node.js-安全图像文件上传 [英] node.js - secure image file upload
问题描述
我们必须为node.js项目实现一个图像上传器.作为框架,我们使用express.js.我们按此处所述进行操作: http://howtonode.org/真正简单的文件上传
We had to implement an image uploader for a node.js project. As framework we are using express.js We did it like described here: http://howtonode.org/really-simple-file-uploads
但是我们不确定如何保护此图像上传器.到目前为止,我们所做的是:
But we are not sure how to secure this image uploader. What we did so far is:
- 检查文件大小
- 检查扩展名和标题
- 重命名文件
- 文件只能通过特殊路径访问,并且不在根文件夹中
够了吗?以下行让我们感到很不舒服:
Is this enough? We don't feel very comfortable with the following line:
// CHECKING FOR FILESIZE, EXTENSION, HEADERS
fs.readFile(req.files.displayImage.path, function (err, data) {
...
...
...
// RENAMING FILE
// SAVE FILE
...
...
...
}
以这种方式读取图像是否保存?我们担心,req.files.displayImage.path中可能存在恶意代码.我们需要添加更多的支票还是我们的支票足够?如果使用上述代码,我们可以为攻击者提供哪些攻击媒介?
Is it save to read the image this way? We are afraid, there could be malicious code in req.files.displayImage.path. Do we need to add more checks or are our checks sufficient? What attack vectors do we offer an attacker if we use the code as described?
谢谢您的建议 乔沙基
推荐答案
如果您关注在注释中张贴的在客户端打开恶意映像的信息.尝试在沙盒iframe中打开第三方脚本和不受信任的文件,这将保护您的用户.
If you are concerned for opening malicious images on client side as posted in your comments. Try opening third party scripts and untrusted files inside a sandboxed iframe this will protect your users.
这篇关于node.js-安全图像文件上传的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
