We’ll have basic file upload support (issue 55) live soon, though there’s lots of work still to do to make it really useful and user-friendly. What’s nice is that we’ll have support for batch uploads (more than one file at a time) from the start. A bit more technical detail follows, if you care.
We’re using the multer middleware for Express. It’s interesting to think about all the security issues with uploads. To begin with, ensuring basic cross-site request forgery (CSRF) token validation was a bit tricky. Because upload forms are encoded as multipart/form-data rather than as regular form data, the token that protects against forged requests hadn’t been parsed yet when the check needed it.
The common recommendation is simply to move multer before the CSRF token check. But because multer itself saves the files, that would require all kinds of shenanigans to clean up the stored files if the check fails. Indeed, I suspect that lots of Node devs who follow this recommendation (multer is being downloaded >100,000 times per week) are vulnerable to uploads via CSRF, even though their checks dutifully report token errors! (See this comment for an explanation of the approach I’m using to avoid this.)
Additional complexity comes from multer’s processing of data streams. multer has a convenient hook that lets me decide whether a file should be stored on the server or not. It can check against the MIME type reported by the client, but it doesn’t know the file’s actual contents, because the stream hasn’t finished at the time the check is performed.
Why do we need to look at the contents? Because a client might upload a malicious file disguised as an image, for example. Depending on the browser and operating system, that may create vulnerabilities for spreading malware. So to be safe, we’ll need to perform some basic inspections on the file after it has been stored, and delete it if it’s not kosher. This isn’t implemented yet, which is one of the main reasons I’ve not deployed the upload feature yet.
And there are other security concerns. Filenames are, of course, another vector for injection of HTML, for example – < and > are perfectly valid parts of a filename. We need to ensure that previously uploaded files don’t get accidentally overwritten. And we need to protect against denial of service attacks aiming to fill up the disk. The OWASP page on uploads is a great starting point to learn more about these and other security risks.