yahoo / express-busboy Goto Github PK

View Code? Open in Web Editor NEW

45.0 13.0 28.0 76 KB

A simple body-parser like module for express that uses connect-busboy under the hood.

License: BSD 3-Clause "New" or "Revised" License

JavaScript 100.00%

javascript expressjs active

express-busboy's Introduction

express-busboy

A simple body-parser like module for express that uses connect-busboy under the hood.

It's designed to be more of a "drop in" replacement for body-parser. With it populating req.body, there is very minimal code change needed to use it.

usage

import bb from 'express-busboy';
const app = express();

bb.extend(app);

The module will populate req.body and req.files like the body-parser module does.

configuration

bb.extend(app, {
    //options can go here
});

By default this module will create an Array when it finds multiple fields with the same name in the POST parameters. You can set restrictMultiple to true to not parse mutiple POST values into Array's

file uploads

By default file uploads are disabled, the req.files object will always be empty. You can activate them with:

bb.extend(app, {
    upload: true,
    path: '/path/to/save/files',
    allowedPath: /./
});

path will default to: os.tmpdir()/express-busboy/<uuid>/<the field name>/<filename>.

allowedPath can contain a regular expression limiting the upload function to given urls. For example /^\/upload$/ would only allow uploads in the /upload path.

You can have a function returning true/false if you prefer that:

options.allowedPath = function(url) {
    return url == '/upload';
}

You can restrict uploads to specific mimetypes as well:

options.mimeTypeLimit = [
    'text/x-markdown',
    'application/javascript',
    'image/jpeg',
    'image/png'
];

Name and filename inputs will be sanitized into an MD5 hash before determining path for the file on disk. If you want to change this behavior you can provide a strip function of your own:

// this will not sanitize the inputs
options.strip = function(value, type) {
    return value;
}

When files are not uploaded due to path or mimetype checks, no error is returned (so the other data in the request can be handled) the restricted item will simply not appear in the req.files Object.

express-busboy's People

Contributors

Stargazers

Watchers

express-busboy's Issues

Denial of Service vulnerability in dependency 'qs'

It appears that the dependency on qs 6.4.0 suffers from a security vulnerability:

[CVE-2021-44907 ] (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44907)
CVE-2021-44907

Denial Of Service (DoS): qs is vulnerable to denial of service. The vulnerability exists in merge function in qs.js due to lack of sanitization which allows an attacker to cause an application crash.

Return before async callback is triggered

Is it possible that https://github.com/yahoo/express-busboy/blob/master/index.js#L43 will return to the calling function before the callback in the previous function is fired? Perhaps it would be safer to move the return statement into the callback?

Saving to no dir

I want to know if we can make the upload happen but not to a dir in our application, since my needs are based on saving those files in a DB, so is it possible ?

No way of handling the 'error' event in busboy

Hi team,
There is no way of handling busboy's error event currently which is leading to global exceptions in express whenever a malformed body is passed

Eg:
If I pass \n instead of \r\n, an error is thrown

Valid Request:

curl -k '<path>' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary76aZhgZIDJfqZd9S' \
  -H 'Accept: application/json, text/plain, */*' \
  --data-raw $'------WebKitFormBoundary76aZhgZIDJfqZd9S\r\nContent-Disposition: form-data; name="file"; filename="img1.jpg"\r\nContent-Type: image/jpeg\r\n\r\n\r\n------WebKitFormBoundary76aZhgZIDJfqZd9S--\r\n' \
  --compressed

Invalid Request:

curl -k '<path>' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary76aZhgZIDJfqZd9S' \
  -H 'Accept: application/json, text/plain, */*' \
  --data-raw $'------WebKitFormBoundary76aZhgZIDJfqZd9S\nContent-Disposition: form-data; name="file"; filename="img1.jpg"\nContent-Type: image/jpeg\n\n\n------WebKitFormBoundary76aZhgZIDJfqZd9S--\n' \
  --compressed

Would it be possible to expose the error event in express busboy?

req.files always returning empty object

Hello i just read documentation and enabled upload files, i have this code

index.js

var express = require('express');
var bb = require('express-busboy');
var app = express();

bb.extend(app,{
	upload: true,
        path: '/uploads',
        allowedPath: /^\/uploads$/
});

app.post('/sendmail.html',require('./routes').sendmail)

routes.js

exports.sendmail = (req,res) => {
    console.log(req.files) // <-- always is {}
}

index.html

<form id="cform" name="cform" method="post" action="/sendmail.html" enctype="multipart/form-data">
    <input type="file" name="upload" />
</form>

any fix for this?

