Lab Exercise input2

This is a lab exercise on developing secure software. For more information, see the introduction to the labs.

Task

Practice validating specialized text input in a program using a regular expression.

Background

In this exercise, we'll add some simple input validation to a server-side program written in JavaScript using the Express framework (version 4) and the express-validator library.

However, this time we're going to do input validation for a specific data value using regular expressions. Many programs have specialized data values that are easily tested using regular expressions.

The code below sets up a handler for a GET request on path /parts. It could be triggered, for example, by requesting http://localhost:3000/parts?id=AX-794-7 (if the program were running on localhost and listening on port 3000). If there are no validation errors, the code is supposed to echo the part id. If there is a validation error, it responds with HTTP status code 422 ("Unprocessable Content"), a status code indicating that the request was invalid in some way, along with an error message.

In this case, we want to implement proper input validation of the part id: we want to ensure it is not longer than a certain length and that it matches a specific pattern. Just like lab input1, as written this program has a vulnerability we haven't discussed yet, called Cross-site Scripting (XSS): whatever the client sends as id is copied into the response unchanged. This particular vulnerability would be entirely prevented by the stricter input validation we are about to add, because an id made only of uppercase letters, digits and dashes cannot carry the characters (such as < and >) an XSS payload needs.

Task Information

In this application, the part id format is always two uppercase Latin letters (each A through Z), then a dash (-), a sequence of one or more digits, another dash (-), and another sequence of one or more digits.

To do that:

  1. After the first parameter to app.get which says '/parts', add a new comma-separated parameter.
  2. Start this new parameter with query('id') to select the id query parameter for validation (we have not filled in this part for you in this lab).
  3. Add a period (.) and the validation requirement isLength()
  4. The isLength method takes, as an optional parameter inside its parentheses, an object providing specific information such as a minimum and a maximum. We only want a maximum, so it should look something like isLength({max: YOUR_MAXIMUM}). Those familiar with JavaScript will know that the "length" value is the length of the string in UTF-16 code units; that's fine for our purposes.

We also need to verify that the input matches our pattern, which we can check using a regular expression. In this situation, we do this by:

  1. appending another period (.) and the validation requirement matches().
  2. Inside those parentheses, supply a slash (/), the text of the regular expression to match, and another slash (/). In JavaScript, a pair of slashes (/) surrounds a regular expression literal.
  3. Remember to match the entire input, not just a substring of it (in other words, anchor the pattern with ^ at the start and $ at the end). Without the anchors, an id such as AX-794-7 followed by arbitrary text would still "match".
  4. Also, remember that a way to match a single uppercase Latin letter is the pattern [A-Z]; similarly, [0-9] matches a single digit, and a + after a pattern means "one or more repetitions".
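The following is an added example, not the lab's own code or its official solution. It implements the two checks the steps above describe (a maximum length of 80 and the anchored part id pattern) as a plain JavaScript function, so it runs without Express or express-validator installed, and it contrasts the anchored pattern with two weaker variants (no anchors, and the m flag) to show why step 3 matters. The function and constant names (isValidPartId, PART_ID_RE, MAX_PART_ID_LENGTH) and the sample inputs are this example's own; in the lab itself the equivalent checks are the express-validator chain query('id').isLength({max: 80}).matches(PART_ID_RE) placed between '/parts' and the handler.

```javascript
// Added example (not the lab's code): the lab's two checks as a plain function.
// In the lab these are expressed as the express-validator chain
//   query('id').isLength({ max: 80 }).matches(PART_ID_RE)
// inserted between '/parts' and the request handler in app.get.

const MAX_PART_ID_LENGTH = 80; // the limit the lab asks for

// Two uppercase ASCII letters, a dash, one or more digits, a dash, one or more
// digits. ^ and $ anchor the pattern to the whole input. Note that in
// JavaScript, $ without the m flag matches only at the very end of the string,
// so a trailing newline does not slip through (unlike in some other engines).
const PART_ID_RE = /^[A-Z][A-Z]-[0-9]+-[0-9]+$/;

// Returns true only if id is a single string, is no longer than
// MAX_PART_ID_LENGTH (JavaScript's .length counts UTF-16 code units, which is
// fine here), and matches PART_ID_RE exactly.
function isValidPartId(id) {
  if (typeof id !== 'string') return false; // e.g. ?id=a&id=b arrives as an array
  if (id.length > MAX_PART_ID_LENGTH) return false;
  return PART_ID_RE.test(id);
}

// Deliberately weak variants, kept only to show what the anchors buy us.
const UNANCHORED_RE = /[A-Z][A-Z]-[0-9]+-[0-9]+/;      // no ^ ... $: matches a substring
const MULTILINE_RE = /^[A-Z][A-Z]-[0-9]+-[0-9]+$/m;    // m flag: ^ and $ also match at line breaks

function matchesUnanchored(id) { return UNANCHORED_RE.test(id); }
function matchesMultiline(id) { return MULTILINE_RE.test(id); }

// Constructed sample inputs for this example (not from the lab): [input, expected verdict].
const SAMPLES = [
  ['AX-794-7', true],
  ['ZZ-1-1', true],
  ['ax-794-7', false],                                 // lowercase letters
  ['AX-794', false],                                   // only one numeric group
  ['AX--7', false],                                    // empty digit group
  ['AX-794-7<script>alert(1)</script>', false],        // XSS payload appended
  ['AX-794-7\n<script>alert(1)</script>', false],      // payload after a newline
  ['AX-794-7\n', false],                               // trailing newline
  ['AX-' + '9'.repeat(80) + '-1', false],              // pattern OK but 85 chars long
  ['ÅX-1-1', false],                                   // non-ASCII letter
];

// Runs every sample through isValidPartId and returns the inputs whose verdict
// differs from the expectation; an empty array means the validator agrees on all.
function checkSamples() {
  return SAMPLES
    .filter(([id, want]) => isValidPartId(id) !== want)
    .map(([id]) => id);
}

// Stand-alone demonstration: print each verdict and the two weak-pattern results.
for (const [id, want] of SAMPLES) {
  const got = isValidPartId(id);
  console.log(JSON.stringify(id), '->', got, got === want ? '' : 'MISMATCH');
}
console.log('unanchored pattern accepts appended payload:',
  matchesUnanchored('AX-794-7<script>alert(1)</script>'));
console.log('m-flag pattern accepts payload after newline:',
  matchesMultiline('AX-794-7\n<script>alert(1)</script>'));
```

The last two lines of output show the failure modes: without ^ and $ the payload simply rides along after a valid id, and with the m flag a newline lets a second "line" carry anything at all, so the anchors must be present and the m flag must not be. The typeof check is there because query-string parsers turn a repeated parameter into an array, which a regex test would coerce to a string.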

Use the “hint” and “give up” buttons if necessary.

Interactive Lab

Please change the code below so that the query parameter id is only accepted if it is no longer than 80 characters and meets this application's part id format. The format is two uppercase Latin letters (each A through Z), then a dash (-), a sequence of one or more digits, another dash (-), and another sequence of one or more digits.

// Set up Express framework and express-validator library
const express = require("express");
const app = express();
const { query, matchedData, validationResult } =
    require('express-validator');

// Implement requests, e.g., http://localhost:3000/parts?id=AX-794-7
app.get('/parts',
  // Add the query('id') validation chain here, as a comma-separated parameter

  (req, res) => { // Execute this code if /parts seen
    const result = validationResult(req); // Retrieve errors
    if (result.isEmpty()) { // No errors
      const data = matchedData(req); // Retrieve matching data
      return res.send(`You requested part id ${data.id}!`);
    }
    res.status(422).send(`Invalid input`);
  })


This lab was developed by David A. Wheeler at The Linux Foundation.