Securing File Uploads in Node.js Express: A Comprehensive Guide

Saturday, 08/04/2023

Tram Ho

File uploads are a common feature in modern web applications. Users can submit images, videos, documents, and other types of files to interact with the service. However, file uploads also bring potential security risks. This article will provide you with an in-depth, visual guide to securing file uploads in a Node.js Express application. Follow along to ensure your app remains safe and efficient.

1. Understanding the Risks of File Uploads

Before diving into the security measures, it’s essential to understand the potential risks associated with file uploads. Some of these risks include:

Malicious file uploads: Attackers may upload files containing harmful scripts that could compromise your application or server.
Denial of Service (DoS) attacks: A large number of file uploads can exhaust server resources, causing the app to become unresponsive.
Sensitive data exposure: Unauthorized users may gain access to files containing sensitive information.

2. Setting Up a Basic Node.js Express Application

To demonstrate how to secure file uploads, let’s set up a basic Node.js Express application. Begin by installing the required packages:

<span class="token function">npm</span> init -y
<span class="token function">npm</span> <span class="token function">install</span> express multer

npm init -y

npm install express multer

Next, create an app.js file and import the necessary modules:

<span class="token keyword">const</span> express <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'express'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">const</span> multer <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'multer'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token keyword">const</span> app <span class="token operator">=</span> <span class="token function">express</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">const</span> port <span class="token operator">=</span> process<span class="token punctuation">.</span>env<span class="token punctuation">.</span><span class="token constant">PORT</span> <span class="token operator">||</span> <span class="token number">3000</span><span class="token punctuation">;</span>

app<span class="token punctuation">.</span><span class="token function">listen</span><span class="token punctuation">(</span>port<span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  console<span class="token punctuation">.</span><span class="token function">log</span><span class="token punctuation">(</span><span class="token template-string"><span class="token template-punctuation string">`</span><span class="token string">Server running at http://localhost:</span><span class="token interpolation"><span class="token interpolation-punctuation punctuation">${</span>port<span class="token interpolation-punctuation punctuation">}</span></span><span class="token template-punctuation string">`</span></span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

const express = require('express');

const multer = require('multer');

const app = express();

const port = process.env.PORT || 3000;

app.listen(port, () => {

console.log(`Server running at http://localhost:${port}`);

});

3. Implementing File Uploads with Multer

Multer is a popular middleware for handling file uploads in Express. Begin by configuring Multer and setting up the storage engine:

<span class="token keyword">const</span> storage <span class="token operator">=</span> multer<span class="token punctuation">.</span><span class="token function">diskStorage</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  <span class="token function-variable function">destination</span><span class="token operator">:</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> file<span class="token punctuation">,</span> cb</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
    <span class="token function">cb</span><span class="token punctuation">(</span><span class="token keyword">null</span><span class="token punctuation">,</span> <span class="token string">'./uploads'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span><span class="token punctuation">,</span>
  <span class="token function-variable function">filename</span><span class="token operator">:</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> file<span class="token punctuation">,</span> cb</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
    <span class="token keyword">const</span> uniqueSuffix <span class="token operator">=</span> Date<span class="token punctuation">.</span><span class="token function">now</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token string">'-'</span> <span class="token operator">+</span> Math<span class="token punctuation">.</span><span class="token function">round</span><span class="token punctuation">(</span>Math<span class="token punctuation">.</span><span class="token function">random</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">*</span> <span class="token number">1e9</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token function">cb</span><span class="token punctuation">(</span><span class="token keyword">null</span><span class="token punctuation">,</span> file<span class="token punctuation">.</span>fieldname <span class="token operator">+</span> <span class="token string">'-'</span> <span class="token operator">+</span> uniqueSuffix<span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span><span class="token punctuation">,</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token keyword">const</span> upload <span class="token operator">=</span> <span class="token function">multer</span><span class="token punctuation">(</span><span class="token punctuation">{</span> storage <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

const storage = multer.diskStorage({

destination: (req, file, cb) => {

cb(null, './uploads');

},

filename: (req, file, cb) => {

const uniqueSuffix = Date.now() + '-' + Math.round(Math.random() * 1e9);

cb(null, file.fieldname + '-' + uniqueSuffix);

},

});

const upload = multer({ storage });

Now, create a route for file uploads:

app<span class="token punctuation">.</span><span class="token function">post</span><span class="token punctuation">(</span><span class="token string">'/upload'</span><span class="token punctuation">,</span> upload<span class="token punctuation">.</span><span class="token function">single</span><span class="token punctuation">(</span><span class="token string">'file'</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> res</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">200</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'File uploaded successfully.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

app.post('/upload', upload.single('file'), (req, res) => {

res.status(200).send({ message: 'File uploaded successfully.' });

});

4. Securing File Uploads

4.1 Limit File Size

The first security measure is to limit the file size. This can help prevent DoS attacks and reduce the risk of running out of server resources. Set a file size limit when configuring Multer:

