CS375: Software Engineering - Secure Code Review Assessment (100 Points)

Assignment Goals

The goals of this assignment are:
  1. To audit a piece of code for security vulnerabilities and identify each concrete flaw
  2. To classify each finding with its OWASP Top 10 category, CWE identifier, and a severity rating
  3. To propose a correct, specific fix for each finding
  4. To communicate the results as a clear, professional code-review report

Background Reading and References

Please refer to the following readings and examples offering templates to help get you started:

The Assignment

In this assessment you play the role of a security reviewer. Below is a small Node/Express login-and-notes handler, in the same style as the JWT/MVC example and the databases activity you studied. It contains several deliberately planted vulnerabilities. Your job is to find them, classify them, and propose fixes – exactly the skill you would apply reviewing a teammate’s pull request.

The Code Under Review

const express = require('express');
const jwt = require('jsonwebtoken');
const db = require('./db');
const app = express();
app.use(express.json());

const JWT_SECRET = "s3cr3t-do-not-share";   // (1)

// Log a user in
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const q = "SELECT * FROM Users WHERE name = '" + username +
            "' AND password = '" + password + "'";        // (2)
  db.query(q, (err, rows) => {
    if (err) return res.status(500).send(err.stack);       // (3)
    if (rows.length === 0) return res.status(401).send('bad login');
    const token = jwt.sign({ sub: rows[0].id, role: rows[0].role }, JWT_SECRET);  // (4)
    res.json({ token });
  });
});

// Read a note by id
app.get('/notes/:id', (req, res) => {
  const token = req.headers.authorization;
  const user = jwt.decode(token);                          // (5)
  db.query("SELECT * FROM Notes WHERE id = ?", [req.params.id], (err, rows) => {
    const note = rows[0];
    res.send('<h1>' + note.title + '</h1><p>' + note.body + '</p>');  // (6) (7)
  });
});

app.listen(3000);

What to Do

Write a secure code-review report. For each vulnerability you find, provide an entry with:

  1. Location – the line or numbered marker, and a one-line description of the flaw.
  2. Classification – the OWASP Top 10 category and the CWE identifier.
  3. Severity – low / medium / high / critical, with a one-sentence justification (a CVSS-style rationale is welcome).
  4. Impact – what an attacker could actually do, in terms of the CIA triad.
  5. Fix – a specific, root-cause remediation (show corrected code where helpful), and note any test or defense-in-depth measure that should accompany it.

Prioritize your report by severity (most serious first). There are more than three issues here; aim for thorough coverage, and do not pad your report with false positives – accuracy counts as much as coverage.

Submission

Submit your report (Markdown or PDF) as directed. This assessment is graded with the rubric above; note that identification, correct classification, and correct fixes are weighted separately, so a finding you cannot classify or fix is worth partial, not full, credit – just as in a real review.

Submission

In your submission, please include answers to any questions asked on the assignment page, as well as the questions listed below, in your README file. If you wrote code as part of this assignment, please describe your design, approach, and implementation in a separate document prepared using a word processor or typesetting program such as LaTeX. This document should include specific instructions on how to build and run your code, and a description of each code module or function that you created suitable for re-use by a colleague. In your README, please include answers to the following questions:
  • Describe what you did, how you did it, what challenges you encountered, and how you solved them.
  • Please answer any questions found throughout the narrative of this assignment.
  • If collaboration with a buddy was permitted, did you work with a buddy on this assignment? If so, who? If not, do you certify that this submission represents your own original work?
  • Please identify any and all portions of your submission that were not originally written by you (for example, code originally written by your buddy, or anything taken or adapted from a non-classroom resource). It is always OK to use your textbook and instructor notes; however, you are certifying that any portions not designated as coming from an outside person or source are your own original work.
  • Approximately how many hours it took you to finish this assignment (I will not judge you for this at all...I am simply using it to gauge if the assignments are too easy or hard)?
  • Your overall impression of the assignment. Did you love it, hate it, or were you neutral? One word answers are fine, but if you have any suggestions for the future let me know.
  • Using the grading specifications on this page, discuss briefly the grade you would give yourself and why. Discuss each item in the grading specification.
  • Any other concerns that you have. For instance, if you have a bug that you were unable to solve but you made progress, write that here. The more you articulate the problem the more partial credit you will receive (it is fine to leave this blank).

Assignment Rubric

Description Pre-Emerging (< 50%) Beginning (50%) Progressing (85%) Proficient (100%)
Vulnerability Identification (Coverage) (40%) Few or no genuine vulnerabilities are identified, or reported issues are not real security flaws Some vulnerabilities are identified but several of the planted flaws are missed Most of the planted vulnerabilities are identified, with few false positives Nearly all planted vulnerabilities are identified with essentially no false positives, and the reviewer notes where a flaw could have further downstream impact
Classification (OWASP / CWE / Severity) (25%) Findings are not classified, or classifications are largely incorrect Some findings carry an OWASP or CWE label, but categories or severities are frequently wrong Most findings are correctly mapped to an OWASP category and CWE with a reasonable severity Each finding is correctly mapped to its OWASP category and CWE, with a justified severity (e.g., a CVSS-style rationale) reflecting real impact
Proposed Fixes (25%) Fixes are missing or would not resolve the vulnerability Fixes are suggested but are vague, incomplete, or address symptoms rather than the root cause Each significant finding has a specific fix that addresses the root cause Each finding has a specific, correct fix addressing the root cause, and the reviewer notes when a defense-in-depth measure or a test should accompany it
Report Clarity and Professionalism (10%) The report is disorganized or a reader cannot act on it The report lists findings but is hard to follow or inconsistent The report is well organized, with one clear entry per finding The report is clear and professional, prioritizes findings by severity, and a developer could remediate directly from it

Please refer to the Style Guide for code quality examples and guidelines.