I have a form that is used to upload images to a backend written in NodeJS+Multer. The backend checks the file size and file type so the user is not allowed to upload any other files than png/jpg/gif. However, nothing stops the user from renaming a .zip (or any other type of) file to .png and uploading it to my server. This will store the file in the images location, and it might later be returned to the browser when requested.

So now my question is: is this something that I should be concerned about? Can it be used to do any damage to my server, or to users who will retrieve this fake image later on in their browsers? If so, how can I prevent this? Would I have to check somehow that the image is a valid image file? Would I have to use something like Lwip?

spirytus

1 Answer

You can check the mimetype of the file.

const multer = require('multer');

// `storage` was not shown in the original snippet; a disk store is assumed here
// as a placeholder. Point `destination` at wherever your app keeps uploads.
const storage = multer.diskStorage({ destination: 'uploads/' });

// File filter that accepts only video mimetypes. For the question's case
// (png/jpg/gif) the regex would be /^image\/\w+/ instead.
const fileFilter = (req, file, cb) => {
  // file.mimetype is the Content-Type the client declared for this part
  console.log(file.mimetype);
  if (file.mimetype.match(/^video\/\w+/)) {
    cb(null, true);   // accept the file
  } else {
    console.log('File type not allowed');
    cb(null, false);  // reject the file (no error, it is simply skipped)
  }
};

// Multer instance wired with the storage engine and the filter
const upload = multer({
  storage: storage,
  fileFilter: fileFilter
});
Syed Zain Ali
tiagofga
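A caveat a practitioner will want alongside the answer above: `file.mimetype` in a multer `fileFilter` is the `Content-Type` the client put on the multipart part, and browsers derive it from the file extension, so a `.zip` renamed to `.png` arrives as `image/png` and passes that filter. `fileFilter` also runs before the file body is read, so a content check has to happen after the multer middleware, before the file is written to the images directory. The block below is an added example (not code from the question, the answer, or multer) that sniffs the leading magic bytes of the upload and rejects anything that is not PNG/JPEG/GIF, plus one known trick: a valid image with a ZIP archive appended. It assumes multer's `memoryStorage()` so the upload is available as `file.buffer`; the `validateImageUpload`, `sniffImageType` and `hasTrailingZip` names and the sample uploads are constructed for this example.

```javascript
'use strict';
// Added example, not code from the question or the answer above.
// Decide on the *content* of an upload rather than trusting file.mimetype
// (client-declared) or the extension in file.originalname. Plain Node.js;
// the `file` shape {originalname, mimetype, buffer} matches what multer's
// memoryStorage() produces, but multer is not needed to run this.

// Magic bytes at offset 0 for the three formats the question allows.
const SIGNATURES = [
  { mime: 'image/png',  ext: 'png', bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: 'image/jpeg', ext: 'jpg', bytes: Buffer.from([0xff, 0xd8, 0xff]) },
  { mime: 'image/gif',  ext: 'gif', bytes: Buffer.from('GIF87a', 'latin1') },
  { mime: 'image/gif',  ext: 'gif', bytes: Buffer.from('GIF89a', 'latin1') },
];

// Return {mime, ext} for the signature that opens the buffer, or null.
function sniffImageType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && buf.subarray(0, sig.bytes.length).equals(sig.bytes)) {
      return { mime: sig.mime, ext: sig.ext };
    }
  }
  return null;
}

// ZIP readers locate an archive by its End Of Central Directory record
// ("PK\x05\x06"), which must lie within the last 22 + 65535 bytes of the file.
// A genuine image with a zip appended (the GIF/JAR polyglot trick) therefore
// still carries that marker near its end; refuse to store such files.
const ZIP_EOCD = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
function hasTrailingZip(buf) {
  const tail = buf.subarray(Math.max(0, buf.length - (22 + 65535)));
  return tail.indexOf(ZIP_EOCD) !== -1;
}

// Accept or reject one upload. The sniffed type, not the declared one, decides
// the extension to store under and the Content-Type to serve later; the
// declared mimetype is only required to agree with it.
function validateImageUpload(file) {
  const sniffed = sniffImageType(file.buffer);
  if (sniffed === null) {
    return { ok: false, reason: 'content is not a PNG, JPEG or GIF' };
  }
  if (hasTrailingZip(file.buffer)) {
    return { ok: false, reason: 'image carries an appended ZIP archive' };
  }
  if (file.mimetype !== sniffed.mime) {
    return { ok: false, reason: `declared ${file.mimetype} but content is ${sniffed.mime}` };
  }
  return { ok: true, mimetype: sniffed.mime, ext: sniffed.ext };
}

// Constructed sample uploads (byte fragments, not real files). Each carries
// the mimetype a browser would declare for the extension in originalname.
const SAMPLES = {
  realPng: {
    originalname: 'photo.png', mimetype: 'image/png',
    buffer: Buffer.concat([
      Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
      Buffer.from([0x00, 0x00, 0x00, 0x0d]), Buffer.from('IHDR', 'latin1'),
    ]),
  },
  renamedZip: {               // a .zip renamed to .png: local file header "PK\x03\x04"
    originalname: 'photo.png', mimetype: 'image/png',
    buffer: Buffer.concat([Buffer.from([0x50, 0x4b, 0x03, 0x04]), Buffer.alloc(64, 0)]),
  },
  gifWithZipTail: {           // valid GIF header followed by a ZIP end-of-central-directory record
    originalname: 'anim.gif', mimetype: 'image/gif',
    buffer: Buffer.concat([
      Buffer.from('GIF89a', 'latin1'), Buffer.alloc(32, 0),
      Buffer.from([0x50, 0x4b, 0x05, 0x06]), Buffer.alloc(18, 0),
    ]),
  },
  jpegDeclaredPng: {          // JPEG bytes uploaded under a .png name
    originalname: 'photo.png', mimetype: 'image/png',
    buffer: Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.alloc(16, 0)]),
  },
};

for (const [name, file] of Object.entries(SAMPLES)) {
  console.log(name, validateImageUpload(file));
}
```

Wire this in after `upload.single('image')` with `memoryStorage()`: call `validateImageUpload(req.file)`, and only on `ok` write the buffer to the images directory under a server-generated name with the returned `ext`. When serving, set `Content-Type` from the sniffed type and add `X-Content-Type-Options: nosniff` so the browser does not reinterpret the bytes. Magic-byte checks stop renamed archives and trivially declared types; they do not make a malformed image safe for whatever decoder later parses it, which is where re-encoding the upload with an image library (as the question's mention of Lwip suggests) adds further protection.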