<span class="token keyword">const</span> upload <span class="token operator">=</span> <span class="token function">multer</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  storage<span class="token punctuation">,</span>
  limits<span class="token operator">:</span> <span class="token punctuation">{</span> fileSize<span class="token operator">:</span> <span class="token number">2</span> <span class="token operator">*</span> <span class="token number">1024</span> <span class="token operator">*</span> <span class="token number">1024</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token comment">// 2MB</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

storage,

limits: { fileSize: 2 * 1024 * 1024 }, // 2MB

});

4.2 Validate File Types

Ensure that only specific file types are allowed. This reduces the risk of malicious file uploads. Add a file filter function to the Multer configuration:

<span class="token keyword">const</span> allowedFileTypes <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token string">'image/jpeg'</span><span class="token punctuation">,</span> <span class="token string">'image/png'</span><span class="token punctuation">,</span> <span class="token string">'image/gif'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>

<span class="token keyword">const</span> <span class="token function-variable function">fileFilter</span> <span class="token operator">=</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> file<span class="token punctuation">,</span> cb</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  <span class="token keyword">if</span> <span class="token punctuation">(</span>allowedFileTypes<span class="token punctuation">.</span><span class="token function">includes</span><span class="token punctuation">(</span>file<span class="token punctuation">.</span>mimetype<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token function">cb</span><span class="token punctuation">(</span><span class="token keyword">null</span><span class="token punctuation">,</span> <span class="token boolean">true</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span>
    <span class="token function">cb</span><span class="token punctuation">(</span><span class="token keyword">null</span><span class="token punctuation">,</span> <span class="token boolean">false</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>

<span class="token keyword">const</span> upload <span class="token operator">=</span> <span class="token function">multer</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  storage<span class="token punctuation">,</span>
  limits<span class="token operator">:</span> <span class="token punctuation">{</span> fileSize<span class="token operator">:</span> <span class="token number">2</span> <span class="token operator">*</span> <span class="token number">1024</span> <span class="token operator">*</span> <span class="token number">1024</span> <span class="token punctuation">}</span><span class="token punctuation">,</span>
  fileFilter<span class="token punctuation">,</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

const allowedFileTypes = ['image/jpeg', 'image/png', 'image/gif'];

const fileFilter = (req, file, cb) => {

if (allowedFileTypes.includes(file.mimetype)) {

cb(null, true);

} else {

cb(null, false);

}

};

storage,

fileFilter,

});

4.3 Handle Rejected Files

When a file is rejected, it’s essential to provide the user with an appropriate error message. Update the /upload route to handle rejected files:

app<span class="token punctuation">.</span><span class="token function">post</span><span class="token punctuation">(</span><span class="token string">'/upload'</span><span class="token punctuation">,</span> upload<span class="token punctuation">.</span><span class="token function">single</span><span class="token punctuation">(</span><span class="token string">'file'</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> res</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>req<span class="token punctuation">.</span>file<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">400</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'Invalid file type or file too large.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>
  res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">200</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'File uploaded successfully.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

if (!req.file) {

return res.status(400).send({ message: 'Invalid file type or file too large.' });

}

});

4.4 Scan Files for Malware

To further protect your application, scan uploaded files for malware. One option is to use the ClamAV antivirus engine. Install the clamscan package:

<span class="token function">npm</span> <span class="token function">install</span> clamscan

1 2	<span class="token function">npm</span> <span class="token function">install</span> clamscan

Then, import and configure the ClamScan module:

<span class="token keyword">const</span> <span class="token punctuation">{</span> NodeClam <span class="token punctuation">}</span> <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'clamscan'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">const</span> clamscan <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">NodeClam</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

clamscan<span class="token punctuation">.</span><span class="token function">init</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  clamdscan<span class="token operator">:</span> <span class="token punctuation">{</span>
    path<span class="token operator">:</span> <span class="token string">'/usr/bin/clamdscan'</span><span class="token punctuation">,</span> <span class="token comment">// Path to clamdscan binary on your server</span>
    config_file<span class="token operator">:</span> <span class="token string">'/etc/clamd.d/scan.conf'</span><span class="token punctuation">,</span> <span class="token comment">// Path to ClamAV config file on your server</span>
  <span class="token punctuation">}</span><span class="token punctuation">,</span>
  preference<span class="token operator">:</span> <span class="token string">'clamdscan'</span><span class="token punctuation">,</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

const { NodeClam } = require('clamscan');

const clamscan = new NodeClam();

clamscan.init({

clamdscan: {

path: '/usr/bin/clamdscan', // Path to clamdscan binary on your server

config_file: '/etc/clamd.d/scan.conf', // Path to ClamAV config file on your server

},

preference: 'clamdscan',

});

