I'm working on handling file uploads using express.js and node, and have the basic functionality working. What I need is to implement some security measures -- namely, to limit uploads to certain formats (PNG, JPEG). Is there an easy way to only allow certain formats? Would it go in the body-parser?
    app.use(express.bodyParser({
        uploadDir: __dirname + '/public/uploads',
        keepExtensions: true
    }));
    app.use(express.limit('4mb'));
Are there any other security measures that I should take into account? Is it generally a good idea to wipe EXIF data from the image?
Thanks,
Ben
The Formidable Module
There is a very good module for working with file uploads, called "Formidable".
According to the documentation for connect's bodyParser, any options are also passed to formidable, which does the actual form parsing.
According to the formidable docs, you can pass your own onPart handler:
incomingForm.onPart(part)
You may overwrite this method if you are interested in directly accessing the multipart stream. Doing so will disable any 'field' / 'file' events processing which would occur otherwise, making you fully responsible for handling the processing.
    incomingForm.onPart = function(part) {
      part.addListener('data', function() {
        // ...
      });
    }
If you want to use formidable to only handle certain parts for you, you can do so:
    incomingForm.onPart = function(part) {
      if (!part.filename) {
        // let formidable handle all non-file parts
        incomingForm.handlePart(part);
      }
    }
Taken together, you should be able to do something like this:
    function onPart(part) {
      // non-file fields and .jpg/.jpeg/.png files are handed to formidable;
      // any other file part is simply never handled, so it is not written out
      if (!part.filename || part.filename.match(/\.(jpg|jpeg|png)$/i)) {
        this.handlePart(part);
      }
    }
    app.use(express.bodyParser({onPart: onPart}));
Warning: I haven't tested any of this.
I found a potential solution:
In your middleware,
    if (req.files[key].type != 'image/png' && req.files[key].type != 'image/jpeg') {
      res.send(403);
    } else {
      next();
    }
Update: This doesn't actually stop the file from uploading, though.