Pure Node.js file upload (multipart POST) without using a framework - node.js

The third-party libraries "node-formidable" and "express" come with the ability to handle multipart POST requests (e.g. with a file upload form), but I don't want to use any third-party code. How do I make the file upload process in pure JavaScript on Node.js?
There are very few resources in this regard. How can this be done? Thank you, love is.

Just to clarify because it seems some people are angry that the other answer didn't help much: There is no simple way of doing this without relying on a library doing it for you.
First, here's an answer to another question trying to clarify what happens on a POST file upload: https://stackoverflow.com/a/8660740/2071242
To summarize, to parse such an upload, you'll first need to check for a Content-Type header containing "multipart/form-data" and, if one exists, read the boundary attribute within the header.
After this, the content comes in multiple parts, each starting with the boundary string, including some additional headers and then the data itself after a blank line. The browser can select the boundary string pretty freely as long as such byte sequence doesn't exist in the uploaded data (see the spec at https://www.rfc-editor.org/rfc/rfc1867 for details). You can read in the data by registering a callback function for the request object's data event: request.on('data', callback);
For example, with boundary "QweRTy", an upload might look something like this:
POST /upload HTTP/1.1
(some standard HTTP headers)
Content-Type: multipart/form-data; boundary=QweRTy

--QweRTy
Content-Disposition: form-data; name="upload"; filename="my_file.txt"
Content-Type: text/plain

(The contents of the file)
--QweRTy--
Note how after the initial headers two dashes are added to the beginning of each boundary string and two dashes are added to the end of the last one.
Now, what makes this challenging is that you might need to read the incoming data (within the callback function mentioned above) in several chunks, and there are no guarantees that the boundary will be contained within one chunk. So you'll either need to buffer all the data (not necessarily a good idea) or implement a state machine parser that goes through the data byte by byte. This is actually exactly what the formidable library is doing.
So after having similar considerations, what I personally decided to do is to use the library. Re-implementing such a parser is pretty error-prone and in my opinion not worth the effort. But if you really want to avoid any libraries, checking the code of formidable might be a good start.

This is a bit of an old question, but still quite relevant.
I have been looking for a similar solution with no luck, so I decided to do my own, which might come in handy for some other users.
GIST: https://gist.github.com/patrikbego/6b80c6cfaf4f4e6c119560e919409bb2
Node.js itself recommends (as seen here) formidable, but I think that such basic functionality should be provided by Node.js out of the box.

I think you need to parse the form by yourself if you really don't want to use any modules. When uploading a file, the form will be in multipart/form-data format, which means your request content will be divided by a string that is generated randomly by your browser. You need to read this string at the beginning of the form, then load the data, find this string, and parse the parts one by one.
For more information about multipart/form-data you can refer to http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.2
I think the best solution is to use formidable. It handles various scenarios and works perfectly, I think.

Related

Is there anyway to sanitize SVG file in c#, any libraries anything?

From the client side we are sanitizing the SVG files while uploading, but the security team is asking for sanitization on the server side too.
I'm primarily a Python developer, but I thought I'd throw some research into the issue for ya. I used to develop for C, so I thought I should at least have a basic understanding of what's going on.
*.SVG files are structured like XML documents, and use the HTML DOM to access JavaScript and CSS functionalities. Trying to enumerate and script out every single catch for potential JavaScript-based security issues doesn't seem realistic, so personally, I'd just entirely remove all JavaScript sectors that do anything more than define simple variables, do math operations, or reference already-defined visual elements from any uploaded *.SVG files.
Since *.SVG files are based on XML and are human-readable, this could be accomplished by iterating through the file either line-by-line like a text file or element-by-element like an XML or HTML file. You'd want to go through and remove all the JavaScript scripts that don't meet the above criteria, save it & then convert it to XML and use a standard XML-sanitation library on it, and then convert that back to *.SVG. I reckon this Github library and this StackOverflow thread could be helpful in that.
I hope my response was helpful!
It is true what your security team says: client-side security is not security. It is just user convenience. Never rely on client-side checks. Anyone wanting to do bad things to your application will bypass client-side checks first thing.
Now, an SVG file can be used in an XSS attack only by leveraging the <script> tag.
Unfortunately, defusing/securing a script is a very complicated topic and prone to errors and both false positives and negatives.
So, I believe your only recourse is to remove scripts altogether. This might not be what you need.
But, if it is, then it's very simple to do. The script tag cannot be masqueraded inside the SVG, or the browser will not recognize it in the first place, making the attack moot. So a simple regex should suffice. Something like:
// Remove every <script ...>...</script> block; Singleline lets "." match newlines.
cleanSVGcode = Regex.Replace(
    userSVGcode,
    @"<script.*?script>",
    @"",
    RegexOptions.IgnoreCase | RegexOptions.Singleline
);
It is possible to sanitize out further sequences. Since, if they're written incorrectly or in an obfuscated way, javascript calls won't work, the number of these sequences is limited.
@"javascript:" => @"syntax:error:"
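Added example, not from the answer above, and written in JavaScript (Node.js) to match the page's main topic rather than in C#: a fail-closed gate that rejects uploaded SVG files carrying active content instead of trying to strip it. It goes beyond the script element and also flags event-handler attributes, script-scheme URLs (after decoding XML character references), foreignObject and entity declarations, which browsers honour when an SVG is rendered as a document or inline. The function names and the three sample SVG strings are constructed for the example.

```javascript
// Decode numeric (&#106; / &#x6A;) and the five predefined XML character references so an
// encoded "javascript:" inside an attribute value is seen in its decoded form.
function decodeXmlRefs(text) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return text.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|amp|quot|apos);/gi, (m, ref) => {
    if (ref[0] !== '#') return named[ref.toLowerCase()];
    const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Patterns meaning "this SVG can run code or carry a script URL". Fail closed: any match rejects.
const ACTIVE_CONTENT = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /[\s\/]on[a-z]+\s*=/i },
  { name: 'script-scheme URL', re: /\b(?:href|src|to|from|values)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/i },
  { name: 'foreignObject element', re: /<\s*foreignObject\b/i },
  { name: 'entity declaration', re: /<!ENTITY\b/i },
];

// Returns { ok, reasons }; reasons lists every matched pattern so rejections can be logged.
function checkSvg(svgText) {
  // NULs are dropped and tabs/newlines normalised to spaces so split-up tokens are still seen.
  const decoded = decodeXmlRefs(svgText).replace(/\0/g, '').replace(/[\t\r\n]/g, ' ');
  const reasons = ACTIVE_CONTENT.filter(p => p.re.test(decoded)).map(p => p.name);
  return { ok: reasons.length === 0, reasons };
}

// Constructed samples: a plain drawing and two files carrying active content.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg"\n\tonload="doSomething()"><rect width="1" height="1"/></svg>';
const ENCODED_URL_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;avascript:doSomething()"><text>x</text></a></svg>';
```

Treat this as a gate to log and reject, not as proof that a file is safe; for files that must be kept and cleaned, a maintained sanitizer such as DOMPurify is the better tool.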

Explicitly specifying the boundary in MIME multipart messages?

I know how to use python3's email.mime.multipart.MIMEMultipart class to create various kinds of multipart email messages.
I have a need to do "email surgery" on certain existing multipart messages by taking the body (which contains the various MIME parts) and to remove and add some new parts without changing the rest of the email's headers. In the headers, there is the following sample header:
Content-Type: multipart/mixed;
boundary="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
... where the ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ boundary is used to separate the existing message parts.
I want to use the email.mime.multipart.MIMEMultipart tools to create a new body with modified parts, and I want to use the same ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ boundary between these parts, so that I don't have to go back and change the Content-Type header that already exists among the message's original headers.
It would be ideal if I could specify the exact text of the boundary that I want to use when creating this multipart body, but in python3, it seems like the email.mime.multipart.MIMEMultipart package always creates its own, randomly generated boundary string.
In python3, is there any way to tell the email.mime.multipart.MIMEMultipart software to use a boundary string that I supply?
If not, I can work around this by taking the newly generated message body, extracting its new boundary string (which I'll call "newboundary"), and then replacing it with the original boundary (which I'll call "originalboundary"), as follows:
msgbodytext = msgbodytext.replace(newboundary, originalboundary)
But I prefer not to do this, if possible.
Any ideas about how to tell email.mime.multipart.MIMEMultipart to use a boundary string that I specify? Thank you.
I originally misread the docs, and now that I re-read them, I see that this is trivially easy.
To set my own boundary to the value of the originalboundary variable, I just have to do this:
msg = email.mime.multipart.MIMEMultipart(boundary=originalboundary)

How do you extract data associated with an image that is an attachment to a Notes RichTextItem?

I've seen things that skirt around this question, but nothing that answers it directly.
I have a RichTextItem in a document that contains an attached image. If I look at the document properties for the field, it says:
Data Type: MIME Part
Data Length: 7615 bytes
...
Content-Transfer-Encoding: binary
Content-Type: image/jpeg
then a bit of binary data. How can I extract that data in server-side javascript so that I can use it in the value of an image control? In other words, I want the data corresponding to that image to appear in the following so that it renders in the web browser:
<xp:image><xp:this.value><![CDATA[#{javascript:"data:image/jpeg;base64,<DATA HERE>
Can this be done? I've tried all sorts of things but to no avail.
Thanks,
Reid
There are several approaches you can play with.
The "cheat" way: use ....nsf/0/unid/RTItemName?OpenField in a dojo panel as its source (see here). It would open the whole RichText.
Eventually you need OpenElement instead, which can directly address an attachment.
Last but not least, since your field isn't actually RichText, but MIME, you can use the Notes MIME classes to get to the content and render it as base64. The MIME classes allow you to get the data as a stream and also provide methods to encode it, so you don't need an extra encoder class.
Hope that helps

Excel file as HTTP post method response

In my application, I use the GET method to get an Excel file back. The URL actually contains the parameters that the server needs to generate the Excel file. However, sometimes the parameters may become very long (more than 2000 characters).
I am considering using the POST method, but it does not seem that POST can return a document. Am I right?
Nope, how you request, say GET, PUT or POST, doesn't necessarily affect the server's response.
How the response is made depends on the program on the server. If you want to send a binary file after a POST request, that is totally cool.
Just take a look at sites like megaupload, rapidshare, etc. All of them will send you a file after you POST the recaptcha code.

IE MIME/content filtering

I'm looking into ways to develop an extension for IE6+ that will allow handling of custom MIME types.
As an example, I need to be able to take a document with a custom MIME type that is returned by the server, perform some processing on it, and then change the MIME type back to something that IE can natively handle, such as text/html or image/jpeg.
I am familiar with the urlmon MIME filters, but they have a huge weakness; they are only invoked for the top level document, and not for any of the additional page content such as images and the like.
The one way that I can think of that will work is to hook the HTTP/S protocol handlers using vtable/iat patches, similar to the way Google Gears works, to be able to intercept the response headers, and modify the headers and response body when a document with the specified MIME type is received.
I'm wondering if anybody else has any good ideas on how this could be accomplished in a less hacky/intrusive way.
Edit:
Just thought I'd follow up on this and mention that I went with the vtable patch into the HTTP/S protocol handlers, and it worked much better than I expected. If anybody else is looking to do something like this, I highly recommend taking a look at the HttpHandlerPatch class in Google Gears for some inspiration.
Several years ago, I wrote such extensions, BHO, IE toolbars, etc., based on a book called Shell Programming in VB6. The book I used is this one: http://oreilly.com/catalog/9781565926707/ This book tells you how to hook and trap messages coming into IE. I wrote a kind of screen scraper (post-render style not like a spider that doesn't execute the javascript first). It was based on IE5 but the extensions still work with IE6. I probably still have the VB6 source somewhere. I am not offering to upgrade it to .Net for you though.
PS. The review on that page by Haroeris Astrum is by me :)
