update bodyParser post to take into account updates to express

andrewrk committed Sep 7, 2013
1 parent 3fb6bda commit a5cbf4a7815391dbcc57d6f30f8d330a67487167
Showing with 56 additions and 27 deletions.
  1. +56 −27 posts/do-not-use-bodyparser-with-express-js.html
@@ -1,5 +1,13 @@
<h1>Do Not Use bodyParser with Express.js</h1>
+Note: this post has
+<a href="">been edited</a>
+to take into account
+<a href="">TJ</a>'s
+<a href="!topic/express-js/iP2VyhkypHo">diligent work</a>
+in response to this.
I came across
<a href="">this Google+ post</a>
@@ -9,15 +17,11 @@ <h1>Do Not Use bodyParser with Express.js</h1>
enough to use for production applications.
-This reminds me of one vulnerability in particular that I've been trying to get solved
-but <a href="">the maintainer</a> of express is too busy
-to care. Rightfully so. I mean if you look at how much stuff this guy has to maintain it's
-amazing that he's able to get around to as many issues as he does.
-I just wish he'd recruit some trusted additional maintainers to keep the issue counts
-from getting out of hand.
+This reminds me of one "gotcha" in particular that you could be bitten by if
+you're not careful.
-Anyway, all servers using
+All servers using
<a href="">express.bodyParser</a>
are vulnerable to an attack which creates an unlimited number of temp files
on the server, potentially filling up all the disk space, which is likely
@@ -85,8 +89,12 @@ <h3>Always delete the temp files when you use bodyParser or multipart middleware
every multipart upload that comes its way, creating a temp file, writing it to disk,
and then deleting the temp file. Why do all that when you don't want to accept uploads?
+ <li>
+ As of express 3.4.0 (connect 2.9.0) bodyParser is deprecated.
+ It goes without saying that deprecated things should be avoided.
+ </li>
-<h3>Use a utility such as tmpwatch</h3>
+<h3>Use a utility such as tmpwatch or reap</h3>
<a href="">jfromaniello</a>
<a href="">pointed out</a>
@@ -108,37 +116,58 @@ <h3>Use a utility such as tmpwatch</h3>
of free space, an attacker would need an Internet connection with
145 KB/s upload bandwidth to crash your server.
+TJ pointed out that he also has a utility for this purpose called
+<a href="">reap</a>.
<h3>Avoid bodyParser and explicitly use the middleware that you need</h3>
If you want to parse json in your endpoint, use <code>express.json()</code> middleware.
If you want json and urlencoded endpoint, use <code>[express.json(), express.urlencoded()]</code>
for your middleware.
-If you want users to upload files to your endpoint, use <code>express.multipart()</code> and be
+If you want users to upload files to your endpoint, you could use <code>express.multipart()</code> and be
sure to clean up all the temp files that are created.
+This would still stuffer from problem #3 previously mentioned.
+<h3>Use the defer option in the multipart middleware</h3>
+When you create your multipart middleware, you can use the <code>defer</code>
+option like this:
+<code class="language-javascript">express.multipart({defer: true})</code>
+According to the documentation:
+ defers processing and exposes the multiparty form object as `req.form`.<br>
+ `next()` is called without waiting for the form's "end" event.<br>
+ This option is useful if you need to bind to the "progress" or "part" events, for example.<br>
-This still suffers from problem #3 previously mentioned.
+So if you do this you will use <a href="">multiparty's API</a> assuming that <code>req.form</code>
+is an instantiated <code>Form</code> instance.
-<h3>Consider using alternatives to formidable</h3>
+<h3>Use an upload parsing module directly</h3>
-<code>bodyParser</code> depends on <code>multipart</code>, which depends on
-<a href="">formidable</a>, which
-is hardcoded to send uploads to a temp directory.
+<code>bodyParser</code> depends on <code>multipart</code>, which behind the
+scenes uses
+<a href="">multiparty</a> to
+parse uploads.
-Consider using an alternative, such as
-<a href="">multiparty</a>.
-In addition to solving some bugs, it gives you much more flexibility over your file
-upload, most notably not creating temp files unless you want it to.
-(It also is flexible enough to for example
-<a href="">stream an upload directly to S3</a>).
-There's also a
-<a href="">drop-in replacement</a>
-for <code>express.multipart()</code> using multiparty.
+You can use this module directly to handle the request. In this case you can
+look at
+<a href="">multiparty's API</a>
+and do the right thing.
-<a href="">mscdex</a>
-<a href="">mentioned</a>
-that he created an alternative named
-<a href="">busboy</a>.
+There are also alternatives such as
+<a href="">busyboy</a>,
+<a href="">parted</a>,
+<a href="">formidable</a>.