Not checking url queries SEC-797

lib/azf.js

@@ -16,7 +16,7 @@ var AZF = (function() {
         var xml;
 
         var action = req.method;
-        var resource = req.url.substring(1, req.url.length);
+        var resource = req.url.split('?')[0].substring(1, req.url.split('?')[0].length);
 
         if (config.azf.custom_policy) {
             log.info('Checking auth with AZF...');
@@ -32,7 +32,7 @@ var AZF = (function() {
                 return;
             }
             log.info('Checking auth with AZF...');
-            xml = getRESTPolicy(roles, req, app_id);
+            xml = getRESTPolicy(roles, action, resource, app_id);
         }
 
         log.info('Checking auth with AZF...');
@@ -75,11 +75,8 @@ var AZF = (function() {
         return roles;
     };
 
-    var getRESTPolicy = function (roles, req, app_id) {
+    var getRESTPolicy = function (roles, action, resource, app_id) {
 
-        var action = req.method;
-        var resource = req.url.substring(1, req.url.length);
-
         log.info("Checking authorization to roles", roles, "to do ", action, " on ", resource, "and app ", app_id);
 
         var XACMLPolicy = {