
As you can see here: https://github.com/visionmedia/express/blob/master/examples/multipart/index.js Express supports file uploads by default and stores each uploaded file in the temp folder for later use.

My question is: Is it safe?

As I see it, an attacker can fill up the whole temp folder with garbage files without any control over it. Should I check each POST request and delete any unused file?

Moshe Simantov
  • Here’s a similar question that may provide an answer: http://stackoverflow.com/questions/11295554/how-to-disable-express-bodyparser-for-file-uploads-node-js – Todd Yandell Sep 02 '12 at 01:13
  • Thanks, I saw that. This solution disables all file uploads for all requests. What I'm looking for is enabling it only for a few requests. – Moshe Simantov Sep 04 '12 at 13:21

1 Answer

Let me suggest two solutions to your problem.

  1. Use a virtual drive for your upload location. If your server is running on Linux, it is very easy to mount a virtual file system which is in memory only. The files will be placed there faster than if it was on a real hard drive, and if you have problems like the one you describe, it is only a matter of cleaning out the virtual drive or restarting the server. Look at this article for an explanation of RAM disks.
  2. Make sure that you only accept a maximum number of x uploads from the same IP address during a 24 hour period. Combine this solution with solution 1 for maximum effect. One way of implementing this is to have a global object with upload counts for each IP address, and then clear it out every 24 hours.

    var fs = require('fs');
    var maxUploadsAllowedPrUser = 10; // Uploads allowed per IP address per 24 hours

    var uploads = {}; // IP address -> number of uploads kept in the current period
    setInterval(function(){
      uploads = {};
    }, 24*60*60*1000); // Reset the counts every 24 hours

    // `file` is the path of the temp file the multipart parser wrote for this request
    var onUpload = function(request, file){
      var count = uploads[request.ip] || 0; // Undefined would otherwise give NaN on ++
      if(count >= maxUploadsAllowedPrUser)
        fs.unlink(file, function(err){ if(err) console.error(err); }); // Over the limit: delete the file
      else
        uploads[request.ip] = count + 1; // Keep the file, and increase the count
    };
    
ExxKA