Migrating away from bodyParser() in Express app with busboy?
Question
Being a newbie in Nodejs, I jumped right into writing a simple app without really reading up on good security practices. I just found out that using bodyParser() for all routes is actually a bad thing because it allows for DOS attack using multipart files. A recommended fix is to only load specific modules depending on the route. ie, for multipart fileupload, use multipart. For regular POST without file uploads (ie, text form submission), use express.json(), express.urlencoded().

Or another option is to use busboy with connect-busboy. But the thing I'm confused on is how I can specify which route should handle multipart data and which should not? Otherwise, wouldn't I have the same problem as with bodyParser?

Furthermore, busboy docs says it does not handle GET:

    If you find that req.busboy is not defined in your code when you expect it to be, check that the following conditions are met. If they are not, req.busboy won't be defined:
    1. The request method is not GET or HEAD

So, I'm even more confused how I would parse params in a GET. I think bodyParser does this for me so I could access data with req.params.

For example, how would I migrate away from bodyParser() to busboy/connect-busboy with this simple app:

    var express = require('express');
    var app = express();
    var http = require('http').Server(app);
    var bodyParser = require('body-parser');
    app.use(bodyParser.json());
    var busboy = require('connect-busboy');
    app.use(busboy());

    // How to use busboy to prevent multipart files here?
    app.post("/form_data_no_fileupload", function(req, res) {
        var somedata = req.body.somedata;
    });

    // Use busboy to handle both regular form data + fileuploads
    app.post("/form_data_AND_fileupload", function(req, res) {
    });

    // What would handle GET without bodyparser?
    app.get("/get_something", function(req, res) {
        var params = req.params;
    });

    http.listen(3000, function() {});
Solution

    [How] I can specify which route should handle multipart data and which should not?

All of Express' routing methods allow for providing middleware specific to the route. This includes Router methods.

    app.METHOD(path, callback [, callback ...])

Depending on the body expected for an individual route, you can use different modules to handle each of them (rather than applying them to the entire application with app.use()).

    var express = require('express');
    var app = express();
    var http = require('http').Server(app);
    var bodyParser = require('body-parser');
    var busboy = require('connect-busboy');

    app.post("/form_data_no_fileupload",
        bodyParser.urlencoded(),
        function(req, res, next) {
            // check that the request's body was as expected
            if (!req.body) return next('route'); // or next(new Error('...'));
            // ...
        });

    app.post("/form_data_AND_fileupload",
        busboy({
            limits: {
                fileSize: 10 * 1024 * 1024
            }
        }),
        function(req, res, next) {
            // check that the request's body was as expected
            if (!req.busboy) return next('route'); // or next(new Error('...'));
            // ...
        });

    // ...
    Furthermore, busboy docs says it does not handle GET. So, I'm even more confused how I would parse params in a GET.

Busboy and BodyParser are designed for reading in and parsing the request's body, which GET and HEAD requests aren't expected to have.

For such requests, parameters can only be passed within the query-string within the URL, which Express parses itself. They're available via req.query.

    app.get('/get_something', function (req, res) {
        console.log(req.originalUrl); // "/get_something?id=1"
        console.log(req.query);       // { id: "1" }
    });

req.params represents any placeholders matched in the path by the route. These are available for any route, regardless of the method.

    app.get('/thing/:id', function (req, res) {
        console.log(req.originalUrl); // "/thing/2"
        console.log(req.params);      // { id: "2" }
    });