Server side validation ? about socketio-file-upload HOT 8 CLOSED

I think this is a good question actually. I'd imagine that you could validate within the start event based on event.file, once again using standard node libraries. How to cancel or short-circuit the upload midway through though I'm not sure of since it's been a while since I've used this library, but is it not possible to call instance.emit('error', {message: 'Incorrect filetype specified'}) on the server to cancel it and send an error to the client?

@vote539 would most likely know more than me!

I think a streamlined method of doing this would be really nice though.

from socketio-file-upload.

I haven't though about the case of aborting the upload from the server side before the upload is complete. Right now there isn't a good way to abort a file upload from the "start" event, although it would not be hard to add such a feature.

Keep in mind that until the file has finished uploading, the server has no extra information about the file than the client does. The server receives the file name, file size, metadata, and so forth from the client, and until it receives the content of the file, it has no way to verify that information on its own. Client-side checks can abort the file upload before any communication to the server has taken place at al.

In particular, if you're worried about MIME types, keep in mind that in most cases, MIME types are determined from nothing more than the file extension. This is a check that can be performed on the client side instead, avoiding all communications to the back-end. From a security point of view, someone could bypass a client-side MIME type checker, but they could just as easily bypass a server-side MIME type checker by sending an arbitrary file extension.

Transmitting an error event right now unfortunately is only cosmetic and doesn't actually stop a file upload that is in progress.

@LeoCreer Am I missing something? Could you give more details on a use case where server-side checking is superior to client-side checking? Thanks!

from socketio-file-upload.

Umm Im thinking ...
Your right !!!

from socketio-file-upload.

Surely (and this depends on the file type) but if the headers are passed
in, it should be able to be parsed in some way on the server. For example I
was using SIOFU to upload MP3s, and even when it was half completed, I
could send the unfinished chunk into ffprobe and get data back. So mime
checking is of course pointless, but there are still checks you can do for
the validity of a file before it's finished uploading!

Matt

On Wednesday, 13 July 2016, LeoCreer [email protected] wrote:

Umm Im thinking ...
Your right !!!

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#42 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ADJOPP0q8ZYp0RYm8RPbx4TcQmCaK1QWks5qVRb1gaJpZM4JHhov
.

from socketio-file-upload.

No idea why my comment has line breaks around the "I"s, by the way. Weird!

from socketio-file-upload.

Great point, @MaffooBristol.

I added a public API to the server-side uploader object in my branch. It can be used as follows to abort an upload from the server side.

uploader.abort(fileInfo.id, socket);

The socket needs to be passed in because the uploader instance doesn't keep a reference to the socket. I didn't think through the implications of making the uploader save the reference.

If it looks good, I'll merge in this change along with my other changes over the weekend.

from socketio-file-upload.

Nice Job Guys LOL!!!!

from socketio-file-upload.

Closed by #45

from socketio-file-upload.