Home/ Questions/Q 8220539
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T13:33:13+00:00

I’m working on handling file uploads using express.js and node, and have the basic

  • 0

I’m working on handling file uploads using express.js and node, and have the basic functionality working. What I need is to implement some security measures — namely, to limit uploads to certain formats (PNG, JPEG). Is there an easy way to only allow certain formats? Would it go in the body-parser? 

app.use(express.bodyParser({
    uploadDir: __dirname + '/public/uploads',
    keepExtensions: true   }));

app.use(express.limit('4mb'));

Are there any other security measures that I should take into account? Is it generally a good idea to wipe EXIF data from the image?

Thanks,

Ben

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    According to the documentation for connect’s bodyParser, any options are also passed to formidable, which does the actual form parsing.

    According to formidable docs, you can pass your own onPart handler:

    incomingForm.onPart(part)

    You may overwrite this method if you are interested in directly accessing the multipart stream. Doing so will disable any ‘field’ / ‘file’ events processing which would occur otherwise, making you fully responsible for handling the processing.

    incomingForm.onPart = function(part) {
  part.addListener('data', function() {
    // ...
  });
}

    If you want to use formidable to only handle certain parts for you, you can do so:

    incomingForm.onPart = function(part) {
  if (!part.filename) {
    // let formidable handle all non-file parts
    incomingForm.handlePart(part);
  }
}

    Taken together, you should be able to do something like this:

    function onPart(part) {
    if(!part.filename || part.filename.match(/\.(jpg|jpeg|png)$/i)) {
        this.handlePart(part);
    }
}

app.use(express.bodyParser({onPart: onPart});

    Warning: I haven’t tested any of this.

    • 0