














I acknowledge and accept the Stanford University Honor Code. I have neither given nor received aid in answering the questions on this examination.
(Signature)
(Print your name, legibly!)
[email protected] (SUID - Stanford email account, used as the grading database key)

Problem   #1   #2   #3   #4   #5   #6   #7   #8   #9   #10  #11
Max       10   10   10    8    8    8    8   10    8     8    8
Score

Problem   #12  #13  #14  #15  #16  #17  #18  #19  #20  Total
Max         8    8   10   12   10    8    8   10   10    180
Score
The CS142 Photo Sharing application you built used Express.js session management software express-session configured to use the default server-side session storage, MemoryStore which stores the session state in Node.js memory. Consider an alternative session store called unsafe-cookie-session that works by storing the session state object as a cookie with the object encoded as a JSON string. This cookie is attached to the session much in the same way that express-session attaches its cookie. A. Describe the key advantage of unsafe-cookie-session compared to express-session. B. Assume a threat model that includes an untrustworthy user of our application. Describe the damaging attacks the user could do with unsafe-cookie-session where the session state is stored in a cookie. Describe what kind of changes we could make to produce a safe-cookie-session that defeats the attacks yet still gets the benefit listed in A.
In order for our CS142 Photo Sharing application to run using its MVC pattern, we need to have model data from the Node.js backend shipped to our browser-based frontend. In general there are two ways this shipping of model data can occur: the code running in the browser can "pull" the model data from the server, or the code running in the server can "push" model data to the browser. A. Which of the two ways ("push" or "pull") would you say our Photo Sharing application used? Briefly explain your answer. B. If we could magically have the other way (the one you did not name in Part A) available for our application, what might that other way be useful for?
Our discussion of full stack web applications involved mention of two types of data: model data and session state, each of which we end up treating very differently. For example, we used different storage systems for them. Is there ever a scenario in which some application data could be both model data and session state? If so, give a plausible example. If not, briefly explain why not.
When your web browser connects to a web server, one of its first steps is to communicate with a DNS resolver, which tells your browser the IP address associated with a host name in the URL (for instance, the IP address of the machine you should connect to in order to access www.google.com might be 216.58.194.164). Your browser then attempts to connect to the server with that IP address. Unfortunately, DNS lookups are not particularly secure, so an attacker might be able to trick your browser into connecting to an evil server instead of a real Google server. As a savvy student of CS 142, you're aware of the dangers of the Internet and are careful to always connect to your bank's website (www.mybank.com) over HTTPS. Unfortunately, an attacker has managed to gain control of your local DNS resolver and directs you to a server under his control (10.0.0.2) instead of the real bank server (10.0.0.1). Will HTTPS protect you from this attack? Please take two or three sentences to justify your answer.
Suppose you receive an email and click on a link to https://www.bankofthevvest.com (note: vvest, not west). Assume that www.bankofthevvest.com is under the attacker's complete control. Will your browser provide any indication that the site you are visiting is not legitimate? If not, explain why. If so, how would it likely show up?
In Project #5 we introduced the FetchModel function in your controllers that fetched data from the server. We had you implement the fetching using XMLHttpRequest. In order to prevent unwanted behavior in Angular, we suggested that you use $scope.$apply. Had the implementation used the AngularJS services $resource or $http, the suggestion to use $scope.$apply wouldn't have been needed. Explain the problem that necessitated $scope.$apply and why it wasn't needed with the AngularJS model fetching services.
The following is Express.js handler code for a particular URL with an "id" parameter.
A. What will go wrong in the following code, and why?
B. How would you fix it?

    var user_photos = [];
    Photo.find({user_id: request.params.id}, function (err, photos) {
        if (err) {
            response.status(400).send(JSON.stringify(err));
            return;
        }
        // process photos...
        user_photos = photos;
    });
    response.status(200).send(JSON.stringify(user_photos));
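To see the ordering problem in the handler above, here is an added example (not from the exam or the course code) that replaces Photo.find with a stand-in that queues its callback the way an asynchronous database query does, runs the handler against a recording response object, and then shows the corrected handler; the photo records and the helper names are constructed for the demo.

```javascript
// Constructed photo records standing in for the Photo collection.
const SAMPLE_PHOTOS = [{ _id: 'p1', user_id: 'u1', file_name: 'a.jpg' }];

// Stand-in for the asynchronous Photo.find: the callback is queued and only runs
// after the handler has returned, which is what a real query does via the event loop.
const pending = [];
const Photo = {
  find(query, callback) {
    pending.push(() => callback(null, SAMPLE_PHOTOS.filter(p => p.user_id === query.user_id)));
  }
};
function deliverQueryResults() { while (pending.length) pending.shift()(); }

// Stand-in for an Express response that records what was sent.
function makeResponse() {
  const res = { code: null, body: null };
  res.status = function (c) { res.code = c; return res; };
  res.send = function (b) { res.body = b; return res; };
  return res;
}

// The handler as written on the exam: send() runs before the callback has
// assigned user_photos, so the client always receives "[]".
function buggyHandler(request, response) {
  var user_photos = [];
  Photo.find({ user_id: request.params.id }, function (err, photos) {
    if (err) { response.status(400).send(JSON.stringify(err)); return; }
    user_photos = photos;
  });
  response.status(200).send(JSON.stringify(user_photos));
}

// Fix: send the response from inside the callback, once the data has arrived.
function fixedHandler(request, response) {
  Photo.find({ user_id: request.params.id }, function (err, photos) {
    if (err) { response.status(400).send(JSON.stringify(err)); return; }
    response.status(200).send(JSON.stringify(photos));
  });
}

// Run a handler for a request whose :id parameter is `id`, then let the "database" answer.
function run(handler, id) {
  const res = makeResponse();
  handler({ params: { id: id } }, res);
  deliverQueryResults();
  return { code: res.code, body: res.body };
}
```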
A software engineering course at Stanford had students build a web server with a focus on a clean modular decomposition where each module was free of code with knowledge belonging to another module. One group proposed the following processing pipeline for HTTP requests:
In the class projects we used a simple Node.js web server program (webServer.js) running in the local environment to allow the browser to fetch the project files from the local file system. Browsers are perfectly capable of fetching files from the local file system using URLs specifying the "file:" protocol. Explain the reason we couldn't just use the "file:" protocol to fetch the various pieces of our web application given that everything fetched was coming from the local machine.
Consider the following Express.js program:

    var express = require('express');
    var app = express();
    app.use(function(request, response, next) {
        request.value = 'foo';
        next();
    });
    app.get('/test', function (request, response) {
        response.status(200).send(request.value);
    });
    app.use(function(request, response, next) {
        request.value = 'bar';
        next();
    });
    app.get('/test2/:test3', function (request, response) {
        var paramValue = request.params.test3;
        var queryValue = request.query.test3;
        response.status(200).send((paramValue === '4' && queryValue === '5') ? 'baz' : 'qux');
    });
    app.use(function (request, response, next) {
        response.status(404).send('N/A');
    });
    app.listen(3000, function () {});

Answer the following questions. Hint: When processing requests, ExpressJS executes app.use and matching app.get callbacks in the order in which the app.* statements are executed.
A. Write down the response that the web server sends back for a GET /test request.
B. Write down the response that the web server sends back for a GET /test3 request.
C. Write down the type of request (specify verb + url) that should be made to get a 'qux' response. Please include any necessary url path components or query strings. (e.g., sample (incorrect) answer: GET /test?q=hi)
D. Write down the type of request (specify verb + url) that should be made to get a 'baz' response. Please include any necessary url path components or query strings. (see sample answer above)
REST and GraphQL are two different protocols used to fetch model data for web applications. Assume you have a web application with users located in countries where connections to the web app's backend servers use low bandwidth networks with long round trip times. Is either REST or GraphQL advantageous over the other under these communication characteristics? Justify your answer.
Which of the components in an MVC pattern would be inappropriate to put on a Content Distribution Network? Justify your answer.