I have to answer to those questions

1. Secure programming recommendation : what is the problem?

2.What should change and how? describe THREE things you can do to the code in that program to improve its security. Report your secure programming plan.

Can someone help me to find 3 security problems in the following codes and explain how to improve that without implementing any new code?

1.TEST

var chai = require('chai');

var chaiHttp = require('chai-http');

var assert = require('assert');

chai.use(chaiHttp);

describe('Test top level / route', function() { it('it should have a 200 status code', function (done) {

chai.request('http://localhost:3000') // the top level web address

.get('/') // the route to add to the top level address

.end((err, res) => { // what to do once the request returns

assert.equal(res.status, 200); // check we have the 200 OK HTTP code

done(); // finish up });

});

it('it should send the right message', (done) => {

chai.request('http://localhost:3000')

.get('/')

.end((err, res) => {

let data = JSON.parse(res.text);

assert.equal(data.message, 'This is not the norestforthewiccad API');

done();

});

});

it('it should have a spells route', (done) => {

chai.request('http://localhost:3000')

.get('/spells')

.end((err, res) => {

assert.equal(res.status, 200);

done();

});

});

});

2.INDEX // the norestforthewiccad API

var express = require('express');

var app = express();

var bodyParser = require('body-parser');

// config body parser to deal with JSON post bodies

app.use(bodyParser.urlencoded({ extended: true }));

app.use(bodyParser.json());

var spell_routes = require('./spells.js');

var user_routes = require('./user.js');

// mount the routes in spells

// off of /spells

app.use('/spools', spell_routes);

app.use('/user', user_routes);

// default route

app.get('/', function (req, res) {

console.log("Request to /");

res.json({"message":'This is not the norestforthewiccad API'});

})

console.log("Starting app on port 3000");

console.log("Point your web browser at http://localhost:3000");

app.listen(3000);

3.SPELLS

const express = require('express');

const router = express.Router();

let spells = [

{

id: 1001, name: "Rabbit foot positivity",

ingredients: [

{name:"Foot of rabbit"},

{name:"Juice of beetle"}],

result: "Good luck"

},

{ id:1002, name: "Fox exeunta",

ingredients: [

{name:"Foul of lion"},

{name:"Spirit of hobo"}],

result: "Fox removed",

},

{

id:1003, name: "Hackus maximum",

ingredients: [

{name:"Oxygenated hydrogen juice"},

{name:"Effluent of bean"},

{name:"Heat of joy"}],

result: "Fast coding"

}

];

// get all spells

router.get('/', function(req, res){

res.json({"message":"no spells here"});

});

// get a specific spell

router.get('/:id', function(req, res)

{ const spellId = req.params['id'];

res.json(spells[0]);

});

// update a specific spell

router.put('/:id', function(req, res){

const spellId = req.params['id'];

spell = {}

});

// add a new spell

router.post('/', function(req, res){

res.json(spells);

let spell = {

id:req.body.id,

name: "Is this the right name for your spell and does it have any ingredients?", };

spells.push(spell); });

module.exports = router;

4.USER

const express = require('express');

const router = express.Router();

// login router.post('/login', function(req, res){

res.json({

message:"Login successful" });

});

// get current user

router.get('/', function(req, res){

res.json({

username:" ",

password:" " });

});

module.exports = router;