File upload via multer with security in uploads folder which is locked - node.js

I want to upload files to a folder via multer, and that part is working fine:
// Disk storage engine: every accepted file is written into ./uploads under a
// server-generated name of the form <fieldname>-<timestamp><extension>.
// The extension is copied from file.originalname, which is supplied by the
// client, so the stored file can carry whatever extension the uploader chose.
// NOTE(review): multer only writes into the folder; restricting who can read
// ./uploads has to be done outside this code (file-system permissions, not
// exposing the folder through a static route, an authenticated download
// handler) - confirm how the folder is served.
var storage = multer.diskStorage({
  destination: (req, file, cb) => {
    cb(null, "./uploads"); // storage location
  },
  filename: (req, file, cb) => {
    cb(null, `${file.fieldname}-${Date.now()}${path.extname(file.originalname)}`);
  },
});

var upload = multer({ storage });

// Accept up to 10 files posted under the form field "data[w_1]".
var acceptedFields = [{ name: 'data[w_1]', maxCount: 10 }];
var uploadMultiple = upload.fields(acceptedFields);
But I want to lock the uploads folder with a password for security reasons. How can I upload files via multer into a locked folder?
Any suggestions for making my folder more secure are welcome.

Related

How to upload summernote images to nodejs server

I have the following input (shown in the picture above). I get MulterError: Unexpected field whenever I upload an image through both the file field and summernote, but when I upload an image only through the file input I don't get an error. Here is the code for my route:
const helpers = require("../../helpers/helpers");
// Files are written to public/uploads as <fieldname>-<timestamp>, with no
// extension. NOTE(review): a folder under public/ is presumably served
// statically - confirm, since anything stored here would then be downloadable.
const storage = multer.diskStorage({
  destination(req, file, cb) {
    cb(null, "public/uploads");
  },
  filename(req, file, cb) {
    cb(null, `${file.fieldname}-${Date.now()}`);
  },
});

// helpers.imageFilter decides which files are accepted; it is defined elsewhere.
const upload = multer({ storage, fileFilter: helpers.imageFilter });

// upload.fields() accepts files only under the field names listed here; a file
// posted under any other field name is rejected with
// "MulterError: Unexpected field".
const acceptedFields = [
  { name: 'photo', maxCount: 1 },
  { name: 'markdown', maxCount: 60 },
];
const cpUpload = upload.fields(acceptedFields);

// The login check runs before multer, so the upload is parsed only after
// middleware.isLoggedInBlogger has passed the request on.
router.post('/newpost', middleware.isLoggedInBlogger, cpUpload, blogController.newBlog);
How does one upload images when the form has both a summernote editor and a file input field?

multipart file upload not working using multer's diskStorage

nodejs
I am using multer to upload file in nodejs. The below code seems to work fine.
// `dest` shorthand: multer sets up its own disk storage under uploads/ and
// chooses the stored file name itself.
const upload = multer({
  dest: "uploads/",
});
But the code below doesn't work.
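// Disk storage that prefixes the client's file name with an ISO timestamp.
// When `destination` is a function, multer does not create the directory for
// you: ./uploads/ must already exist.
const storage = multer.diskStorage({
  destination: function (req, file, cb) {
    cb(null, "./uploads/");
  },
  filename: function (req, file, cb) {
    // toISOString() contains ':' (e.g. 2020-01-01T12:00:00.000Z), which is not
    // a valid character in Windows file names, so the write fails there - a
    // likely reason this config fails while `dest` works. Swap the colons out.
    const timestamp = new Date().toISOString().replace(/:/g, "-");
    // NOTE(review): file.originalname is chosen by the client; the stored name
    // therefore contains client-controlled text.
    cb(null, timestamp + file.originalname);
  },
});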
Any idea on how to solve it?

how to store images on heroku

I am trying to store images on the Heroku server in the ./public/uploades folder, but when I try to fetch the images I get 404 Not Found. Is there any way to store images on Heroku other than AWS S3?
// Disk storage: files are written to ./public/uploades as
// <fieldname>-<timestamp><extension>. The extension comes from the
// client-supplied original file name.
const storage = multer.diskStorage({
  destination: (req, file, cb) => {
    cb(null, "./public/uploades"); // storage config
  },
  filename: (req, file, callback) => {
    callback(null, `${file.fieldname}-${Date.now()}${path.extname(file.originalname)}`);
  },
});

// Reject any single file larger than 5,000,000 bytes.
const upload = multer({ storage, limits: { fileSize: 5000000 } });
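// Serve one previously uploaded image, selected by the `file` query parameter.
// Responds 400 when the parameter is missing or is not a plain file name.
app.get("/fetchimage/", (req, res) => {
  const requested = req.query.file;

  // The query string is controlled by the client: the value can be absent, an
  // array or an object, so accept a non-empty string only.
  if (typeof requested !== "string" || requested.length === 0) {
    return res.sendStatus(400);
  }

  // path.join() normalises "../" segments, so joining the raw value onto the
  // upload folder could resolve to a file outside it (application source,
  // config files). Accept only a bare file name with no directory part.
  const safeName = path.basename(requested);
  if (safeName !== requested) {
    return res.sendStatus(400);
  }

  // With `root` set, sendFile resolves the name inside the upload folder and
  // refuses anything that would leave it.
  res.sendFile(safeName, { root: path.join(__dirname, "public", "uploades") });
});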
Heroku does not allow storing any files other than those in git. However, you can use https://cloudinary.com for image uploads; it's free.

Multer 'storage' option does not work while 'dest' one does

I'm using Multer to upload and store files. If I use the dest option, files upload to my /uploads folder with no problem. While this works, it saves the uploads under names like 2eb3f1a6def453f7a461c5de353b06f8, so I want to use the storage option instead. For some reason this doesn't work for me: the files upload (they are logged in the console) but won't save to the folder.
I've tried a few different ways of achieving this and none work. Can anyone point out what might be wrong?
{
fieldname: 'attachments',
originalname: 'myFile.pdf',
encoding: '7bit',
mimetype: 'application/pdf',
destination: 'uploads/',
filename: '2eb3f1a6def453f7a461c5de353b06f8',
path: 'uploads/2eb3f1a6def453f7a461c5de353b06f8',
size: 57638
}
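const express = require('express');
const app = express();
const multer = require("multer");
const path = require('path');

// Parse URL-encoded bodies (as sent by HTML forms)
app.use(express.urlencoded());
// Parse JSON bodies (as sent by API clients)
app.use(express.json());

// The storage engine must exist BEFORE it is passed to multer(). The original
// created `upload` first; `var storage` was hoisted but still undefined at that
// point, so multer never received the disk storage and nothing was saved to
// ./uploads.
const storage = multer.diskStorage({
  destination: function (req, file, cb) {
    // The directory must already exist: multer does not create it when
    // `destination` is a function.
    cb(null, './uploads');
  },
  filename: function (req, file, cb) {
    // By default, multer removes file extensions so let's add them back.
    // The extension is taken from the client-supplied original name.
    cb(null, file.fieldname + '-' + Date.now() + path.extname(file.originalname));
  }
});

const upload = multer({ storage: storage });

// Accept any number of files posted under the "attachments" field and echo
// multer's metadata for them back to the client.
// NOTE(review): no fileFilter or limits are configured, so file type and size
// are not restricted here.
app.post('/', upload.array('attachments'), (req, res) => {
  try {
    res.send(req.files);
    console.log('body', req.body);
    console.log('files', req.files);
  } catch (error) {
    console.log(error);
    // res.send(<number>) is the deprecated way of sending a bare status.
    res.sendStatus(400);
  }
});

module.exports = {
  path: '/api/upload',
  handler: app
};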
Declaring var upload = multer({ storage: storage }) after having it defined with multer.diskStorage was enough to fix OP's issue.

UPLOAD FILE VULNERABILITY with multer

I am using multer to upload file in my application.
like: https://github.com/expressjs/multer/blob/master/README.md
Is a path traversal vulnerability possible? If yes, please tell us how we can prevent it.
Currently, I am using the code below. I just want to confirm: is there any file vulnerability risk? Please comment.
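// Disk storage: files are written to uploads/ as <timestamp>_<client file name>.
var storage = multer.diskStorage({
  destination: function (req, file, cb) {
    cb(null, 'uploads/');
  },
  filename: function (req, file, cb) {
    console.log(file);
    // file.originalname is chosen by the client. Do not rely on the multipart
    // parser having removed directory parts: keep only the last path component
    // (both separator styles) so the stored name cannot point outside uploads/.
    var clientName = String(file.originalname).split(/[\\/]/).pop();
    // Replace control characters and characters that are reserved in Windows
    // file names; other characters (including non-ASCII names) are kept.
    var safeName = clientName.replace(/[\x00-\x1f\x7f<>:"|?*]/g, '_');
    // The timestamp prefix also means the stored name can never be "." or "..".
    cb(null, Date.now() + '_' + safeName);
  }
});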
/**
 * multer fileFilter: accepts a file only when its MIME type appears in
 * acceptedMimeTypes (defined elsewhere).
 *
 * file.mimetype is the type declared by the client in the upload request, not
 * something derived from the file's bytes, so this check alone does not prove
 * what the file contains.
 *
 * @param {object} req - the incoming request (unused)
 * @param {object} file - multer file info; only `mimetype` is read
 * @param {Function} cb - called as cb(null, true) to accept, or
 *   cb(message, false) to reject
 * @returns {*} whatever cb returns
 */
const fileFilter = (req, file, cb) => {
  const isAccepted = acceptedMimeTypes.includes(file.mimetype);
  if (isAccepted) {
    return cb(null, true);
  }
  // Message (Japanese): "Error: files of this type cannot be uploaded.
  // Please upload only ZIP and LZH files."
  return cb("エラー:このタイプのファイルはアップロードできません。ZIP形式とLZH形式のファイルのみアップロードしてください。", false);
};
// Middleware for a single file posted under the form field "file".
var upload = multer({
  storage: storage,
  fileFilter: fileFilter,
  // Per-file size cap: 1024 * 1024 bytes (1 MiB).
  limits: { fileSize: 1024 * 1024 * 1 },
}).single('file');
If there is any risk then please suggest me a better approach with expressjs multer.
You can set the file name yourself using this code, so the stored name is not controlled by the uploader:
// Template: the stored name is fixed by the server, so nothing from the
// client's file name reaches the file system. 'Your File Name' is a
// placeholder - with a constant name every upload is written to the same
// path in ./public.
const storage = multer.diskStorage({
  destination: './public',
  filename: (req, file, cb) => {
    cb(null, 'Your File Name');
  },
});
and also you can make it dynamic using randomatic and time like this :
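// Disk storage with server-generated names: nothing from the client's file
// name is used. NOTE(review): ./public is presumably served statically -
// confirm, since stored files would then be reachable by URL.
const storage = multer.diskStorage({
  destination: './public',
  filename(req, file, cb) {
    // A timestamp alone is guessable and two uploads in the same millisecond
    // would get the same name and overwrite each other, so append random bytes
    // from the CSPRNG.
    const randomPart = require('crypto').randomBytes(16).toString('hex');
    cb(null, `${Date.now()}-${randomPart}`);
  },
});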

Resources