fixing security issues found in onap admportal
[sdnc/oam.git] / admportal / server / router / routes / sla.js
index 10d6433..beba7ad 100644 (file)
@@ -1,11 +1,15 @@
 var express = require('express');
 var router = express.Router();
-var exec = require('child_process').exec;
+
+var spawn = require('child_process').spawn;
+
 //var util = require('util');
 var fs = require('fs');
 var dbRoutes = require('./dbRoutes');
 var csp = require('./csp');
 var multer = require('multer');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
 var bodyParser = require('body-parser');
 //var sax = require('sax'),strict=true,parser = sax.parser(strict);
 var async = require('async');
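Review bot: `var cookieParser = require('cookie-parser');` is added here but nothing in this file mounts it, and the `csrf({cookie: true})` instance created in the next hunk reads its secret from `req.cookies`, which only exists after cookie-parser has run; without it csurf fails on every protected route with a misconfiguration error rather than silently passing. Either add `router.use(cookieParser());` ahead of the `csrfProtection` definition or drop the unused require and note that the app-level middleware supplies it. I cannot see the application setup from this hunk, so treat this as a check to confirm rather than a proven defect.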
@@ -21,9 +25,8 @@ var xmlfile='';
 
 // used for file upload button, retain original file name
 //router.use(bodyParser());
-router.use(bodyParser.urlencoded({
-  extended: true
-}));
+var csrfProtection = csrf({cookie: true});
+router.use(bodyParser.urlencoded({ extended: true }));
 //var upload = multer({ dest: process.cwd() + '/uploads/', rename: function(fieldname,filename){ return filename; } });
 
 // multer 1.1
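Review bot: `var csrfProtection = csrf({cookie: true});` is built with csurf's default `ignoreMethods`, which skips GET, HEAD and OPTIONS, yet in the next hunk it is attached to the GET routes `/activate`, `/deactivate` and `/deleteDG`, which mutate the database through `dbRoutes`; on those handlers the middleware only mints a token and never verifies one, so they stay forgeable by a cross-site link or image tag. The durable fix is to move those state-changing actions to POST (and keep `csrfProtection` in front of each handler), leaving GET for `/listSLA` and the print views where the token is issued. Widening `ignoreMethods` to cover GET is not a substitute, since it would also demand a token on the page that first generates it. Whether the list view actually emits `req.csrfToken()` into the form is outside this hunk and should be confirmed.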
@@ -57,313 +60,203 @@ router.use(multer({
 
 
 // GET
-router.get('/listSLA', csp.checkAuth, function(req,res) {
+router.get('/listSLA', csp.checkAuth, csrfProtection, function(req,res) {
        dbRoutes.listSLA(req,res,{code:'', msg:''} );
 });
 
-router.get('/activate', csp.checkAuth, function(req,res){
+router.get('/activate', csp.checkAuth, csrfProtection, function(req,res){
 
-       var _module = req.query.module;
-       var rpc = req.query.rpc;
-       var version = req.query.version;
-       var mode = req.query.mode;
+       var _module = req.sanitize(req.query.module);
+       var rpc = req.sanitize(req.query.rpc);
+       var version = req.sanitize(req.query.version);
+       var mode = req.sanitize(req.query.mode);
 
        var tasks = [];
-    tasks.push( function(callback) { dbRoutes.global_deactivate(req,res,_module,rpc,mode,callback); } );
-    tasks.push( function(callback) { dbRoutes.activate(req,res,_module,rpc,version,mode,callback); } );
+  tasks.push( function(callback) { dbRoutes.global_deactivate(req,res,_module,rpc,mode,callback); } );
+  tasks.push( function(callback) { dbRoutes.activate(req,res,_module,rpc,version,mode,callback); } );
        async.series(tasks,  function(err,result){
 
-                if (  err ) {
-                        dbRoutes.listSLA(req,res,{code:'failure', msg:'Failed to activate, '+ String(err) });
-         }
-                else {
-                        dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully activated directed graph.'});
-                }
+               if (  err ) {
+                       dbRoutes.listSLA(req,res,{code:'failure', msg:err });
+               }
+               else {
+                       dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully activated directed graph.'});
+               }
        });
 });
 
-router.get('/deactivate', csp.checkAuth, function(req,res){
+router.get('/deactivate', csp.checkAuth, csrfProtection, function(req,res){
 
-       var _module = req.query.module;
-       var rpc = req.query.rpc;
-       var version = req.query.version;
-       var mode = req.query.mode;
+       var _module = req.sanitize(req.query.module);
+       var rpc = req.sanitize(req.query.rpc);
+       var version = req.sanitize(req.query.version);
+       var mode = req.sanitize(req.query.mode);
 
        var tasks = [];
-    tasks.push( function(callback) { dbRoutes.deactivate(req,res,_module,rpc,version,mode,callback); } );
-    async.series(tasks,  function(err,result){
-
-         if (  err ) {
-             dbRoutes.listSLA(req,res,{code:'failure', msg:'There was an error uploading the file. '+ err });
-         }
-         else {
-             dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully deactivated directed graph.'});
-         }
-    });
+  tasks.push( function(callback) { dbRoutes.deactivate(req,res,_module,rpc,version,mode,callback); } );
+  async.series(tasks,  function(err,result){
+
+               if (  err ) {
+                       dbRoutes.listSLA(req,res,{code:'failure', msg:err });
+               }
+               else {
+                       dbRoutes.listSLA(req,res,{code:'success', msg:'Successfully deactivated directed graph.'});
+               }
+       });
 });
 
-router.get('/deleteDG', csp.checkAuth, function(req,res){
+router.get('/deleteDG', csp.checkAuth, csrfProtection, function(req,res){
 
-       var _module = req.query.module;
-       var rpc = req.query.rpc;
-       var version = req.query.version;
-       var mode = req.query.mode;
+       var _module = req.sanitize(req.query.module);
+       var rpc = req.sanitize(req.query.rpc);
+       var version = req.sanitize(req.query.version);
+       var mode = req.sanitize(req.query.mode);
 
        var tasks = [];
-    tasks.push( function(callback) { dbRoutes.deleteDG(req,res,_module,rpc,version,mode,callback); } );
-    async.series(tasks,  function(err,result){
-
-         if (  err ) {
-             dbRoutes.listSLA(req,res,{ code:'failure', msg:'There was an error uploading the file. '+ err });
-         }
-         else {
-             dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully deleted directed graph.'});
-         }
-    });
-});
-
-router.post('/dgUpload', upload.single('filename'), function(req, res, next){
-
-    if(req.file.originalname){
-        if (req.file.originalname == 0) {
-                       
-            dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
-        }
-        fs.exists(req.file.path, function(exists) {
-            if(exists) {
-
-                // parse xml
-                try {
-                                       //dbRoutes.checkSvcLogic(req,res);
-
-                    var file_buf = fs.readFileSync(req.file.path, "utf8");
-
-                    // call Dan's svclogic shell script from here
-                                        var currentDB = dbRoutes.getCurrentDB();
-                     var commandToExec = process.cwd()
-                        + "/shell/svclogic.sh load "
-                        + req.file.path + " "
-                        + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
-
-                    console.log("commandToExec:" + commandToExec);
-                    child = exec(commandToExec ,function (error,stdout,stderr){
-                        if(error){
-                            console.error("error:" + error);
-                                                       //res.type('text/html').status(400).send( error);
-                                                       //return;
-                        }
-                        if(stderr){
-                                                       res.status(400).send(stderr);
-                                                       return;
-                        }
-                        if(stdout){
-                                                       res.status(200).send( new Buffer('Success'));
-                                                       return;
-                        }
-
-                        // remove the grave accents, the sax parser does not like them
-                        //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
-                        //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
-                        //dbRoutes.listSLA(req,res, resultObj);
-                    });
-                } catch(ex) {
-                    // keep 'em silent
-                    console.error('sax error:'+ex);
-                                       res.status(400).send(ex);
-                                       return;
-                }
-
-            } else {
-                               res.status(400).send(new Buffer('Cannot find file.'));
-                               return;
-                       
-            }
-        });
-    }
-    else {
-               res.status(400).send(new Buffer('file does not exist\n'));
-    }
-       return;
+  tasks.push( function(callback) { dbRoutes.deleteDG(req,res,_module,rpc,version,mode,callback); } );
+  async.series(tasks,  function(err,result){
+
+               if (  err ) {
+                       dbRoutes.listSLA(req,res,{code:'failure', msg:'There was an deleting the directed graph. '+ err });
+               }
+               else {
+                       dbRoutes.listSLA(req,res,{code:'success', msg:'Successfully deleted directed graph.'});
+               }
+       });
 });
 
-
 // POST
-router.post('/upload', csp.checkAuth, upload.single('filename'),  function(req, res, next){
+router.post('/upload', csp.checkAuth, upload.single('filename'), csrfProtection, function(req, res, next){
+
+       var _lstdout = "";
+       var _lstderr = "";
+       console.log('file:'+ JSON.stringify(req.file));
+
+       if(req.file.originalname)
+       {
+               if (req.file.originalname.size == 0)
+               {
+                       dbRoutes.listSLA(req,res, {code:'danger', msg:'There was an error uploading the file, please try again.'});
+               }
+               fs.exists(req.file.path, function(exists)
+               {
+                       if(exists)
+                       {
+                               // parse xml
+                               try 
+                               {
+                                       var currentDB = dbRoutes.getCurrentDB();
+                                       var file_buf = fs.readFileSync(req.file.path, "utf8");
 
-console.log('file:'+ JSON.stringify(req.file));
+                                       // call svclogic shell script from here
+                                       var commandToExec = process.cwd() + "/shell/svclogic.sh";
 
-       if(req.file.originalname){
-        if (req.file.originalname.size == 0) {
-                       dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
-        }
-        fs.exists(req.file.path, function(exists) {
-            if(exists) {
+                                       console.log('filepath: ' + req.file.path);
+          console.log('prop: ' + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB);
+                                       console.log("commandToExec:" + commandToExec);
 
-                               // parse xml
-                               try {
-                                       //dbRoutes.checkSvcLogic(req,res);
-
-                                       var currentDB = dbRoutes.getCurrentDB();
-                               var file_buf = fs.readFileSync(req.file.path, "utf8");
-
-                                       // call Dan's svclogic shell script from here
-                                        var commandToExec = process.cwd()
-                               + "/shell/svclogic.sh load "
-                                               + req.file.path + " "
-                        + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
-
-                               console.log("commandToExec:" + commandToExec);
-                               child = exec(commandToExec ,function (error,stdout,stderr){
-                               if(error){
-                                       console.error("error:" + error);
-                                                       dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
-                                                       return;
-                               }
-                        if(stderr){
-                            console.error("stderr:" + JSON.stringify(stderr,null,2));
-                            var s_stderr = JSON.stringify(stderr);
-                            if ( s_stderr.indexOf("Saving") > -1 )
-                            {
-                                dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'});
-                            }else {
-                                dbRoutes.listSLA(req,res,{code:'failure', msg:stderr});
-                            }
-                            return;
-                        }
-                               if(stdout){
-                                       console.log("stderr:" + stdout);
+                                       child = spawn(commandToExec, ['load', req.file.path, process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB]);
+                                       child.on('error', function(error){
+                                               console.log('error: '+error);
+                                               dbRoutes.listSLA(req,res,{code:'failure', msg:error});
+                                               return;
+                                       });
+                                       child.stdout.on('data', function(data) {
+                                               console.log('stdout: ' + data);
+                                               _lstdout = _lstdout.concat(data);
+                                       });
+                                       child.stderr.on('data', function(data) {
+                                               console.log("stderr:" + data);
+                                               _lstderr = _lstderr.concat(data);
+                                       });
+                                       child.on('exit', function(code,signal){
+                                               console.log('code: ' + code);
+                                               console.log('stdout: [[' + _lstdout + ']]');
+                                               console.log('stderr: [[' + _lstderr + ']]');
+                                               if ( _lstderr.indexOf("Saving") > -1 )
+                                               {
                                                        dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'});
-                            return;
                                                }
-
-                                               // remove the grave accents, the sax parser does not like them
-                                       //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
-                                               //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
-                                               //dbRoutes.listSLA(req,res, resultObj);
+                                               else
+                                               {
+                                                       dbRoutes.listSLA(req,res,{code:'failure', msg:_lstderr} );
+                                               }
+                                               return;
                                        });
                                } catch(ex) {
-                               // keep 'em silent
-                       console.error("error:" + ex);
+                                       console.log("error: " + ex);
                                        dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
+                                       return;
                                }
-
-            } else {
-                               dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
-            }
-        });
+                       }
+                       else {
+                               dbRoutes.listSLA(req,res,{code:'danger', msg:'There was an error uploading the file, please try again.'});
+                               return;
+                       }
+               });
        }
        else {
-               dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'});
+               dbRoutes.listSLA(req,res,{code:'danger', msg:'There was an error uploading the file, please try again.'});
+               return;
        }
 });
 
-router.get('/printAsXml', csp.checkAuth, function(req,res){
+router.get('/printAsXml', csp.checkAuth, csrfProtection, function(req,res){
 
        try {
-               //dbRoutes.checkSvcLogic(req,res);
-
+               var _lstdout = "";
+               var _lstderr = "";
                var _module = req.query.module;
-       var rpc = req.query.rpc;
-       var version = req.query.version;
-       var mode = req.query.mode;
+    var rpc = req.query.rpc;
+    var version = req.query.version;
+    var mode = req.query.mode;
                var currentDB = dbRoutes.getCurrentDB();
 
-       // call Dan's svclogic shell script from here
-       var commandToExec = process.cwd()
-                       + "/shell/svclogic.sh get-source "
-            + _module + " "
-            + rpc + " "
-            + mode + " "
-            + version + " "
-            + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB;
-
+    // call Dan's svclogic shell script from here
+    var commandToExec = process.cwd() + "/shell/svclogic.sh";
                console.log("commandToExec:" + commandToExec);
-
-        child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){
-               if(error){
-                               console.error("error:" + error);
-                dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
-                               return;
-            }
-            //if(stderr){
-               //logger.info("stderr:" + stderr);
-            //}
-            if(stdout){
-                console.log("OUTPUT:" + stdout);
-                res.render('sla/printasxml', {result:{code:'success', 
+               console.log("_mode: " + _module);
+               console.log("rpc: " + rpc);
+               console.log("version: " + version);
+               console.log("currentDB: " +  process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB);
+
+    child = spawn(commandToExec, ['get-source', _module, rpc, mode, version, process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB], {maxBuffer: 1024*5000});
+               child.on('error', function(error){
+                       console.log("error: " + error);
+                       dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
+                       return;
+               });
+               child.stderr.on('data', function(data){
+                       console.log('stderr: ' + data);
+                       _lstderr = _lstderr.concat(data);
+               });
+               child.stdout.on('data', function(data){
+                       console.log("OUTPUT:" + data);
+                       _lstdout = _lstdout.concat(data);
+               });
+               child.on('exit', function(code,signal){
+
+                       console.log('code: ' + code);
+                       console.log('close:stdout: ' + _lstdout);
+                       console.log('close:stderr: ' + _lstderr);
+
+                       if ( code != 0 ){
+                               dbRoutes.listSLA(req,res,{code:'failure',msg:_lstderr} );
+                       }
+                       else {
+                               res.render('sla/printasxml', {result:{code:'success', 
                                        msg:'Module : ' + _module + '\n' + 
-                                               'RPC    : ' + rpc + '\n' + 
-                                               'Mode   : ' + mode + '\n' +
-                                               'Version: ' + version + '\n\n' + stdout}, header:process.env.MAIN_MENU});
-            }
-
-            // remove the grave accents, the sax parser does not like them
-            //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
-            //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
-            //dbRoutes.listSLA(req,res, resultObj);
-        });
-    } catch(ex) {
+                                       'RPC    : ' + rpc + '\n' + 
+                                       'Mode   : ' + mode + '\n' +
+                                       'Version: ' + version + '\n\n' + _lstdout}, header:process.env.MAIN_MENU});
+                       }
+                       return;
+               });
+       } catch(ex) {
                console.error("error:" + ex);
                dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
-   }
+               return;
+ }
 });
 
-
-router.get('/printAsGv', csp.checkAuth, function(req,res){
-
-       try {   
-               //dbRoutes.checkSvcLogic(req,res);
-
-        var _module = req.query.module;
-        var rpc = req.query.rpc;
-        var version = req.query.version;
-        var mode = req.query.mode;
-               var currentDB = dbRoutes.getCurrentDB();
-console.log('currentDB='+currentDB);
-
-       // call Dan's svclogic shell script from here
-       var commandToExec = process.cwd()
-            + "/shell/svclogic.sh print "
-            + _module + " "
-            + rpc + " "
-            + mode + " "
-            + version + " "
-            + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB
-            + " | dot -Tpng";
-
-        console.log("commandToExec:" + commandToExec);
-
-        child = exec(commandToExec , 
-                               {encoding:'base64',maxBuffer:5000*1024}, function (error,stdout,stderr){
-            if(error){
-                console.error("error:" + error);
-                dbRoutes.listSLA(req,res,{code:'failure',msg:error} );
-                               return;
-            }
-            if(stderr){
-                console.error("stderr:" + stderr);
-            }
-            if(stdout){
-                //logger.info("OUTPUT:" + stdout);
-                //res.render('sla/printasgv', result = {code:'success',
-                    //msg:new Buffer(stdout,'base64')} );
-                res.render('sla/printasgv', {result:{code:'success', 
-                                                         module: _module,
-                                                         rpc: rpc,
-                                                         version: version,
-                                                         mode:mode,
-                                                         msg:stdout}, header:process.env.MAIN_MENU});
-            }
-
-            // remove the grave accents, the sax parser does not like them
-            //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close();
-            //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res);
-            //dbRoutes.listSLA(req,res, resultObj);
-        });
-    } catch(ex) {
-               console.error("error:" + ex);
-        dbRoutes.listSLA(req,res,{code:'failure',msg:ex} );
-   }
-
-});
 module.exports = router;
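Review bot: In `/printAsXml` the four query values are still read raw (`var _module = req.query.module;` through `var mode = req.query.mode;`) while the three routes above were switched to `req.sanitize(...)`; the same `req.sanitize(req.query.module)` form should be applied here too, since these values are both passed to `spawn` and echoed back into the rendered page. On the `spawn(commandToExec, ['get-source', ...], {maxBuffer: 1024*5000})` line the `maxBuffer` option belongs to `exec` and is ignored by `spawn`, so the output cap the old code had is gone and `_lstdout`/`_lstderr` now grow without bound; a length check in the `'data'` handlers would restore it. Both `child = spawn(...)` assignments create an implicit global shared across concurrent requests — declare them `var child = spawn(...)`. Note also that both the `'error'` and `'exit'` handlers call `dbRoutes.listSLA`, which may answer the same request twice if a failed spawn emits both events, and that `if (req.file.originalname.size == 0)` in `/upload` tests a property a string does not have, so that guard never fires and in any case does not `return` before `fs.exists` runs.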