From: Rotundo, Al (ar3165) Date: Fri, 22 Nov 2019 15:07:18 +0000 (+0000) Subject: fixing security issues found in onap admportal X-Git-Url: https://gerrit.onap.org/r/gitweb?p=sdnc%2Foam.git;a=commitdiff_plain;h=484d74555c481f055a7f33909071962cace85aa0 fixing security issues found in onap admportal changed exec command to spawn command to prevent arbitray code execution Issue-ID: SDNC-978 Signed-off-by: Rotundo, Al (ar3165) Change-Id: I4487b5c7a14d7a7b1e4985b89e646cf6801845e0 --- diff --git a/admportal/server/router/routes/admin.js b/admportal/server/router/routes/admin.js index 96c7fd85..9a33dc81 100755 --- a/admportal/server/router/routes/admin.js +++ b/admportal/server/router/routes/admin.js @@ -19,6 +19,8 @@ router.use(cookieParser()); router.get('/getParameters', csp.checkAuth, dbRoutes.checkDB, function(req,res) { dbRoutes.getParameters(req,res, {code:'', msg:''}, req.session.loggedInAdmin); }); + +/* router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, function(req,res) { var privilegeObj = req.session.loggedInAdmin; @@ -38,6 +40,7 @@ router.get('/deleteParameter', csp.checkAuth, dbRoutes.checkDB, csrfProtection, } }); }); +*/ // POST diff --git a/admportal/server/router/routes/csp.js b/admportal/server/router/routes/csp.js index 8828052f..f82edd89 100644 --- a/admportal/server/router/routes/csp.js +++ b/admportal/server/router/routes/csp.js 
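Review bot: Disabling the `/deleteParameter` route by wrapping it in a `/* … */` block (opened here, closed by the `+*/` in the next admin.js hunk) rather than deleting it leaves the whole handler as dead code that will drift from `dbRoutes.deleteParameter`, which this commit still exports and rewrites. If the route is meant to go, remove the handler and the `dbRoutes.deleteParameter` export together; if it is meant to return, a one-line `// TODO(SDNC-978): /deleteParameter disabled pending review of name-based delete` above the comment block records why. The body of the commented-out handler lies between the two hunks and is not visible here.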
@@ -15,50 +15,29 @@ function logout(req,res){ function login (req,res) { -console.log('login'); -var tkn = req.sanitize(req.body._csrf); -console.log('login:tkn=' + tkn); + var tkn = req.sanitize(req.body._csrf); var loggedInAdmin={}; var email = req.sanitize(req.body.email); var pswd = req.sanitize(req.body.password); - dbRoutes.findAdminUser(email,res,function(adminUser){ - if(adminUser !== null){ - - // make sure correct password is provided - if (pswd != adminUser.password) { - res.render("pages/login", - { - result: - { - code:'error', - msg:'Invalid password entered.' - }, - header:process.env.MAIN_MENU - }); - return; - } - - var loggedInAdmin = { + dbRoutes.findAdminUser(email,res,function(adminUser) + { + // make sure correct password is provided + if (pswd != adminUser.password) { + res.render("pages/err", { result: { code:'error', msg:'Invalid password entered.' }, header:process.env.MAIN_MENU }); + return; + } + var loggedInAdmin = { email:adminUser.email, csrfToken: tkn, password:adminUser.password, privilege:adminUser.privilege - } - req.session.loggedInAdmin = loggedInAdmin; - console.log("Login Success"+JSON.stringify(loggedInAdmin)); - res.redirect('sla/listSLA'); - }else{ - res.render("pages/err", - { - result: - { - code:'error', - msg:'User ' + attuid + ' is not in the database. Please see an adminstrator to have them added.' - }, - header:process.env.MAIN_MENU - }); } + req.session.loggedInAdmin = loggedInAdmin; + + console.log("Login Success"+JSON.stringify(loggedInAdmin)); + res.redirect('sla/listSLA'); + return; }); } 
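Review bot: The added `console.log("Login Success"+JSON.stringify(loggedInAdmin));` writes the user's decrypted password and CSRF token to the application log on every successful login, since both are fields of `loggedInAdmin`. Log only the identity, `console.log("Login Success: " + loggedInAdmin.email);`, and consider whether `password` needs to live in the session object at all — nothing in this hunk reads it back. The `if (pswd != adminUser.password)` check now relies on `findAdminUser` never invoking the callback with a null user; that holds for the rewritten `findAdminUser` in dbRoutes.js, but the removed `adminUser !== null` guard was the only protection at this end. The outer `var loggedInAdmin={};` is shadowed by the inner declaration and can be dropped.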
@@ -72,17 +51,17 @@ function checkAuth(req,res,next){ var host = req.headers['host']; console.log('host=' + host); - console.log("cookie is not null "+JSON.stringify(req.session.loggedInAdmin)); if(req.session == null || req.session == undefined || req.session.loggedInAdmin == null || req.session.loggedInAdmin == undefined) { - // nothing else to do but log them back in, or they may - // be coming from the graph tool console.log("loggedInAdmin not found.session timed out."); - res.render('pages/login'); - return false; + res.redirect('/login'); + //res.render('pages/login'); + return; } + console.log("cookie is: " + JSON.stringify(req.session.loggedInAdmin)); next(); + return; } function checkPriv(req,res,next) diff --git a/admportal/server/router/routes/dbRoutes.js b/admportal/server/router/routes/dbRoutes.js index c4a09fdc..af3859b5 100644 --- a/admportal/server/router/routes/dbRoutes.js +++ b/admportal/server/router/routes/dbRoutes.js 
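Review bot: The new `console.log("cookie is: " + JSON.stringify(req.session.loggedInAdmin));` logs the full session object — including the `password` and `csrfToken` fields that `login` stores in it — on every authenticated request, which is a wider leak than the line this commit removes. Replace it with `console.log("session user: " + req.session.loggedInAdmin.email);`. The trailing `return;` after `next();` is harmless but unusual for Express middleware and can go. `checkAuth` begins above this hunk.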
@@ -262,48 +262,45 @@ console.log('checkDB'); exports.saveUser = function(req,res){ -console.log('b4 sani'); + var tkn = req.csrfToken(); var email = req.sanitize(req.body.nf_email); var pswd = req.sanitize(req.body.nf_password); -console.log('after sani'); pool.getConnection(function(err,connection) { if(err){ console.error( String(err) ); // ALARM - res.render("pages/signup", {result:{code:'error', msg:"Unable to get database connection. " + String(err)},header:process.env.MAIN_MENU}); + res.render("pages/signup", {csrfToken:tkn,result:{code:'error', msg:"Unable to get database connection. " + String(err)},header:process.env.MAIN_MENU}); return; } - var sql = "SELECT email FROM PORTAL_USERS WHERE email='" + email + "'"; + var sql = "SELECT email FROM PORTAL_USERS WHERE email=" + connection.escape(email); connection.query(sql, function(err,result) { if(err){ connection.release(); - res.render("pages/signup", {result:{code:'error', msg:"Unable to get database connection. " + String(err)},header:process.env.MAIN_MENU}); + res.render("pages/signup", {csrfToken:tkn, result:{code:'error', msg:"Unable to get database connection. 
" + String(err)},header:process.env.MAIN_MENU}); return; } if (result.length == 1 || result.length > 1) { connection.release(); - res.render("pages/signup", {result:{code:'error', msg:'User Information already exists.'},header:process.env.MAIN_MENU}); + res.render("pages/signup", {csrfToken:tkn, result:{code:'error', msg:'User Information already exists.'},header:process.env.MAIN_MENU}); return; } - sql = "INSERT INTO PORTAL_USERS (email,password,privilege) VALUES (" - +"'"+ email + "'," - + "AES_ENCRYPT('" + pswd + "','" + enckey + "')," - +"'A')"; + + connection.escape(email) + "," + + "AES_ENCRYPT(" + connection.escape(pswd) + ",'" + enckey + "'),'A')"; connection.query(sql, function(err,result) { connection.release(); if(err){ - res.render("pages/signup", {result:{ code:'error', msg:String(err) },header:process.env.MAIN_MENU});; + res.render("pages/signup", {csrfToken:tkn, result:{ code:'error', msg:String(err) },header:process.env.MAIN_MENU});; return; } - res.render('pages/signup', {result:{code:'success', msg:'User created. Please login.'},header:process.env.MAIN_MENU}); + res.render('pages/signup', {csrfToken:tkn, result:{code:'success', msg:'User created. Please login.'},header:process.env.MAIN_MENU}); return; }); }); 
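Review bot: `enckey` is still spliced into the new INSERT unescaped, `"AES_ENCRYPT(" + connection.escape(pswd) + ",'" + enckey + "'),'A')"`, while every neighbouring value now goes through `connection.escape`; for consistency, and so a key containing a quote cannot break the statement, write `"AES_ENCRYPT(" + connection.escape(pswd) + "," + connection.escape(enckey) + "),'A')"`. Storing passwords with reversible `AES_ENCRYPT` instead of a one-way hash is pre-existing and outside this hunk, but worth a follow-up since the decrypted value is later compared in `login`. The duplicate check `if (result.length == 1 || result.length > 1)` reads more clearly as `if (result.length > 0)`, and the `});;` on the error render carries a stray semicolon.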
@@ -317,46 +314,48 @@ exports.deleteUser = function(req,res){ var resultObj = { code:'', msg:'' }; var privilegeObj = req.session.loggedInAdmin; - pool.getConnection(function(err,connection) { - if(err){ + pool.getConnection(function(err,connection) { + + if(err){ console.error( String(err) ); // ALARM - res.render("user/list", {rows: null, result:{code:'error', msg:"Unable to get database connection. Error:" + String(err), - privilege:privilegeObj },header:process.env.MAIN_MENU}); + res.render("user/list", {rows: null, result:{code:'error', msg:"Unable to get database connection. Error:" + String(err), + privilege:privilegeObj },header:process.env.MAIN_MENU}); return; - } - - var sqlUpdate = "DELETE FROM PORTAL_USERS WHERE email='" + req.query.email + "'"; + } + var sqlUpdate = "DELETE FROM PORTAL_USERS WHERE email=" + connection.escape(req.query.email); console.log(sqlUpdate); - connection.query(sqlUpdate,function(err,result){ + connection.query(sqlUpdate,function(err,result){ - if(err){ - resultObj = {code:'error', msg:'Delete of user failed Error: '+ String(err) }; - } + if(err){ + resultObj = {code:'error', msg:'Delete of user failed Error: '+ String(err) }; + } - // Need DB lookup logic here - connection.query("SELECT email,password,privilege FROM PORTAL_USERS", function(err, rows) { - connection.release(); - if(!err) { - if ( rows.length > 0 ) - { + // Need DB lookup logic here + connection.query("SELECT email,password,privilege FROM PORTAL_USERS", function(err, rows) { + connection.release(); + if(!err) + { + if ( rows.length > 0 ) + { resultObj = {code:'success',msg:'Successfully deleted user.'}; - res.render('user/list', { rows: rows, result:resultObj, privilege:privilegeObj,header:process.env.MAIN_MENU } ); + res.render('user/list', { rows: rows, result:resultObj, privilege:privilegeObj,header:process.env.MAIN_MENU } ); return; - }else{ - res.render("user/list", { rows: null, result:{code:'error', msg:'Unexpected no rows returned from database, please 
try again.', - privilege:privilegeObj },header:process.env.MAIN_MENU}); + }else{ + res.render("user/list", { rows: null, result:{code:'error', msg:'Unexpected no rows returned from database, please try again.', + privilege:privilegeObj },header:process.env.MAIN_MENU}); return; - } - } else { - res.render("user/list", { rows: null, result:{code:'error', msg:'Unexpected no rows returned from database. Error: ' + String(err), - privilege:privilegeObj },header:process.env.MAIN_MENU}); + } + } + else { + res.render("user/list", { rows: null, result:{code:'error', msg:'Unexpected no rows returned from database. Error: ' + String(err), + privilege:privilegeObj },header:process.env.MAIN_MENU}); return; - } - }); //end query - }); - }); // end of getConnection + } + }); //end query + }); + }); // end of getConnection } // add User @@ -390,9 +389,9 @@ exports.addUser = function(req,res){ //connection.query(sqlRequest, function(err,result) var sqlUpdate = "INSERT INTO PORTAL_USERS (email, password, privilege) VALUES (" - +"'"+ email + "'," - + "AES_ENCRYPT('" + pswd + "','" + enckey + "')," - +"'"+ char_priv + "')"; + + connection.escape(email) + "," + + "AES_ENCRYPT(" + connection.escape(pswd) + ",'" + enckey + "')," + + "'" + char_priv + "')"; connection.query(sqlUpdate,function(err,result) @@ -456,11 +455,12 @@ exports.updateUser= function(req,res){ } var sqlUpdate = "UPDATE PORTAL_USERS SET " - + "email = '" + email + "'," - + "password = " + "AES_ENCRYPT('" + pswd + "','" + enckey + "'), " - + "privilege = '"+ char_priv + "'" - + " WHERE email = '" + key_email + "'"; + + "email = " + connection.escape(email) + "," + + "password = " + "AES_ENCRYPT(" + connection.escape(pswd) + ",'" + enckey + "'), " + + "privilege = '" + char_priv + "'" + + " WHERE email = " + connection.escape(key_email); + console.log(sqlUpdate); connection.query(sqlUpdate,function(err,result) { if(err){ 
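Review bot: In the rewritten `deleteUser` the error set by `resultObj = {code:'error', msg:'Delete of user failed Error: '+ String(err) };` is overwritten unconditionally by `resultObj = {code:'success',msg:'Successfully deleted user.'};` once the follow-up SELECT returns rows, so a failed DELETE is reported as a success. Guard the success assignment, e.g. `if (resultObj.code !== 'error') { resultObj = {code:'success',msg:'Successfully deleted user.'}; }`. `req.query.email` is also passed to `connection.escape` without the `req.sanitize` wrapper the other handlers in this commit use; escaping prevents injection on its own, but the inconsistency is worth aligning. The `deleteUser` signature sits above this hunk.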
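Review bot: `char_priv` is still concatenated into the INSERT as `"'" + char_priv + "')"` in `addUser`, and the same pattern remains in the `updateUser` hunk (`"privilege = '" + char_priv + "'"`), while every other operand in these statements now goes through `connection.escape`. Where `char_priv` is derived is outside both hunks, so it may already be a validated single character, but `connection.escape(char_priv)` costs nothing and removes the last unescaped operand. `addUser` and `updateUser` both begin above their hunks.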
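Review bot: The added `console.log(sqlUpdate);` in `updateUser` prints the complete UPDATE statement, which contains the user's new password in clear text and the `enckey` encryption key inside `AES_ENCRYPT(...)`, so both land in the application log. Drop the line or log only the target, `console.log('updateUser: ' + key_email);`. The existing `console.log(sqlUpdate);` in `deleteUser` above logs the same way, though that statement carries only an email.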
@@ -596,57 +596,57 @@ exports.listSLA = function(req,res,resultObj){ exports.executeSQL = function(sql,req,res,callback){ - console.log(sql); - - pool.getConnection(function(err,connection) { - - if(err){ - console.error( String(err) ); // ALARM - callback(err, 'Unable to get database connection.' + err); - return; - } + console.log(sql); + pool.getConnection(function(err,connection) { - connection.query(sql, function(err,result){ - connection.release(); + if(err){ + console.error( String(err) ); // ALARM + callback(err, 'Unable to get database connection.' + err); + return; + } + connection.query(sql, function(err,result){ + connection.release(); if (err) { callback(err,'Database operation failed. ' + err ); + return; } - else - { -console.log('affectedRows='+result.affectedRows); - callback(null, result.affectedRows); - } - }); //end query - }); // end getConnection + else + { + console.log('affectedRows='+result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); //end query + }); // end getConnection } // gamma - deleteParameter exports.deleteParameter = function(req,res,callback){ - var sql = "DELETE FROM PARAMETERS WHERE name='" + req.query.name + "'"; - - console.log(sql); - - pool.getConnection(function(err,connection) { + pool.getConnection(function(err,connection) { - if(err){ - console.log( String(err) ); // ALARM - callback(err, 'Unable to get database connection.' + err); - return; - } - connection.query(sql, function(err,result){ - connection.release(); - if(err){ - console.log('Update failed. ' + err ); - callback(err,'Update failed. ' + err ); - } - else - { - callback(null,''); - } - }); //end query - }); // end getConnection + if(err){ + console.log( String(err) ); // ALARM + callback(err, 'Unable to get database connection.' 
+ err); + return; + } + var sql = "DELETE FROM PARAMETERS WHERE name=" + connection.escape(req.query.name); + + console.log(sql); + connection.query(sql, function(err,result){ + connection.release(); + if(err){ + callback(err,'Update failed. ' + err ); + return; + } + else + { + callback(null,''); + return; + } + }); //end query + }); // end getConnection } 
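Review bot: `exports.executeSQL` still takes a fully formed SQL string from its callers and runs it verbatim, so the escaping added across `dbRoutes.js` only holds for the new dedicated helpers; the remaining `executeSQL` call in `mobility.js` (`loadVnfData`) still splices `svc_req_id` into the statement. A header comment stating the contract, `// Runs a caller-built statement verbatim: the caller must escape every interpolated value.`, makes that responsibility explicit until the last call site is migrated. In `deleteParameter` the `callback(err,'Update failed. ' + err );` message describes a DELETE; `'Delete failed. '` would match the operation. Both functions are fully inside this hunk.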
@@ -924,41 +924,41 @@ exports.getVnfData = function(req,res,resultObj,privilegeObj) exports.findAdminUser = function(email,res,callback) { - var adminUser={}; - pool.getConnection(function(err,connection) { - if(err){ - console.error( String(err) ); // ALARM - res.render("pages/login", {result:{code:'error', msg:"Unable to get database connection. "+ String(err)},header:process.env.MAIN_MENU}); + pool.getConnection(function(err,connection) + { + if(err) + { + res.render("pages/err", {result:{code:'error', msg:err},header:process.env.MAIN_MENU}); return; - } + } // Need DB lookup logic here - connection.query("SELECT email, AES_DECRYPT(password, '" + enckey + "') password, privilege FROM PORTAL_USERS WHERE email='" + email + "'", function(err, rows) { + connection.query("SELECT email, AES_DECRYPT(password, '" + enckey + "') password, privilege FROM PORTAL_USERS WHERE email=" + connection.escape(email), function(err, rows) { connection.release(); - if(!err) { - if ( rows.length > 0 ) - { - rows.forEach(function(row){ - adminUser = { - "email" : row.email, - "password" : row.password, - "privilege" : row.privilege }; - }); - callback(adminUser); - return; - }else{ - console.log("no rows returned"); - res.render("pages/login", {result:{code:'error', msg:'User is not in database.'},header:process.env.MAIN_MENU}); - return; - } - } else { - res.render("pages/err", {result:{code:'error',msg:'Unexpected no rows returned from database. 
'+ String(err)},header:process.env.MAIN_MENU}); + if(err) + { + res.render("pages/err", {result:{code:'error', msg:err},header:process.env.MAIN_MENU}); + return; + } + if ( rows.length > 0 ) + { + rows.forEach(function(row){ + adminUser = { + "email" : row.email, + "password" : row.password, + "privilege" : row.privilege }; + }); + callback(adminUser); + return; + } + else{ + res.render("pages/err", {result:{code:'error', msg:'User is not in database.'},header:process.env.MAIN_MENU}); return; } }); //end query - }); // end getConnection + }); // end getConnection } 
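Review bot: The hunk removes `var adminUser={};` but the `rows.forEach` body still assigns `adminUser = { ... }`, so the name is now undeclared: in sloppy mode it becomes a process-wide implicit global shared by every concurrent login, and under `'use strict'` it throws a `ReferenceError`. Restore a local declaration, `var adminUser = {};`, at the top of the function before `pool.getConnection`. The two `res.render("pages/err", {result:{code:'error', msg:err}, ...})` branches pass the raw driver error object to the template rather than `String(err)` as the rest of the file does, which can expose SQL text to the browser if the template prints it. The SELECT also still interpolates `enckey` unescaped while `email` is now escaped.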
@@ -1029,6 +1029,121 @@ exports.addVnfProfile = function(row,res,callback){ }); // end getConnection } +exports.deleteVnfProfile = function(req,res,callback){ + + var privilegeObj = req.session.loggedInAdmin; + var rows={}; + + pool.getConnection(function(err,connection) { + + var sql = 'DELETE FROM VNF_PROFILE WHERE vnf_type = ' + connection.escape(req.sanitize(req.query.vnf_type)); + console.log(sql); + if(err){ + console.error( String(err) ); // ALARM + res.render("pages/err", {result:{code:'error', msg:"Unable to get database connection. "+ String(err)},header:process.env.MAIN_MENU}); + return; + } + + //var vt = req.sanitize(req.query.vnf_type); + //var vnf_type = { vnf_type: vt }; + //var vnf_type = connection.escape(vt); + //console.log('type='+vnf_type); + //connection.query('DELETE FROM VNF_PROFILE WHERE vnf_type = ?', vnf_type, function(err,result) + connection.query(sql, function(err,result) + { + connection.release(); + if (err) { + callback(err,'Database operation failed. ' + err ); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('No rows deleted.'); + return; + } + console.log('rows deleted: ' + result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); + }); // end of getConnection +}; + +exports.deleteVnfData = function(req,res,callback){ + + var privilegeObj = req.session.loggedInAdmin; + var rows={}; + + pool.getConnection(function(err,connection) { + + var sql = 'DELETE FROM PRE_LOAD_VNF_DATA WHERE id =' + connection.escape(req.sanitize(req.query.id)); + console.log(sql); + if(err){ + console.error( String(err) ); // ALARM + res.render("pages/err", {result:{code:'error', msg:"Unable to get database connection. "+ String(err)},header:process.env.MAIN_MENU}); + return; + } + + connection.query(sql, function(err,result) + { + connection.release(); + if (err) { + callback(err,'Database operation failed. 
' + err ); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('No rows deleted.'); + return; + } + console.log('rows deleted: ' + result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); + }); // end of getConnection +}; + +exports.deleteVnfNetworkData = function(req,res,callback){ + + var privilegeObj = req.session.loggedInAdmin; + var rows={}; + + pool.getConnection(function(err,connection) { + + var sql = 'DELETE FROM PRE_LOAD_VNF_NETWORK_DATA WHERE id =' + connection.escape(req.sanitize(req.query.id)); + console.log(sql); + if(err){ + console.error( String(err) ); // ALARM + res.render("pages/err", {result:{code:'error', msg:"Unable to get database connection. "+ String(err)},header:process.env.MAIN_MENU}); + return; + } + + connection.query(sql, function(err,result) + { + connection.release(); + if (err) { + callback(err,'Database operation failed. ' + err ); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('No rows deleted.'); + return; + } + console.log('rows deleted: ' + result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); + }); // end of getConnection +}; // Add to SVC_LOGIC table exports.addDG = function(_module, version, rpc, mode, xmlfile, req,res){ 
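Review bot: In all three new functions (`deleteVnfProfile`, `deleteVnfData`, `deleteVnfNetworkData`) the statement is built with `connection.escape(...)` before `if(err)` is checked, so when `pool.getConnection` fails `connection` is undefined and the callback throws a `TypeError` instead of rendering `pages/err`. Move the `var sql = ...` and `console.log(sql);` lines below the `if(err){ ... return; }` block in each function. The three bodies are identical apart from table and column, and `privilegeObj` and `rows` are unused in each; a single private helper taking the table/column pair would remove the duplication.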
@@ -1095,131 +1210,193 @@ exports.addDG = function(_module, version, rpc, mode, xmlfile, req,res){ }); // end of getConnection }; -exports.activate = function(req,res,_module,rpc,version,mode,callback){ +exports.updatePreloadStatus = function(sql,req,res,_module,rpc,version,mode,callback){ - var sql = "UPDATE SVC_LOGIC SET active=\'Y\' WHERE module=\'" - + _module + "' AND rpc=\'" - + rpc + "' AND version=\'" - + version + "' AND mode=\'" - + mode + "'"; + pool.getConnection(function(err,connection) { + + if(err){ + console.error( String(err) ); // ALARM + callback(err, 'Unable to get database connection.' + err); + return; + } - console.log('SQL='+sql); + var sql = _sql + " WHERE id = " + connection.escape(req.query.id); - pool.getConnection(function(err,connection) { + console.log(sql); + connection.query(sql, function(err,result){ + + connection.release(); + if(err){ + callback(err, 'Unable to get database connection.' + err); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('Unable to update preload status.'); + return; + } + callback(null, result.affectedRows); + return; + } + }); //end query + }); // end getConnection +} + +exports.activate = function(req,res,_module,rpc,version,mode,callback){ + + pool.getConnection(function(err,connection) { - if(err){ + if(err){ console.error( String(err) ); // ALARM - callback(err, 'Unable to get database connection.' + err); + callback(err, 'Unable to get database connection.' + err); return; - } + } - connection.query(sql, function(err,result){ + var sql = "UPDATE SVC_LOGIC SET active=\'Y\' WHERE " + + "module = " + connection.escape(_module) + " AND " + + "rpc = " + connection.escape(rpc) + " AND " + + "version = " + connection.escape(version) + " AND " + + "mode = " + connection.escape(mode); - connection.release(); + console.log('SQL='+sql); + connection.query(sql, function(err,result){ + + connection.release(); if(err){ - callback(err, 'Unable to get database connection.' 
+ err); - } - else - { - callback(null,''); - } - }); //end query - }); // end getConnection + callback(err, 'Unable to get database connection.' + err); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('Unable to activate directed graph.'); + return; + } + console.log('rows deleted: ' + result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); //end query + }); // end getConnection } exports.deactivate = function(req,res,_module,rpc,version,mode,callback){ - var sql = "UPDATE SVC_LOGIC SET active=\'N\' WHERE module=\'" - + _module + "' AND rpc=\'" - + rpc + "' AND version=\'" - + version + "' AND mode=\'" - + mode + "'"; - - console.log('SQL='+sql); - - pool.getConnection(function(err,connection) { + pool.getConnection(function(err,connection) { - if(err){ + if(err){ console.error( String(err) ); // ALARM - callback(err, 'Unable to get database connection.' + err); + callback(err, 'Unable to get database connection.' + err); return; - } + } - connection.query(sql, function(err,result){ + var sql = "UPDATE SVC_LOGIC SET active=\'N\' WHERE " + + "module = " + connection.escape(_module) + " AND " + + "rpc = " + connection.escape(rpc) + " AND " + + "version = " + connection.escape(version) + " AND " + + "mode = " + connection.escape(mode); - connection.release(); - if(err){ - callback(err, 'Unable to get database connection.' + err); - } - else - { - callback(null,''); - } - }); //end query - }); // end getConnection + console.log('SQL='+sql); + connection.query(sql, function(err,result){ + + connection.release(); + if(err){ + callback(err, 'Unable to get database connection.' 
+ err); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('Unable to deactivate directed graph.'); + return; + } + console.log('rows deleted: ' + result.affectedRows); + callback(null, result.affectedRows); + return; + } + }); //end query + }); // end getConnection } exports.global_deactivate = function(req,res,_module,rpc,mode,callback){ - var sql = "UPDATE SVC_LOGIC SET active=\'N\' WHERE module=\'" - + _module + "' AND rpc=\'" - + rpc + "' AND mode=\'" - + mode + "'"; + pool.getConnection(function(err,connection) { + if(err){ + callback(err, 'Unable to get database connection.' + err); + return; + } - pool.getConnection(function(err,connection) { + // deactivate all versions + var sql = "UPDATE SVC_LOGIC SET active=\'N\' WHERE " + + "module = " + connection.escape(_module) + " AND " + + "rpc = " + connection.escape(rpc) + " AND " + + "mode = " + connection.escape(mode); - if(err){ - callback(err, 'Unable to get database connection.' + err); - return; - } - - connection.query(sql, function(err,result){ + console.log(sql); + connection.query(sql, function(err,result){ - connection.release(); - if(err){ - callback(err, err); - } - else - { - callback(null,''); - } - }); //end query - }); // end getConnection + connection.release(); + if(err){ + callback(err, err); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('Unable to set all versions to deactivate.'); + return; + } + callback(null,result.affectedRows); + return; + } + }); //end query + }); // end getConnection } exports.deleteDG = function(req,res,_module,rpc,version,mode,callback){ - var sql = "DELETE FROM SVC_LOGIC WHERE module=\'" - + _module + "' AND rpc=\'" - + rpc + "' AND version=\'" - + version + "' AND mode=\'" - + mode + "'"; - - console.log('SQL='+sql); - - pool.getConnection(function(err,connection) { + pool.getConnection(function(err,connection) { - if(err){ + if(err){ console.error( String(err) ); // ALARM - callback(err, 'Unable to get database 
connection.' + err); + callback(err, 'Unable to get database connection.' + err); return; - } + } - connection.query(sql, function(err,result){ + var sql = "DELETE FROM SVC_LOGIC WHERE " + + "module = " + connection.escape(_module) + " AND " + + "rpc = " + connection.escape(rpc) + " AND " + + "version = " + connection.escape(version) + " AND " + + "mode = " + connection.escape(mode); - connection.release(); - if(err){ - callback(err, 'Unable to get database connection.' + err); - } - else - { - callback(null,''); - } - }); //end query - }); // end getConnection + console.log(sql); + connection.query(sql, function(err,result){ + + connection.release(); + if(err){ + callback(err, 'Unable to get database connection.' + err); + return; + } + else + { + if (result.affectedRows == 0) + { + callback('No rows deleted.'); + return; + } + callback(null,result.affectedRows); + return; + } + }); //end query + }); // end getConnection } diff --git a/admportal/server/router/routes/mobility.js b/admportal/server/router/routes/mobility.js index cd798dc8..8b5adabd 100644 --- a/admportal/server/router/routes/mobility.js +++ b/admportal/server/router/routes/mobility.js @@ -195,8 +195,7 @@ router.get('/loadVnfNetworkData', csp.checkAuth, csp.checkPriv, function(req,res // if successful then update the status tasks.push(function(arg1,callback){ - dbRoutes.executeSQL("UPDATE PRE_LOAD_VNF_NETWORK_DATA SET status='uploaded',svc_request_id='" - + svc_req_id + "',svc_action='reserve' WHERE id="+req.query.id,req,res,callback); + dbRoutes.updatePreloadStatus("UPDATE PRE_LOAD_VNF_NETWORK_DATA SET status='uploaded',svc_request_id='" + svc_req_id + "',svc_action='reserve'",req,res,callback); }); // use the waterfall method of making calls 
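Review bot: `exports.updatePreloadStatus` declares its first parameter as `sql` but the body reads `_sql` (`var sql = _sql + " WHERE id = " + connection.escape(req.query.id);`), which is undeclared and throws a `ReferenceError` on every call. Its only caller, `loadVnfNetworkData` in `mobility.js`, also passes four arguments against an eight-parameter signature, so the caller's `callback` lands in `_module` and the `callback` the function invokes is undefined. Rename the parameter and trim the signature to what is used, `exports.updatePreloadStatus = function(_sql,req,res,callback){`. Separately, `global_deactivate` now reports an error when `affectedRows == 0`; if the pool is not created with the found-rows flag, a graph whose versions are all already inactive — the normal state for a freshly uploaded DG — would make the `/activate` series fail before `activate` runs, so zero rows there is probably a success. The `console.log('rows deleted: ...')` lines in `activate` and `deactivate` describe an UPDATE.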
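Review bot: The `svc_request_id='" + svc_req_id + "'` part of the statement handed to `updatePreloadStatus` is still string-spliced; only the `WHERE id` value appended by the helper is escaped. If `svc_req_id` is built from `req.query.id` the way the `loadVnfData` hunk below builds it, `req.sanitize` appears to be an HTML sanitiser and does not neutralise a single quote, so the value needs SQL escaping too — either `mysql.escape(svc_req_id)` if the `mysql` module is in scope in `mobility.js`, or pass `svc_req_id` to the helper as its own argument and let it build the statement with `connection.escape`. The enclosing `loadVnfNetworkData` handler extends beyond this hunk.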
@@ -220,7 +219,7 @@ router.get('/loadVnfNetworkData', csp.checkAuth, csp.checkPriv, function(req,res router.get('/loadVnfData', csp.checkAuth, csp.checkPriv, function(req,res) { var privilegeObj = req.session.loggedInAdmin; - var full_path_file_name = process.cwd() + "/uploads/" + req.query.filename + var full_path_file_name = process.cwd() + "/uploads/" + req.sanitize(req.query.filename) var msgArray = new Array(); if ( req.query.status != 'pending' ) @@ -234,7 +233,7 @@ router.get('/loadVnfData', csp.checkAuth, csp.checkPriv, function(req,res) var now = new Date(); var df = dateFormat(now,"isoDateTime"); const rnum = crypto.randomBytes(4); - var svc_req_id = req.query.id + "-" + df + "-" + rnum.toString('hex'); + var svc_req_id = req.sanitize(req.query.id) + "-" + df + "-" + rnum.toString('hex'); var tasks = []; // first get the contents of the file from the db @@ -272,8 +271,7 @@ router.get('/loadVnfData', csp.checkAuth, csp.checkPriv, function(req,res) // if successful then update the status tasks.push(function(arg1,callback){ - dbRoutes.executeSQL("UPDATE PRE_LOAD_VNF_DATA SET status='uploaded',svc_request_id='" - + svc_req_id + "',svc_action='reserve' WHERE id="+req.query.id,req,res,callback); + dbRoutes.executeSQL("UPDATE PRE_LOAD_VNF_DATA SET status='uploaded',svc_request_id='" + svc_req_id + "',svc_action='reserve'",req,res,callback); }); // use the waterfall method of making calls @@ -298,13 +296,12 @@ router.get('/deleteVnfNetworkData', csp.checkAuth, csp.checkPriv, csrfProtection var privilegeObj = req.session.loggedInAdmin; var tasks = []; - var sql = 'DELETE FROM PRE_LOAD_VNF_NETWORK_DATA WHERE id=' + req.query.id; // if status is pending, then we do not have to call // ODL, just remove from db if (req.query.status == 'pending'){ tasks.push(function(callback) { - dbRoutes.executeSQL(sql,req,res,callback); + dbRoutes.deleteVnfNetworkData(req,res,callback); }); } else { // format the request to ODL 
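Review bot: `req.sanitize(req.query.filename)` appears to strip markup but does not normalise path segments, so `process.cwd() + "/uploads/" + ...` can still resolve outside `uploads/` when the query carries `..` components. Reduce the value to a bare file name before joining, `var full_path_file_name = path.join(process.cwd(), "uploads", path.basename(req.sanitize(req.query.filename)));`, which needs `path` required at the top of `mobility.js`. The statement also lacks a terminating semicolon. `loadVnfData` continues below this hunk.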
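Review bot: The rewritten `executeSQL` call in `loadVnfData` drops the `WHERE id=...` clause without switching to `updatePreloadStatus`, so `UPDATE PRE_LOAD_VNF_DATA SET status='uploaded',svc_request_id='...',svc_action='reserve'` now updates every row in the table on each load. The parallel `loadVnfNetworkData` hunk in this file calls `dbRoutes.updatePreloadStatus(...)`, which appends the escaped `WHERE id` itself; this line should do the same: `dbRoutes.updatePreloadStatus("UPDATE PRE_LOAD_VNF_DATA SET status='uploaded',svc_request_id='" + svc_req_id + "',svc_action='reserve'",req,res,callback);`. `svc_req_id` remains string-spliced in either form. The `tasks.push` callback is inside the hunk but `loadVnfData` itself extends past it.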
@@ -349,17 +346,14 @@ router.get('/deleteVnfNetworkData', csp.checkAuth, csp.checkPriv, csrfProtection router.get('/deleteVnfData', csp.checkAuth, csp.checkPriv, csrfProtection, function(req,res) { -console.log('deleteVnfData'); - var privilegeObj = req.session.loggedInAdmin; var tasks = []; - var sql = 'DELETE FROM PRE_LOAD_VNF_DATA WHERE id=' + req.query.id; // if status is pending, then we do not have to call // ODL, just remove from db if (req.query.status == 'pending'){ tasks.push(function(callback) { - dbRoutes.executeSQL(sql,req,res,callback); + dbRoutes.deleteVnfData(req,res,callback); }); } else { var inputString = '{"input":{"vnf-topology-information":{"vnf-topology-identifier":{"service-type":"SDN-MOBILITY","vnf-name": "'; @@ -448,10 +442,9 @@ router.get('/deleteVnfProfile', csp.checkAuth, csp.checkPriv, csrfProtection, fu var tasks = []; var sql = ''; - sql = "DELETE FROM VNF_PROFILE WHERE vnf_type='" + req.query.vnf_type + "'"; tasks.push(function(callback) { - dbRoutes.executeSQL(sql,req,res,callback); + dbRoutes.deleteVnfProfile(req,res,callback); }); async.series(tasks, function(err,result) { diff --git a/admportal/server/router/routes/sla.js b/admportal/server/router/routes/sla.js index 098cd66b..beba7add 100644 --- a/admportal/server/router/routes/sla.js +++ b/admportal/server/router/routes/sla.js @@ -1,6 +1,8 @@ var express = require('express'); var router = express.Router(); -var exec = require('child_process').exec; + +var spawn = require('child_process').spawn; + //var util = require('util'); var fs = require('fs'); var dbRoutes = require('./dbRoutes'); 
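Review bot: `var sql = '';` in `deleteVnfProfile` is now dead, since the only assignment to it was the removed `sql = "DELETE FROM VNF_PROFILE ..."` line; drop the declaration so the handler matches the `deleteVnfData` hunk above, which removed its `sql` completely. `deleteVnfProfile` begins above this hunk.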
@@ -64,141 +66,77 @@ router.get('/listSLA', csp.checkAuth, csrfProtection, function(req,res) { router.get('/activate', csp.checkAuth, csrfProtection, function(req,res){ - var _module = req.query.module; - var rpc = req.query.rpc; - var version = req.query.version; - var mode = req.query.mode; + var _module = req.sanitize(req.query.module); + var rpc = req.sanitize(req.query.rpc); + var version = req.sanitize(req.query.version); + var mode = req.sanitize(req.query.mode); var tasks = []; - tasks.push( function(callback) { dbRoutes.global_deactivate(req,res,_module,rpc,mode,callback); } ); - tasks.push( function(callback) { dbRoutes.activate(req,res,_module,rpc,version,mode,callback); } ); + tasks.push( function(callback) { dbRoutes.global_deactivate(req,res,_module,rpc,mode,callback); } ); + tasks.push( function(callback) { dbRoutes.activate(req,res,_module,rpc,version,mode,callback); } ); async.series(tasks, function(err,result){ - if ( err ) { - dbRoutes.listSLA(req,res,{code:'failure', msg:'Failed to activate, '+ String(err) }); - } - else { - dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully activated directed graph.'}); - } + if ( err ) { + dbRoutes.listSLA(req,res,{code:'failure', msg:err }); + } + else { + dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully activated directed graph.'}); + } }); }); router.get('/deactivate', csp.checkAuth, csrfProtection, function(req,res){ - var _module = req.query.module; - var rpc = req.query.rpc; - var version = req.query.version; - var mode = req.query.mode; + var _module = req.sanitize(req.query.module); + var rpc = req.sanitize(req.query.rpc); + var version = req.sanitize(req.query.version); + var mode = req.sanitize(req.query.mode); var tasks = []; - tasks.push( function(callback) { dbRoutes.deactivate(req,res,_module,rpc,version,mode,callback); } ); - async.series(tasks, function(err,result){ - - if ( err ) { - dbRoutes.listSLA(req,res,{code:'failure', msg:'There was an error uploading the file. 
'+ err }); - } - else { - dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully deactivated directed graph.'}); - } - }); + tasks.push( function(callback) { dbRoutes.deactivate(req,res,_module,rpc,version,mode,callback); } ); + async.series(tasks, function(err,result){ + + if ( err ) { + dbRoutes.listSLA(req,res,{code:'failure', msg:err }); + } + else { + dbRoutes.listSLA(req,res,{code:'success', msg:'Successfully deactivated directed graph.'}); + } + }); }); router.get('/deleteDG', csp.checkAuth, csrfProtection, function(req,res){ - var _module = req.query.module; - var rpc = req.query.rpc; - var version = req.query.version; - var mode = req.query.mode; + var _module = req.sanitize(req.query.module); + var rpc = req.sanitize(req.query.rpc); + var version = req.sanitize(req.query.version); + var mode = req.sanitize(req.query.mode); var tasks = []; - tasks.push( function(callback) { dbRoutes.deleteDG(req,res,_module,rpc,version,mode,callback); } ); - async.series(tasks, function(err,result){ - - if ( err ) { - dbRoutes.listSLA(req,res,{ code:'failure', msg:'There was an error uploading the file. 
'+ err }); - } - else { - dbRoutes.listSLA(req,res,{ code:'success', msg:'Successfully deleted directed graph.'}); - } - }); -}); + tasks.push( function(callback) { dbRoutes.deleteDG(req,res,_module,rpc,version,mode,callback); } ); + async.series(tasks, function(err,result){ -router.post('/dgUpload', upload.single('filename'), csrfProtection, function(req, res, next){ - - if(req.file.originalname){ - if (req.file.originalname == 0) { - - dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); - } - fs.exists(req.file.path, function(exists) { - if(exists) { - - // parse xml - try { - //dbRoutes.checkSvcLogic(req,res); - - var file_buf = fs.readFileSync(req.file.path, "utf8"); - - // call Dan's svclogic shell script from here - var currentDB = dbRoutes.getCurrentDB(); - var commandToExec = process.cwd() - + "/shell/svclogic.sh load " - + req.file.path + " " - + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB; - - console.log("commandToExec:" + commandToExec); - child = exec(commandToExec ,function (error,stdout,stderr){ - if(error){ - console.error("error:" + error); - //res.type('text/html').status(400).send( error); - //return; - } - if(stderr){ - res.status(400).send(stderr); - return; - } - if(stdout){ - res.status(200).send( new Buffer('Success')); - return; - } - - // remove the grave accents, the sax parser does not like them - //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); - //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); - //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { - // keep 'em silent - console.error('sax error:'+ex); - res.status(400).send(ex); - return; - } - - } else { - res.status(400).send(new Buffer('Cannot find file.')); - return; - - } - }); - } - else { - res.status(400).send(new Buffer('file does not exist\n')); - } - return; + if ( err ) { + dbRoutes.listSLA(req,res,{code:'failure', msg:'There was an deleting the directed 
graph. '+ err }); + } + else { + dbRoutes.listSLA(req,res,{code:'success', msg:'Successfully deleted directed graph.'}); + } + }); }); - // POST router.post('/upload', csp.checkAuth, upload.single('filename'), csrfProtection, function(req, res, next){ -console.log('file:'+ JSON.stringify(req.file)); + var _lstdout = ""; + var _lstderr = ""; + console.log('file:'+ JSON.stringify(req.file)); if(req.file.originalname) { if (req.file.originalname.size == 0) { - dbRoutes.listSLA(req,res, - { code:'danger', msg:'There was an error uploading the file, please try again.'}); + dbRoutes.listSLA(req,res, {code:'danger', msg:'There was an error uploading the file, please try again.'}); } fs.exists(req.file.path, function(exists) { 
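Review bot: The failure message in `/deleteDG`, `'There was an deleting the directed graph. '+ err`, is missing a word; `'There was an error deleting the directed graph. '+ err` reads correctly. In `/upload`, the `if (req.file.originalname.size == 0)` branch renders `listSLA` and then falls through to `fs.exists`, so a second response would be attempted — add `return;` after that `dbRoutes.listSLA(...)` call; as far as I can tell multer's `originalname` is a string, so `.size` is always undefined and `req.file.size == 0` was probably intended. The `/activate` and `/deactivate` handlers now pass `msg:err`, where `err` may be a raw driver error object rather than the `String(err)` the old code used. The `/upload` handler continues past this hunk.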
@@ -207,68 +145,67 @@ console.log('file:'+ JSON.stringify(req.file)); // parse xml try { - //dbRoutes.checkSvcLogic(req,res); - var currentDB = dbRoutes.getCurrentDB(); var file_buf = fs.readFileSync(req.file.path, "utf8"); // call svclogic shell script from here - var commandToExec = process.cwd() + "/shell/svclogic.sh load " - + req.file.path + " " - + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB; + var commandToExec = process.cwd() + "/shell/svclogic.sh"; + console.log('filepath: ' + req.file.path); + console.log('prop: ' + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB); console.log("commandToExec:" + commandToExec); - child = exec(commandToExec ,function (error,stdout,stderr) - { - if(error) + + child = spawn(commandToExec, ['load', req.file.path, process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB]); + child.on('error', function(error){ + console.log('error: '+error); + dbRoutes.listSLA(req,res,{code:'failure', msg:error}); + return; + }); + child.stdout.on('data', function(data) { + console.log('stdout: ' + data); + _lstdout = _lstdout.concat(data); + }); + child.stderr.on('data', function(data) { + console.log("stderr:" + data); + _lstderr = _lstderr.concat(data); + }); + child.on('exit', function(code,signal){ + console.log('code: ' + code); + console.log('stdout: [[' + _lstdout + ']]'); + console.log('stderr: [[' + _lstderr + ']]'); + if ( _lstderr.indexOf("Saving") > -1 ) { - console.error("error:" + error); - dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); - return; - } - if(stderr){ - console.error("stderr:" + JSON.stringify(stderr,null,2)); - var s_stderr = JSON.stringify(stderr); - if ( s_stderr.indexOf("Saving") > -1 ) - { - dbRoutes.listSLA(req,res,{code:'success', msg:'File sucessfully uploaded.'}); - }else { - dbRoutes.listSLA(req,res,{code:'failure', msg:stderr}); - } - return; - } - if(stdout){ - console.log("stderr:" + stdout); dbRoutes.listSLA(req,res,{code:'success', msg:'File 
sucessfully uploaded.'}); - return; } - - // remove the grave accents, the sax parser does not like them - //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); - //dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); - //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { - // keep 'em silent - console.error("error:" + ex); - dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); + else + { + dbRoutes.listSLA(req,res,{code:'failure', msg:_lstderr} ); + } + return; + }); + } catch(ex) { + console.log("error: " + ex); + dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); + return; + } + } + else { + dbRoutes.listSLA(req,res,{code:'danger', msg:'There was an error uploading the file, please try again.'}); + return; } - } - else { - dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); - } }); } else { - dbRoutes.listSLA(req,res,{ code:'danger', msg:'There was an error uploading the file, please try again.'}); + dbRoutes.listSLA(req,res,{code:'danger', msg:'There was an error uploading the file, please try again.'}); + return; } }); router.get('/printAsXml', csp.checkAuth, csrfProtection, function(req,res){ try { - //dbRoutes.checkSvcLogic(req,res); - + var _lstdout = ""; + var _lstderr = ""; var _module = req.query.module; var rpc = req.query.rpc; var version = req.query.version; 
@@ -276,44 +213,50 @@ router.get('/printAsXml', csp.checkAuth, csrfProtection, function(req,res){ var currentDB = dbRoutes.getCurrentDB(); // call Dan's svclogic shell script from here - var commandToExec = process.cwd() - + "/shell/svclogic.sh get-source " - + _module + " " - + rpc + " " - + mode + " " - + version + " " - + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB; - + var commandToExec = process.cwd() + "/shell/svclogic.sh"; console.log("commandToExec:" + commandToExec); + console.log("_mode: " + _module); + console.log("rpc: " + rpc); + console.log("version: " + version); + console.log("currentDB: " + process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB); + + child = spawn(commandToExec, ['get-source', _module, rpc, mode, version, process.env.SDNC_CONFIG_DIR + "/svclogic.properties." + currentDB], {maxBuffer: 1024*5000}); + child.on('error', function(error){ + console.log("error: " + error); + dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); + return; + }); + child.stderr.on('data', function(data){ + console.log('stderr: ' + data); + _lstderr = _lstderr.concat(data); + }); + child.stdout.on('data', function(data){ + console.log("OUTPUT:" + data); + _lstdout = _lstdout.concat(data); + }); + child.on('exit', function(code,signal){ - child = exec(commandToExec , {maxBuffer: 1024*5000}, function (error,stdout,stderr){ - if(error){ - console.error("error:" + error); - dbRoutes.listSLA(req,res,{code:'failure',msg:error} ); - return; - } - //if(stderr){ - //logger.info("stderr:" + stderr); - //} - if(stdout){ - console.log("OUTPUT:" + stdout); - res.render('sla/printasxml', {result:{code:'success', - msg:'Module : ' + _module + '\n' + - 'RPC : ' + rpc + '\n' + - 'Mode : ' + mode + '\n' + - 'Version: ' + version + '\n\n' + stdout}, header:process.env.MAIN_MENU}); - } - - // remove the grave accents, the sax parser does not like them - //parser.write(file_buf.replace(/\`/g,'').toString('utf8')).close(); - 
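Review bot: The new `child.on('exit', ...)` handler in the upload route reads `_lstdout`/`_lstderr`, but Node documents that a child's stdio streams may still be open when 'exit' fires, so the `Saving` check can run on an incomplete `_lstderr` and report a result the script did not actually produce; use `child.on('close', function(code, signal) {` so the buffers are complete. Success is still inferred by sniffing stderr for "Saving" instead of from the exit status that the printAsXml hunk below does check; prefer `if (code !== 0) { /* failure */ } else { /* success */ }`, or at least require both. `child = spawn(...)` is assigned without `var`, which creates an implicit module-wide global that concurrent uploads overwrite — write `var child = spawn(...)`. Both the 'error' and 'exit' handlers call `dbRoutes.listSLA`, and Node may emit 'exit' after 'error' (e.g. ENOENT when svclogic.sh is missing), so a second response can be attempted on the same `res`; guard with a `responded` flag. The unchanged context check `req.file.originalname.size == 0` reads a property of a string and can never trigger — presumably `req.file.size` was intended; worth confirming with the multer version in use.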
//dbRoutes.addDG(_module,version,rpc,mode,file_buf,req,res); - //dbRoutes.listSLA(req,res, resultObj); - }); - } catch(ex) { + console.log('code: ' + code); + console.log('close:stdout: ' + _lstdout); + console.log('close:stderr: ' + _lstderr); + + if ( code != 0 ){ + dbRoutes.listSLA(req,res,{code:'failure',msg:_lstderr} ); + } + else { + res.render('sla/printasxml', {result:{code:'success', + msg:'Module : ' + _module + '\n' + + 'RPC : ' + rpc + '\n' + + 'Mode : ' + mode + '\n' + + 'Version: ' + version + '\n\n' + _lstdout}, header:process.env.MAIN_MENU}); + } + return; + }); + } catch(ex) { console.error("error:" + ex); dbRoutes.listSLA(req,res,{code:'failure',msg:ex} ); + return; } }); - module.exports = router; diff --git a/admportal/views/pages/err.ejs b/admportal/views/pages/err.ejs index 8ed51c6c..cf5c3004 100644 --- a/admportal/views/pages/err.ejs +++ b/admportal/views/pages/err.ejs @@ -5,7 +5,6 @@ <% include ../partials/head %> - <% include ../partials/header %>
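Review bot: The `{maxBuffer: 1024*5000}` option passed to `spawn` on the get-source call is an exec/execFile option, not a spawn option, so it is silently ignored and does not bound what `_lstdout` accumulates in memory; drop it or cap the concatenation explicitly. As in the upload hunk, the result is assembled in `child.on('exit', ...)` while stdio may still be open, so the XML handed to `sla/printasxml` can be truncated — use `child.on('close', ...)`. `_module`, `rpc` and `version` come straight from `req.query` (mode is read outside the hunk) and are now passed as separate argv entries, which removes shell-metacharacter injection, but they remain untrusted: a value beginning with `-` may be parsed as an option by whatever svclogic.sh invokes, and whether the script quotes its positional parameters when building its own command is not visible here and should be confirmed, so a whitelist on the expected identifier syntax (e.g. `/^[A-Za-z0-9_.-]+$/`) would close both. `_lstderr` is echoed back to the user on failure, which can expose script paths and Java stack traces — consider logging it and returning a generic message. `child` is again assigned without `var`.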