6

I should implement an upload form I thought of using bodyparser but I read http://andrewkelley.me/post/do-not-use-bodyparser-with-express-js.html

so what's the way to upload a file with express using the mean stack ? may be formidable or other modules ?

Whisher
  • 31,320
  • 32
  • 120
  • 201

2 Answers2

6

That warning is specifically against adding the express.bodyparser middleware to your entire stack as it adds express.multipart to all POST endpoints and therefore file uploads are automatically accepted at all POST endpoints. By default the framework automatically saves any uploaded files to /tmp and so unless you are cleaning them up an attacker could flood your disk with uploaded files.

If you want to avoid using additional modules, what you should do is implement express.multipart on the endpoint(s) where you want to allow file uploads. Here's what I'm talking about:

var express = require("express")
  , app = express();

// middleware (no bodyparser here)
app.use(express.json());
app.use(express.urlencoded());

// average GET endpoint
app.get("/", function(req,res) {
  res.send('ok');
});

// average POST endpont
app.post("/login", function(req,res) {
  res.send('ok');
});

// File upload POST endpoint
app.post('/upload', express.multipart, function(req, res) {
  //File upload logic here
  //Make sure to delete or move the file accordingly here, otherwise files will pile up in `/tmp`
});

Note the inclusion of express.multipart in the file upload endpoint. This endpoint will now process multipart file uploads, and assuming you handle them correctly they won't be a threat.

Now, having told you all of this, Connect is moving to deprecate multipart due to this exact issue, but there don't seem to be any plans to add a stream based file upload replacement. What they instead recommend is that you use node-multiparty which uses streams to avoid ever placing a file on disk. However, there don't seem to be any good references I can find for using multiparty as a middleware without saving files though, so you'll have to contact the author of multiparty or take a closer look at the API for implementing it with Express.

Rob Riddle
  • 3,544
  • 2
  • 18
  • 26
  • The [answer to node.js - MEAN Stack File Uploads](http://stackoverflow.com/a/23066169/609021), outlines how to use node-multiparty as middleware without writing to disk... – Patrick Fowler Dec 25 '14 at 21:08
2

I created an example that uses Express & Multer - very simple, avoids all Connect warnings

https://github.com/jonjenkins/express-upload

Jon J
  • 491
  • 5
  • 8