Scan the uploaded file for malware in the/upload route:

app<span class="token punctuation">.</span><span class="token function">post</span><span class="token punctuation">(</span><span class="token string">'/upload'</span><span class="token punctuation">,</span> upload<span class="token punctuation">.</span><span class="token function">single</span><span class="token punctuation">(</span><span class="token string">'file'</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token keyword">async</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> res</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  <span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token operator">!</span>req<span class="token punctuation">.</span>file<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword">return</span> res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">400</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'Invalid file type or file too large.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>

  <span class="token keyword">try</span> <span class="token punctuation">{</span>
    <span class="token keyword">const</span> scanResult <span class="token operator">=</span> <span class="token keyword">await</span> clamscan<span class="token punctuation">.</span><span class="token function">scan_file</span><span class="token punctuation">(</span>req<span class="token punctuation">.</span>file<span class="token punctuation">.</span>path<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">if</span> <span class="token punctuation">(</span>scanResult<span class="token punctuation">.</span>is_infected<span class="token punctuation">)</span> <span class="token punctuation">{</span>
      fs<span class="token punctuation">.</span><span class="token function">unlinkSync</span><span class="token punctuation">(</span>req<span class="token punctuation">.</span>file<span class="token punctuation">.</span>path<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// Delete infected file</span>
      <span class="token keyword">return</span> res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">400</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'File is infected with malware.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
    res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">200</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'File uploaded successfully.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span> <span class="token keyword">catch</span> <span class="token punctuation">(</span>error<span class="token punctuation">)</span> <span class="token punctuation">{</span>
    res<span class="token punctuation">.</span><span class="token function">status</span><span class="token punctuation">(</span><span class="token number">500</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">send</span><span class="token punctuation">(</span><span class="token punctuation">{</span> message<span class="token operator">:</span> <span class="token string">'Error scanning file for malware.'</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

app.post('/upload', upload.single('file'), async (req, res) => {

}

try {

const scanResult = await clamscan.scan_file(req.file.path);

if (scanResult.is_infected) {

fs.unlinkSync(req.file.path); // Delete infected file

return res.status(400).send({ message: 'File is infected with malware.' });

}

} catch (error) {

res.status(500).send({ message: 'Error scanning file for malware.' });

}

});

Don’t forget to import the fs module:

<span class="token keyword">const</span> fs <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'fs'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

1 2	<span class="token keyword">const</span> fs <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'fs'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

4.5 Store Files Outside the Web Root

Storing uploaded files outside the web root helps prevent direct access to those files. In this example, we’ll use the uploads folder, which should be outside your web root directory.

<span class="token keyword">const</span> storage <span class="token operator">=</span> multer<span class="token punctuation">.</span><span class="token function">diskStorage</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  <span class="token function-variable function">destination</span><span class="token operator">:</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> file<span class="token punctuation">,</span> cb</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
    <span class="token function">cb</span><span class="token punctuation">(</span><span class="token keyword">null</span><span class="token punctuation">,</span> <span class="token string">'../uploads'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span><span class="token punctuation">,</span>
  <span class="token comment">// ...</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

cb(null, '../uploads');

},

// ...

});

4.6 Serve Files Securely

To serve files securely, create a new route that verifies the user’s authorization and serves the file using the res.sendFile() method:

app<span class="token punctuation">.</span><span class="token function">get</span><span class="token punctuation">(</span><span class="token string">'/files/:filename'</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token parameter">req<span class="token punctuation">,</span> res</span><span class="token punctuation">)</span> <span class="token operator">=&gt;</span> <span class="token punctuation">{</span>
  <span class="token comment">// Verify user authorization here</span>

  <span class="token keyword">const</span> filename <span class="token operator">=</span> req<span class="token punctuation">.</span>params<span class="token punctuation">.</span>filename<span class="token punctuation">;</span>
  <span class="token keyword">const</span> filePath <span class="token operator">=</span> path<span class="token punctuation">.</span><span class="token function">join</span><span class="token punctuation">(</span><span class="token string">'../uploads'</span><span class="token punctuation">,</span> filename<span class="token punctuation">)</span><span class="token punctuation">;</span>
  res<span class="token punctuation">.</span><span class="token function">sendFile</span><span class="token punctuation">(</span>filePath<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

app.get('/files/:filename', (req, res) => {

// Verify user authorization here

const filename = req.params.filename;

const filePath = path.join('../uploads', filename);

res.sendFile(filePath);

});

Don’t forget to import the path module:

<span class="token keyword">const</span> path <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'path'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

1 2	<span class="token keyword">const</span> path <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">'path'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

Conclusion

By following this comprehensive guide, you can create a secure file upload system in a Node.js Express application. Implementing proper security measures, like limiting file size, validating file types, scanning files for malware, and serving files securely, will help protect your app from various risks associated with file uploads.

And Finally

As always, I hope you enjoyed this article and got something new.
Thank you and see you in the next articles!

If you liked this article, please give me a like and subscribe to support me. Thank you.

Ref

https://tuan200tokyo.blogspot.com/2023/04/blog212-securing-file-uploads-in-nodejs.html

Share the news now

Source : Viblo