for #101: only response to 6-char hash queries

db/utils.js

@@ -50,9 +50,13 @@ const DBUtils = {
   },
 
   async _getSha1EntriesFromPrefixAndDo(sha1Prefix, aFoundCallback, aNotFoundCallback) {
-    console.log("sha1Prefix: ", sha1Prefix);
+    // Only accept 6-character hash prefixes so requests:
+    // 1. can't get more than the intended hash range results FROM us
+    // 2. can't reveal a more specific hash query TO us
+    if (sha1Prefix.length !== 6) {
+      return await aNotFoundCallback();
+    }
     const existingEntries = await EmailHash.query().where("sha1", "like", sha1Prefix + "%").eager("breaches");
-    console.log("SQL: ", EmailHash.query().where("sha1", "like", sha1Prefix + "%").eager("breaches").toSql());
 
     if (existingEntries.length && aFoundCallback) {
       return await aFoundCallback(existingEntries);

routes/hibp-stubs.js

@@ -11,12 +11,14 @@ const urlEncodedParser = bodyParser.urlencoded({ extended: false });
 
 router.get("/api/v3/breachedaccount/range/:hashPrefix", urlEncodedParser, async (req, res) => {
   const hashPrefix = req.params.hashPrefix;
-  console.log("Received hash prefix: ", hashPrefix);
 
   const foundEntries = await DBUtils.getBreachesForHashPrefix(hashPrefix);
-  console.log("foundEntries: ", foundEntries);
 
-  res.render("range", {foundEntries});
+  if (!foundEntries.length) {
+    res.status(404).send("Not Found");
+  } else {
+    res.render("range", {foundEntries});
+  }
 });
 
 module.exports = router;