This is a lab exercise on developing secure software. For more information, see the introduction to the labs.
Practice validating input of a simple data type.
In this exercise, we'll add some simple input validation to a server-side program written in JavaScript using the Express framework (version 4) and the express-validator library. The point isn't to learn about these specific technologies; the point is to learn how to write secure software in general.
Express lets us declare that when the server receives a specific request, it runs a list of functions ("handlers") in order. The express-validator library provides ready-made validation functions ("validators") that can be placed in that list, so adding a validation check is usually a one-line change.
The code below sets up handlers for a GET request on the path /invoices. If there are no validation errors, the code is supposed to show the invoice id. If there is a validation error, it responds with HTTP status code 422 ("Unprocessable Content"), which tells the client that the request was understood but its contents were invalid, along with an error message.
Unfortunately, this program doesn't do proper input validation. In this application, id is supposed to be only an integer between 1 and 9999 (including those numbers), but as written the program never checks that. In fact, as written, this program has a vulnerability we haven't discussed yet, called cross-site scripting (XSS): the value of id is copied into the response unchanged, so an attacker could place a malicious script in id, and the browser of anyone who views the resulting page would run it. This particular vulnerability would be entirely prevented by better input validation, because a valid id consists only of digits and cannot contain the characters a script needs. (The general defense against XSS is to escape untrusted data before inserting it into a page; here, strict validation of id alone is enough.)
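To make the difference concrete, here is an added example, not the lab's starter code and not part of the express-validator library: a stand-alone model of the /invoices handler that runs without Express, with an allowlist check written out by hand so you can see exactly what "an integer between 1 and 9999" accepts and rejects. The function names, the simulated handler and the sample inputs are assumptions made for this illustration.

```javascript
// Added example (not the lab's starter code): a stand-alone model of the
// /invoices handler, so that it runs without Express or express-validator.
// isIntInRange() spells out the rule the lab asks for: id must be an integer
// in [min, max]. invoiceHandler() shows the unvalidated and validated paths.

// Allowlist check: the value must be a string of decimal digits (optional
// sign) whose numeric value lies in [min, max]. Anything else, including
// "12abc", "1e3", "", arrays from ?id[]=... and "<script>...", is rejected.
function isIntInRange(value, min, max) {
  if (typeof value !== "string") return false;      // not a single scalar value
  if (!/^[+-]?[0-9]+$/.test(value)) return false;   // digits only, no spaces
  const n = Number(value);
  return Number.isSafeInteger(n) && n >= min && n <= max;
}

// Simulated request handler: takes the parsed query object and returns the
// HTTP status and body it would send. With validate=false it reproduces the
// flaw the text describes: id is reflected into the response unchanged.
function invoiceHandler(query, validate) {
  const id = query.id;
  if (validate && !isIntInRange(id, 1, 9999)) {
    return { status: 422, body: "Invalid input" };
  }
  return { status: 200, body: `You requested invoice id ${id}!` };
}

// Constructed sample input: a reflected-XSS payload an attacker could put in ?id=
const xssPayload = "<script>alert(document.cookie)</script>";

// Without validation the payload reaches the response body verbatim; with the
// range check every non-digit or out-of-range input, the payload included, gets a 422.
for (const id of ["42", "0", "10000", "12abc", xssPayload]) {
  const before = invoiceHandler({ id }, false);
  const after = invoiceHandler({ id }, true);
  console.log(JSON.stringify(id), "unvalidated:", before.status, "validated:", after.status);
}
```

In the real program, Express sends a string passed to res.send with a text/html content type, so the unvalidated response above would be parsed as markup and the script would run. With express-validator the same rule is expressed by putting a validator such as query('id').isInt({ min: 1, max: 9999 }) in the handler list instead of writing the check by hand; the point of the exercise is the allowlist rule itself, not which library enforces it.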
To complete this task: the code below accepts the query parameter id as input. Please change it so id is only accepted if it is an integer between 1 and 9999 (including those numbers).
Note: JavaScript names are case-sensitive, so isint won't work. The validator is one argument in the list of handlers, so remember to end it with a comma (our starter text already does this).
Use the “hint” and “give up” buttons if necessary.