Don't replace the original `body` of the request

I have a situation where I need to verify a webhook signature, which requires the original unparsed JSON body. Re-serializing the JSON isn't the best approach, as my JS engine may order the keys differently, or little things like whitespace might change, which would cause the signature validation to fail.

I am going to open a PR to fill this need. I considered the best way to achieve this for a while, including adding an extra option, but I feel it is probably best (and harmless) to pre-assign the req.body to a req.rawBody and call it a day.

Thoughts?

PR: #36

In-place replacement for bodyParser?

I have a working app, and adding this and removing bodyParser makes it stop working.

Original:

const bodyParser = require('body-parser');
const express = require('express');
...
const app = express();
app.use(bodyParser.json());

Everything works as expected before the file upload... But if I remove body-parser, and just have:

const expressBusboy = require('express-busboy');
...
const app = express();
expressBusboy.extend(app, { upload: true });

then the rest of the app stop working, only the file upload works. But if I use both, then everything works as expected.

const app = express();
app.use(bodyParser.json());
expressBusboy.extend(app, { upload: true });

Am I misunderstanding the documentation?

[email protected], [email protected], and [email protected]

Thanks,

TS2339: Property files does not exist on type

TypeScript project.
Installed npm i @types/express-busboy --save-dev.

My router method:

router.post("uploads", async (req, res) => {
    console.log(req.files);
}

Got compilation error on the console.log line:

error TS2339: Property 'files' does not exist on type 'Request<{ runId: string; } & { requestId: string; }, any, any, ParsedQs, Record<string, any>>'.

I understand that bb.extend(app... does nothing with the type info, thus we get the compilation error.
But since there's d.ts support for this package, how developers supposed to be accessing req.files w/o falling back to pure JavaScript way of thinking?

If it matters, I have "noImplicitAny": true compiler option set in tsconfig.json, so it's restricted to cast req to any.

Security contact

Hi, do you have contact details for security issues that are relevant to this repository?

Setting to delete files after successful upload

So after the file (or image) has been uploaded to the server and the server has done whatever it needs to do with it (e.g. save to database or store in AWS, etc), the NodeJS server should delete the files from the tmp directory (or wherever they were saved)

request.files are not fully loaded when busboy trigger the finish event

Hello guys,

Maybe it is by design, maybe not... In all case here is my feedback !

I was tracking a "bug" from my entire day until i find it in express-busboy...

When i upload a file on my server, i need to process it to convert some data (etc...) before store it in database. But some times when i parse the file i just got nothing !

So just take a look about (run) that

'use strict';
/*
 * Copyright (c) 2014, Yahoo Inc. All rights reserved.
 * Copyrights licensed under the New BSD License.
 * See the accompanying LICENSE file for terms.
 */

const busboy = require('connect-busboy');
const key = '@express-busboy';
const path = require('path');
const uuid = require('uuid');
const fs = require('fs');
const mkdirp = require('mkdirp');
const qs = require('qs');
const os = require('os');
const jsonBody = require('body/json');

const fixDups = (item) => {
    Object.keys(item).forEach((field) => {
        if (Array.isArray(item[field])) {
            item[`__${field}__`] = item[field];
            item[field] = item[field][0];
        }
    });
    return item;
};

var convertParams = (item, name, data) => {
    if (Array.isArray(item[name])) {
        item[name].push(data);
    } else if (item[name]) {
        item[name] = [item[name], data];
    } else {
        item[name] = data;
    }
};

