express-fileupload
Simple express file upload middleware that wraps around Busboy
The express-fileupload npm package is a middleware for handling file uploads in Express applications. It simplifies the process of uploading files to a server by providing an easy-to-use interface and various configuration options.
Basic File Upload
This feature allows for basic file uploads. The code sets up an Express server with the express-fileupload middleware, and defines a POST route to handle file uploads. Uploaded files are moved to a specified directory on the server.
```js
const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

app.use(fileUpload());

app.post('/upload', (req, res) => {
  if (!req.files || Object.keys(req.files).length === 0) {
    return res.status(400).send('No files were uploaded.');
  }

  let sampleFile = req.files.sampleFile;

  sampleFile.mv('/somewhere/on/your/server/filename.jpg', function(err) {
    if (err)
      return res.status(500).send(err);

    res.send('File uploaded!');
  });
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});
```
File Size Limit
This feature allows setting a file size limit for uploads. The code configures the express-fileupload middleware to limit the file size to 50MB.
```js
const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

app.use(fileUpload({
  limits: { fileSize: 50 * 1024 * 1024 }, // 50MB
}));

app.post('/upload', (req, res) => {
  if (!req.files || Object.keys(req.files).length === 0) {
    return res.status(400).send('No files were uploaded.');
  }

  let sampleFile = req.files.sampleFile;

  sampleFile.mv('/somewhere/on/your/server/filename.jpg', function(err) {
    if (err)
      return res.status(500).send(err);

    res.send('File uploaded!');
  });
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});
```
Using Temp Files
This feature allows the use of temporary files during the upload process. The code configures the express-fileupload middleware to use temporary files and specifies a directory for these temp files.
```js
const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

app.use(fileUpload({
  useTempFiles: true,
  tempFileDir: '/tmp/'
}));

app.post('/upload', (req, res) => {
  if (!req.files || Object.keys(req.files).length === 0) {
    return res.status(400).send('No files were uploaded.');
  }

  let sampleFile = req.files.sampleFile;

  sampleFile.mv('/somewhere/on/your/server/filename.jpg', function(err) {
    if (err)
      return res.status(500).send(err);

    res.send('File uploaded!');
  });
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});
```
Multer is a Node.js middleware for handling multipart/form-data, which is primarily used for uploading files. It is highly configurable and allows for fine-grained control over file storage and handling. Compared to express-fileupload, Multer offers more flexibility and control over file handling, but it may require more setup and configuration.
Formidable is a Node.js module for parsing form data, especially file uploads. It is a low-level library that provides a lot of control over file uploads and form parsing. Compared to express-fileupload, Formidable is more complex and offers more detailed control over the file upload process, but it may be more difficult to use for simple use cases.
Busboy is a Node.js module for parsing incoming HTML form data. It is a low-level library that provides a stream-based interface for handling file uploads. Compared to express-fileupload, Busboy offers more control and efficiency for handling large file uploads, but it requires more setup and understanding of streams in Node.js.
Simple express middleware for uploading files.
This package is still very much supported and maintained. But the more help the better. If you're interested in any of the following:
...please contact richardgirges '-at-' gmail.com
```bash
# With NPM
npm i express-fileupload

# With Yarn
yarn add express-fileupload
```
When you upload a file, the file will be accessible from `req.files`.

Example: with the form field `<input name="foo" type="file" />`, the uploaded file is available as `req.files.foo`:

```js
app.post('/upload', function(req, res) {
  console.log(req.files.foo); // the uploaded file object
});
```
The `req.files.foo` object will contain the following:

- `req.files.foo.name`: "car.jpg"
- `req.files.foo.mv`: A function to move the file elsewhere on your server. Can take a callback or return a promise.
- `req.files.foo.mimetype`: The mimetype of your file
- `req.files.foo.data`: A buffer representation of your file, returns empty buffer in case useTempFiles option was set to true.
- `req.files.foo.tempFilePath`: A path to the temporary file in case useTempFiles option was set to true.
- `req.files.foo.truncated`: A boolean that represents if the file is over the size limit
- `req.files.foo.size`: Uploaded size in bytes
- `req.files.foo.md5`: MD5 checksum of the uploaded file

Notes about breaking changes with MD5 handling:

- `md5` is an MD5 checksum of the uploaded file.
- `md5` is a function to compute an MD5 hash (Read about it here.).
- `md5` is reverted back to MD5 checksum value and also added full MD5 support in case you are using temporary files.
- `md5` still holds the checksum value, but the checksum is generated with the provided `hashAlgorithm` option. The property name remains `md5` for backwards compatibility.

Pass in Busboy options directly to the express-fileupload middleware. Check out the Busboy documentation here.
```js
app.use(fileUpload({
  limits: { fileSize: 50 * 1024 * 1024 },
}));
```
Use temp files instead of memory for managing the upload process.
```js
// Note that this option is available for versions 1.0.0 and newer.
app.use(fileUpload({
  useTempFiles : true,
  tempFileDir : '/tmp/'
}));
```
You can set the `debug` option to `true` to see some logging about the upload process. In this case the middleware uses `console.log` and adds the `Express-file-upload` prefix to its output. You can pass a custom logger that has a `.log()` method in the `logger` option.

It will show you whether the request is invalid and also common events triggered during upload. That can be really useful for troubleshooting and we recommend attaching debug output to each issue on GitHub.
Output example:
```
Express-file-upload: Temporary file path is /node/express-fileupload/test/temp/tmp-16-1570084843942
Express-file-upload: New upload started testFile->car.png, bytes:0
Express-file-upload: Uploading testFile->car.png, bytes:21232...
Express-file-upload: Uploading testFile->car.png, bytes:86768...
Express-file-upload: Upload timeout testFile->car.png, bytes:86768
Express-file-upload: Cleaning up temporary file /node/express-fileupload/test/temp/tmp-16-1570084843942...
```
Description:

- `Temporary file path is...` says that `useTempFiles` was set to true and also shows you the temp file name and path.
- `New upload started testFile->car.png` says that a new upload started with field `testFile` and file name `car.png`.
- `Uploading testFile->car.png, bytes:21232...` shows current progress for each new data chunk.
- `Upload timeout` means that no data came during `uploadTimeout`.
- `Cleaning up temporary file`: here we finally see the temporary file being cleaned up because the upload timeout was reached.

Pass in non-Busboy options directly to the middleware. These are express-fileupload specific options.
| Option | Acceptable Values | Details |
|---|---|---|
| createParentPath | | Automatically creates the directory path specified in `.mv(filePathName)` |
| uriDecodeFileNames | | Applies URI decoding to file names if set to true. |
| safeFileNames | | Strips characters from the upload's filename. You can use a custom regex to determine what to strip. If set to `true`, non-alphanumeric characters except dashes and underscores will be stripped. This option is off by default. Example #1 (strip slashes from file names): `app.use(fileUpload({ safeFileNames: /\\/g }))` Example #2: `app.use(fileUpload({ safeFileNames: true }))` |
| preserveExtension | | Preserves the filename extension when using the `safeFileNames` option. If set to `true`, will default to an extension length of 3. If set to a `Number`, this will be the max allowable extension length. If an extension is smaller than the extension length, it remains untouched. If the extension is longer, it is shifted. Example #1 (true): `app.use(fileUpload({ safeFileNames: true, preserveExtension: true }));` myFileName.ext --> myFileName.ext Example #2 (max extension length 2, extension shifted): `app.use(fileUpload({ safeFileNames: true, preserveExtension: 2 }));` myFileName.ext --> myFileNamee.xt |
| abortOnLimit | | Returns an HTTP 413 when the file is bigger than the size limit if true. Otherwise, it will add a `truncated = true` to the resulting file structure. |
| responseOnLimit | | Response which will be sent to the client if the file size limit is exceeded when `abortOnLimit` is set to true. |
| limitHandler | | User-defined limit handler which will be invoked if the file is bigger than the configured limits. |
| useTempFiles | | By default this module uploads files into RAM. Setting this option to True turns on using temporary files instead of utilising RAM. This avoids memory overflow issues when uploading large files or when uploading lots of files at the same time. |
| tempFileDir | | Path to store temporary files. Used along with the `useTempFiles` option. By default this module uses the 'tmp' folder in the current working directory. You can use a trailing slash, but it is not necessary. |
| parseNested | | By default, `req.body` and `req.files` are flattened like this: `{'name': 'John', 'hobbies[0]': 'Cinema', 'hobbies[1]': 'Bike'}` When this option is enabled they are parsed in order to be nested like this: `{'name': 'John', 'hobbies': ['Cinema', 'Bike']}` |
| debug | | Turn on/off upload process logging. Can be useful for troubleshooting. |
| logger | | Customizable logger to write debug messages to. Console is default. |
| uploadTimeout | | This defines how long to wait for data before aborting. Set to 0 if you want to turn off timeout checks. |
| hashAlgorithm | | Allows the usage of alternative hashing algorithms for file integrity checks. This option must be an algorithm that is supported on the running system's installed OpenSSL version. On recent releases of OpenSSL, `openssl list -digest-algorithms` will display the available digest algorithms. |
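
The file object and options documented above leave several checks to the application: `truncated` is only a flag unless `abortOnLimit` is set, and `name` and `mimetype` are values sent by the client. The following is an added example, not code from the express-fileupload project, that vets one `req.files` entry before `.mv()` is called; `planUpload`, `uploadDir` and the PNG/JPEG allow-list are assumptions made for the illustration.

```javascript
const path = require('path');
const crypto = require('crypto');

// Assumption: the service accepts only PNG and JPEG images.
const ALLOWED = [
  { ext: '.png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47]) },
  { ext: '.jpg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
];

// planUpload and uploadDir are hypothetical names; `file` is one entry of
// req.files as described above (name, mimetype, truncated, data, mv).
function planUpload(file, uploadDir) {
  // Covers a missing field and, with useTempFiles, the empty data buffer
  // (in that mode the bytes would have to be read from tempFilePath).
  if (!file || !Buffer.isBuffer(file.data) || file.data.length === 0) {
    return { ok: false, status: 400, reason: 'no file content to inspect' };
  }
  // Without abortOnLimit an oversize upload is only flagged, not rejected.
  if (file.truncated) {
    return { ok: false, status: 413, reason: 'file exceeds the size limit' };
  }
  // name and mimetype are sent by the client, so classify by content.
  const type = ALLOWED.find(
    (t) => file.data.subarray(0, t.magic.length).equals(t.magic)
  );
  if (!type) {
    return { ok: false, status: 415, reason: 'content is not PNG or JPEG' };
  }
  // Server-generated name: the client's file name never reaches the disk.
  const id = crypto.randomBytes(16).toString('hex');
  return { ok: true, dest: path.join(uploadDir, id + type.ext) };
}

// Constructed sample: PNG signature with a path-like client file name.
const sample = {
  name: '../../avatar.png',
  mimetype: 'image/png',
  truncated: false,
  data: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
};
console.log(planUpload(sample, '/srv/uploads'));
// In a route: const plan = planUpload(req.files.sampleFile, dir);
// then plan.ok ? file.mv(plan.dest) : res.status(plan.status).send(plan.reason)
```
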
Looking for additional maintainers. Please contact richardgirges [ at ] gmail.com if you're interested. Pull Requests are welcome!
Brian White for his stellar work on the Busboy Package and the connect-busboy Package
FAQs
Simple express file upload middleware that wraps around Busboy
We found that express-fileupload demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.