %></td>
- <td><%= row.mode %></td>
- <td><%= row.active %></td>
- <% if ( priv == 'A' ) {
- if (row.active == "Y") { %>
- <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
- <% } else { %>
- <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
- <% } %>
- <% } %>
- <td>
- <button type="button" class="btn btn-default btn-xs"
- onclick='location.assign("/sla/printAsGv?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>Display</button>
- </td>
- <td>
- <button type="button" class="btn btn-default btn-xs"
- onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
- </td>
- <% if ( priv == 'A' ) { %>
- <td>
- <button type="button" class="btn btn-default btn-xs"
+ <thead>
+ <tr>
+ <th>Module</th>
+ <th>RPC</th>
+ <th>Version</th>
+ <th>Mode</th>
+ <th>Active</th>
+ <% if(priv == 'A') { %>
+ <th>Activate/Deactive</th>
+ <% } %>
+ <th>XML code</th>
+ <% if(priv=='A') { %>
+ <th>Delete</th>
+ <% } %>
+ </tr>
+ </thead>
+ <tbody>
+ <% var i=0; rows.forEach( function(row) { %>
+ <tr>
+ <td><%= row.module %></td>
+ <td><%= row.rpc %></td>
+ <td><%= row.version %></td>
+ <td><%= row.mode %></td>
+ <td><%= row.active %></td>
+ <% if ( priv == 'A' ) {
+ if (row.active == "Y") { %>
+ <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
+ <% } else { %>
+ <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
+ <% } %>
+ <% } %>
+ <td>
+ <button type="button" class="btn btn-default btn-xs"
+ onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
+ </td>
+ <% if ( priv == 'A' ) { %>
+ <td>
+ <button type="button" class="btn btn-default btn-xs"
onclick="deleteGraph('<%=row.module %>',
- '<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
- </td>
- <% } %>
- </tr>
- <% i++; }); %>
- </tbody>
- </table>
+ '<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
+ </td>
+ <% } %>
+ </tr>
+ <% i++; }); %>
+ </tbody>
+ </table>
<% if(priv == 'A') { %>
<div class="actions" style="padding:0px 25px;">
<form method="POST" action="/sla/upload" enctype="multipart/form-data">
<div class="form-group">
- <label for="dest">File input</label>
- <input name="filename" type="file" id="dest">
- <p class="help-block">Choose a file to upload.</p>
- </div>
- <%
- if ( priv == 'A' )
- {
- %>
- <button type="button" class="btn btn-default"
- onclick="uploadFile(this.form);">Upload File</button>
- <% } else { %>
- <button type="button" class="btn btn-default disabled"
- onclick="uploadFile(this.form);">Upload File</button>
- <% } %>
+ <label for="dest">File input</label>
+ <input name="filename" type="file" id="dest" />
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <p class="help-block">Choose a file to upload.</p>
+ </div>
+ <% if ( priv == 'A' ) { %>
+ <button type="button" class="btn btn-default"
+ onclick="uploadFile(this.form);">Upload File</button>
+ <% } else { %>
+ <button type="button" class="btn btn-default disabled"
+ onclick="uploadFile(this.form);">Upload File</button>
+ <% } %>
</form>
</div>
<% } %>
+
</div>
diff --git a/admportal/views/user/list.ejs b/admportal/views/user/list.ejs
index 947a811..ec650b0 100644
--- a/admportal/views/user/list.ejs
+++ b/admportal/views/user/list.ejs
@@ -43,7 +43,7 @@
<div class="container-fluid">
<div class="actions" style="padding:15px 0px;">
<% if(priv == 'A') { %>
- <button class="btn btn-primary" data-toggle="modal" data-target="#newUserModal">Add User</button>
+ <button class="btn btn-primary" data-toggle="modal" data-target="#new_user">Add User</button>
<% } %>
</div>
@@ -75,14 +75,14 @@
<% } %>
</td>
<% if(priv == 'A') { %>
- <td><form name="rowform">
- <input type="hidden" name="rfemail" id="rfemail" value="<%= row.email %>"</input>
+ <td>
+ <form name="rowform">
+ <button type="button" class="btn btn-default btn-xs"
+ onclick="updateRequest('<%=row.email %>', '<%=row.password %>', '<%=row.privilege %>');">Update</button>
+ <button type="button" class="btn btn-default btn-xs"
+ onclick="deleteRequest('<%=row.email %>');">Delete</button>
</form>
- <button type="button" class="btn btn-default btn-xs"
- onclick="updateRequest('<%=row.email %>', '<%=row.password %>', '<%=row.privilege %>');">Update</button>
- <button type="button" class="btn btn-default btn-xs"
- onclick="deleteRequest('<%=row.email %>');">Delete</button>
- </td>
+ </td>
<% } %>
</tr>
<% }); }; %>