exports.extend = function(app, options) {
    if (app[key]) { return app; }
    Object.defineProperty(app, key, { value: exports });
    options = options || {};
    options.immediate = false; //Remove if the user sets it
    options.path = options.path || path.join(os.tmpdir(), 'express-busboy');
    const restrictMultiple = options.restrictMultiple;
    const mimeTypeLimit = options.mimeTypeLimit ? !Array.isArray(options.mimeTypeLimit) ? [options.mimeTypeLimit] : options.mimeTypeLimit : null;
    delete options.restrictMultiple;
    delete options.mimeTypeLimit;
    
    app.use(busboy(options));

    app.use((req, res, next) => {
        var allowUpload = true;
        
        req.body = req.body || {};
        req.files = req.files || {};

        if (req.is('json') && req.readable) {
            jsonBody(req, res, options, (err, body) => {
                req.body = body || {};
                next();
            });
            return;
        }
        
        if (!req.busboy) { //Nothing to parse..
            return next();
        }

        if (options.allowedPath) {
            allowUpload = false;
            /*istanbul ignore else - else case is the default case*/
            if (options.allowedPath === req.url) {
                allowUpload = true;
            } else if (typeof options.allowedPath === 'function') {
                allowUpload = !!options.allowedPath(req.url);
            } else if (typeof options.allowedPath.test === 'function') {
                allowUpload = !!options.allowedPath.test(req.url);
            }
        }

	// [TV] Debug variable to see what happen
	var fileIsWrite = false
        if (options.upload && allowUpload) {
            req.busboy.on('file', (name, file, filename, encoding, mimetype) => {
                const fileUuid = uuid.v4();
                const out = path.join(options.path, '/', fileUuid, '/', name, filename);
                
                if (mimeTypeLimit && !mimeTypeLimit.some(type => { return type === mimetype; })) {
                    return file.resume();
                }

                /*istanbul ignore next*/
                if (!filename || filename === '') {
                    return file.on('data', () => { });
                }


                mkdirp.sync(path.dirname(out));
                const writer = fs.createWriteStream(out);
		
		// [TV] LOOK AT HERE
		writer.on('finish', () => {

                    console.log('writer finish')
                    fileIsWrite = true

                })
				
                file.pipe(writer);
                const data = {
                    uuid: fileUuid,
                    field: name,
                    file: out,
                    filename: filename,
                    encoding: encoding,
                    mimetype: mimetype,
                    truncated: false
                };

                // Indicate whether the file was truncated
                /*istanbul ignore next*/
                file.on('limit', () => {
                    data.truncated = true;
                });
                
                convertParams(req.files, name, data);
            });
        }
		
        req.busboy.on('field', (name, data) => {
            convertParams(req.body, name, data);
        });
		
        req.busboy.on('finish', () => {
            req.body = qs.parse(qs.stringify(req.body));
            if (restrictMultiple) {
                [req.body, req.files].forEach(fixDups);
            }
	
            // [TV] Here the problem	
            if( ! fileIsWrite ) {
                console.error('BOOM for next file usage...')
            }
            next();
        });
        req.pipe(req.busboy);
    });

    return app;
};

So the question is:
Need i to check for existing file under 'next()' due to inconsistency of files returned by express-busboy or could/should you fix this ???

I hope this help,
best regards.

Tristan

Clarification of `path`

Please update documentation regarding the path option.

Documentation says:

path will default to: os.tmpdir()/express-busboy/<uuid>/<the field name>/<filename>.

but it's actually os.tmpdir()/express-busboy, because when defining a custom path, it still creates the file as <uuid>/<the field name>/<filename>.

Thanks,

How to validate limits?

How can i return an error message when filesize is exceded?

bb.extend(app,{
limits: { files: 1, fileSize: 500000 }
})

When POST filename="", it doesn't work as expected

Usually, when you create a plain HTML form as

<form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="image">
  <input type="submit" class="submit" value="submit" name="">
</form>

After clicking the submit button without assigning a file, a HTTP request with empty filename will be sent.

Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream

So, I think you should do some empty filename check in the file event callback.
https://github.com/yahoo/express-busboy/blob/master/index.js#L40-L56

Temporary Files

Do this delete temporary files uploaded or still suffer from http://andrewkelley.me/post/do-not-use-bodyparser-with-express-js.html ?