1

I have a form in which someone could upload a file, and then undo if they don't want it anymore. I want to send a request to the server to delete the file, but I'm afraid the user might send ../../lorem/ipsum/. I have a csrf token in the header and a session.id as a cookie, but how would I use them? I have to use DELETE as the request method.

revert = function(req, res) {

fs.unlink(`/home/node/` + req.body.file, (err) => {
  if (err) throw err;
  console.log('file was deleted');
});
  res.send('done');
};

app.delete('/revert', revert);
yaserso
  • 2,638
  • 5
  • 41
  • 73

1 Answers1

1

You should generate an ID for each uploaded file and keep that in a map or database of some sort. You return the ID to the user as part of the success upload response. Only users knowing the ID can undo the upload (eg: using a link you provide or building it themselves)

Mihai
  • 9,526
  • 2
  • 18
  • 40