CS 142 Final Examination: Spring Quarter 2018, Summaries of Software Engineering

A software engineering course at Stanford had students build a web server with a focus on a clean modular decomposition where each module was free of code ...

Typology: Summaries

2022/2023

Uploaded on 05/11/2023

anuradha
CS 142 Final Examination
Spring Quarter 2018
You have 3 hours (180 minutes) for this examination; the number of points for each
question indicates roughly how many minutes you should spend on that question. Make
sure you print your name and sign the Honor Code below. During the examination you
may consult two double-sided pages of notes; all other sources of information, including
laptops, cell phones, etc. are prohibited.
I acknowledge and accept the Stanford University Honor Code. I have neither given nor
received aid in answering the questions on this examination.
________________________________________________
(Signature)
________________________________________________
(Print your name, legibly!)
(SUID - stanford email account for grading database key)
Problem   #1   #2   #3   #4   #5   #6   #7   #8   #9   #10  #11
Score
Max       10   10   10   8    8    8    8    10   8    8    8

Problem   #12  #13  #14  #15  #16  #17  #18  #19  #20  Total
Score
Max       8    8    10   12   10   8    8    10   10   180

The CS142 Photo Sharing application you built used the Express.js session management software express-session, configured to use the default server-side session storage, MemoryStore, which stores the session state in Node.js memory. Consider an alternative session store called unsafe-cookie-session that works by storing the session state object as a cookie with the object encoded as a JSON string. This cookie is attached to the session much in the same way that express-session attaches its cookie.

A. Describe the key advantage of unsafe-cookie-session compared to express-session.

B. Assume a threat model that includes an untrustworthy user of our application. Describe the damaging attacks the user could do with unsafe-cookie-session where the session state is stored in a cookie. Describe what kind of changes we could make to produce a safe-cookie-session that defeats the attacks yet still gets the benefit listed in A.
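One way a cookie-stored session can be made tamper-evident, shown as an added example that is not part of the exam or its answer key: the server appends an HMAC-SHA256 tag computed with a key only it holds, and rejects any cookie whose tag does not verify. The function names, the key handling and the sample session object are assumptions made for this illustration.

```javascript
// Added illustration, not exam code. All function names are hypothetical.
const crypto = require('crypto');

// Server-side secret, constructed per process for this example.
const SERVER_KEY = crypto.randomBytes(32);

// Unsigned variant: the cookie is bare JSON, so the server trusts
// whatever the browser sends back.
function decodeUnsafe(cookie) {
  return JSON.parse(cookie);
}

function hmac(payload, key) {
  return crypto.createHmac('sha256', key).update(payload).digest();
}

// Signed variant: base64url(JSON) + "." + base64url(HMAC-SHA256(JSON)).
function encodeSigned(session, key = SERVER_KEY) {
  const payload = Buffer.from(JSON.stringify(session), 'utf8');
  return payload.toString('base64url') + '.' + hmac(payload, key).toString('base64url');
}

// Returns the session object, or null if the cookie is malformed or altered.
function decodeSigned(cookie, key = SERVER_KEY) {
  const parts = String(cookie).split('.');
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], 'base64url');
  const given = Buffer.from(parts[1], 'base64url');
  const expected = hmac(payload, key);
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  try { return JSON.parse(payload.toString('utf8')); } catch { return null; }
}

// Constructed sample: the state is edited client-side, the old tag is reused.
function editedCopy(cookie, changes) {
  const [p, t] = cookie.split('.');
  const state = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  const edited = Buffer.from(JSON.stringify({ ...state, ...changes }), 'utf8');
  return edited.toString('base64url') + '.' + t;
}

const cookie = encodeSigned({ user_id: 'u1', admin: false });
console.log(decodeUnsafe('{"user_id":"u1","admin":true}'));      // accepted as-is
console.log(decodeSigned(cookie));                              // { user_id: 'u1', admin: false }
console.log(decodeSigned(editedCopy(cookie, { admin: true }))); // null
```

The tag gives integrity only: the user can still read the session contents, so anything that must stay secret would additionally need encryption or must remain on the server.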

In order for our CS142 Photo Sharing application to run using its MVC pattern we need to have model data from the Node.js backend shipped to our browser-based frontend. In general there are two ways this shipping of model data can occur. The code running in the browser can "pull" the model data from the server or the code running in the server can "push" model data to the browser.

A. Which of the two ways ("push" or "pull") would you say our Photo Sharing application used? Briefly explain your answer.

B. If we could magically have the other way that is not the supplied answer in Part A available for our application, what might that other way be useful for?

Our discussion of full stack web applications involved mention of two types of data: model data and session state, each of which we end up treating very differently. For example, we used different storage systems for them. Is there ever a scenario when some application data could be both model data and session state? If so, give a plausible example. If no, briefly explain why not.

When your web browser connects to a web server, one of its first steps is to communicate with a DNS resolver, which tells your browser the IP address associated with a host name in the URL (for instance, the IP address of the machine you should connect to to access www.google.com might be 216.58.194.164). Your browser then attempts to connect to the server with that IP address. Unfortunately, DNS lookups are not particularly secure, so an attacker might be able to trick your browser into connecting to an evil server instead of a real Google server. As a savvy student of CS 142, you're aware of the dangers of the Internet and are careful to always connect to your bank's website (www.mybank.com) over HTTPS. Unfortunately, an attacker has managed to gain control of your local DNS resolver and directs you to a server under his control (10.0.0.2) instead of the real bank server (10.0.0.1). Will HTTPS protect you from this attack? Please take two or three sentences to justify your answer.

Suppose you receive an email and click on a link for https://www.bankofthevvest.com (note: vvest, not west). Assume that www.bankofthevvest.com is under the attacker's complete control. Will your browser provide indication that the site you are visiting is not legitimate? If not, explain why. If so, how would it likely show up?

In Project #5 we introduced the FetchModel function in your controllers that fetched data from the server. We had you implement the fetching using XMLHttpRequest. In order to prevent unwanted behavior in Angular, we suggested that you use $scope.$apply. Had the implementation used an AngularJS service, $resource and $http, the suggestion to use $scope.$apply wouldn't have been needed. Explain the problem that necessitated $scope.$apply and why it wasn't needed with the AngularJS model fetching services.

The following is Express.js handler code for a particular URL with an "id" parameter.

A. What will go wrong in the following code, and why?

B. How would you fix it?

    var user_photos = [];
    Photo.find({user_id: request.params.id}, function (err, photos) {
        if (err) {
            response.status(400).send(JSON.stringify(err));
            return;
        }
        // process photos...
        user_photos = photos;
    });
    response.status(200).send(JSON.stringify(user_photos));

A software engineering course at Stanford had students build a web server with a focus on a clean modular decomposition where each module was free of code with knowledge belonging to another module. One group proposed the following processing pipeline for HTTP requests:

  1. Read request - Read the full HTTP request from the data coming into the TCP socket
  2. Parse HTTP request - Extract out the header properties and body of the HTTP request
  3. Dispatch request - Call the handler function based on the URL and HTTP method

Using your knowledge of HTTP request headers, describe why this decomposition lost points for not being clean with the same work needing to be done in multiple steps.

In the class projects we used a simple Node.js web server program (webServer.js) running in the local environment to allow the browser to fetch the project files from the local file system. Browsers are perfectly capable of fetching files from the local file system using URLs specifying the "file:" protocol. Explain the reason we couldn't just use the "file:" protocol to fetch the various pieces of our web application given that everything fetched was coming from the local machine.

Consider the following Express.js program:

    var express = require('express');
    var app = express();

    app.use(function(request, response, next) {
        request.value = 'foo';
        next();
    });

    app.get('/test', function (request, response) {
        response.status(200).send(request.value);
    });

    app.use(function(request, response, next) {
        request.value = 'bar';
        next();
    });

    app.get('/test2/:test3', function (request, response) {
        var paramValue = request.params.test3;
        var queryValue = request.query.test3;
        response.status(200).send((paramValue === '4' && queryValue === '5') ? 'baz' : 'qux');
    });

    app.use(function (request, response, next) {
        response.status(404).send('N/A');
    });

    app.listen(3000, function () {});

Answer the following questions below. Hint: When processing requests, ExpressJS executes app.use and matching app.get callbacks in the order in which the app.* statements are executed.

A. Write down the response that the web server sends back for a GET /test request.

B. Write down the response that the web server sends back for a GET /test3 request.

C. Write down the type of request (specify verb + url) that should be made to get a 'qux' response. Please include any necessary url path components or query strings. (e.g., sample (incorrect) answer: GET /test?q=hi)

D. Write down the type of request (specify verb + url) that should be made to get a 'baz' response. Please include any necessary url path components or query strings. (see sample answer above)

REST and GraphQL are two different protocols used to fetch model data for web applications. Assume you have a web application with users located in countries where connections to the web app's backend servers use low bandwidth networks with long round trip times. Is either REST or GraphQL advantageous over the other under these communication characteristics? Justify your answer.

Which of the components in an MVC pattern would be inappropriate to put on a Content Distribution Network? Justify your answer.