Skip to content
/ bookshop-go Public
forked from andey-robins/bookshop-go

A simple book store API for input validation/sanitization assignments for Secure Software Design at the University of Wyoming

License

GPL-3.0 license
0 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Morgan-Sinclaire/bookshop-go

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
db
db
 
 
handlers
handlers
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
init.sql
init.sql
 
 
main.go
main.go
 
 

Repository files navigation

bookshop-go

A simple book store API in need of input validation/sanitization.

This is a part of the University of Wyoming's Secure Software Design Course (Spring 2023). This is the base repository to be forked and updated for various assignments. Alternative language versions are available in:

Versioning

bookshop-go is buit with:

  • go version go1.19.3 darwin/arm64

Usage

Start the api using go run main.go.

I recommend using httpie for testing of HTTP endpoints on the terminal. Tutorials are available elsewhere online, and you're free to use whatever tools you deem appropriate for testing your code.

Analysis of Existing Code

First of all, this original code was missing a lot of needed "rows.Next()" lines that caused errors. However, as written it is safe against SQL injections. For instance, if CreateBook() were written as:

database.Exec(fmt.Sprintf(INSERT INTO Books (title, author, price) VALUES (%s, %s, %s);, title, author, price))

then anything could be inputted into the title, author, and price fields, and db.Exec() would simply run it blindly. However, the code instead parametrizes these fields within that function:

database.Exec(INSERT INTO Books (title, author, price) VALUES (?, ?, ?);, title, author, price)

When given multiple parameters, db.Exec() automatically sanitizes the optional parameters for SQL injections, or if they're simply too long.

On the other hand, the price field could be any float32. But we don't want negative prices, so we must manually validate this.

Furthermore, we can make the following post request successfully:

{ "Title": "Dune", "Author": "Frank Herbert" }

If we do so, it will add that book to the database with a price of 0. This is because we didn't give a price, and the existing handlers will have it default to 0. This is bad, since we want the listing for each book to be complete and accurate.

The code we have now validates that there are no missing fields, and that a book's price is positive.

Acknowledgements: I have no idea about JSON stuff. I worked with Long, but he was unfamiliar with how to do this with Go syntax. So I asked ChatGPT and it wrote all the code for these "create" functions, I checked that it ran, and Long could see that the code made sense. He then wrote code inspired by this, but since I have no shame I left it as is, and added some logging.

About

A simple book store API for input validation/sanitization assignments for Secure Software Design at the University of Wyoming

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%