Comments (6)
This was a thoughtful post. If multer is used globally, multer is exposed to these vulnerabilities. But if the middleware is placed directly on the route, the security concerns are mitigated. I just wrote a doc explaining how to do this.
from multer.
Not entirely, you still have to check all the files in req.files and delete any you are not expecting. I have seen quite a few examples that only check for req.files.images, for example, with no limit set (I have not seen any set a limit), which means an attacker could upload a file to req.files.bad to bypass any check made. Even with a limit set you could just upload to req.files.bad and watch the code return an error as you did not set req.files.images... but by this point your file is already on the server. Unless you check all files in req.files.images and set multer middleware on only the expected routes you are vulnerable.
from multer.
Yes, I see now. I've set up some tests and verified this. As a side-effect, one of the tests showed that surpassing the file limit creates a condition where multer never "finishes" the current process of parsing files: so the server hangs. I'm gonna try to fix this now and then add in support for "explicitFields." I already have a pull request to add in-memory parsing (no automatic write-to-disk). So hopefully these can get merged in or else I may clutter up the code. When I get my tests done, I'll drop a message on this thread to get your thoughts if what I'm looking at is right/wrong/needs nudging.
from multer.
I added support for fieldNameSize limitations in busboy and initiated a pull request. Once that lib gets updated, we can work through hardening multer and will report back here.
from multer.
👍
from multer.
@James147 I believe this to be solved by the newly released version 1.0.0. Please reopen if you have any further comments on how we could improve the security.
from multer.