do not use bodyParser with express.js

2,081 views

Andrew Kelley

Sep 6, 2013, 7:25:08 PM
to nod...@googlegroups.com

in short, every post endpoint in which you use bodyParser is vulnerable to an attack which can fill up your hard drive with temp files.

tjholowaychuk

Sep 6, 2013, 11:43:02 PM
to nod...@googlegroups.com
We've already discussed adding an option for auto-removal, but no production app should go without
reaping tempfiles, regardless of a valid end-point or not. I'm not "too busy to care", it's open-source, these
are group efforts. Piping through the file is just as dangerous if the writable stream is not implemented correctly,
which is often the case with node, say hello to memory bloat. Anyways this will be addressed for people who
do not properly perform garbage collection.

tjholowaychuk

Sep 6, 2013, 11:46:24 PM
to nod...@googlegroups.com
Also as far as maintenance goes I'd be happy to try and get you added to Connect (I don't have admin rights), the additional help would be great!

Stephen Belanger

Sep 6, 2013, 11:46:54 PM
to nod...@googlegroups.com
As TJ said, this has already been brought up several times. There is ongoing discussion here;


tjholowaychuk

Sep 6, 2013, 11:52:54 PM
to nod...@googlegroups.com
I'd be down with swapping out formidable, but we'll have to do a major bump for the API change, and I'm willing to bet knox
doesn't work well with back-pressure so we may want to look into that first, exploding processes is worse than annoying tmpfiles. 

Stephen Belanger

Sep 6, 2013, 11:57:12 PM
to nod...@googlegroups.com
If this pull request is any indication (https://github.com/senchalabs/connect/pull/786), multiparty would be trivial to switch to and backward compatibility is just a matter of changing a property name of each file from "originalFilename" to "name" to match the current setup.

mscdex

Sep 7, 2013, 12:33:14 AM
to nod...@googlegroups.com
There's also busboy[1] which never saves to disk, uses streams2, uses a faster multipart parser, and allows limiting of various aspects of fields and files.

[1] https://github.com/mscdex/busboy

Ryan Graham

Sep 6, 2013, 7:38:36 PM
to nod...@googlegroups.com
FWIW, an issue was opened for this 16 days ago: https://github.com/senchalabs/connect/issues/871

~Ryan

Andrew Kelley

Sep 7, 2013, 7:40:22 AM
to nod...@googlegroups.com
busboy looks great!

TJ, apologies for my hastily chosen words about you. To be clear I very much appreciate the huge amount of effort and high quality work that you put out for the open source community.

José F. Romaniello

Sep 7, 2013, 8:49:51 AM
to nod...@googlegroups.com

This is similar to "any application using var/log is vulnerable to running out of disk space". This is why there is a logrotate(8) http://linuxcommand.org/man_pages/logrotate8.html and tmpwatch http://linux.die.net/man/8/tmpwatch

Andrew Kelley

Sep 7, 2013, 11:18:16 AM
to nod...@googlegroups.com
I updated the post mentioning tmpwatch and busboy.

José F. Romaniello

Sep 7, 2013, 11:42:51 AM
to nod...@googlegroups.com
Very good post Andrew, thanks for sharing


tjholowaychuk

Sep 7, 2013, 3:43:19 PM
to nod...@googlegroups.com

Andrew Kelley

Sep 7, 2013, 4:06:55 PM
to nod...@googlegroups.com
Great post TJ. I'll update the article accordingly.

Andrew Kelley

Sep 7, 2013, 5:45:07 PM
to nod...@googlegroups.com
Updated. Thanks for the diligent work TJ. Sorry for making this into an ordeal.

Andrew Kelley

Sep 7, 2013, 7:19:02 PM
to nod...@googlegroups.com
TJ -

Wow, I just noticed on twitter people were giving you all kinds of shit. I'm truly sorry to have caused that to happen. My initial remarks, while sincere, were flippant and disrespectful. I should have taken some time to consider how to phrase my thoughts in a way that would not cause Internet rage to be directed at you.

I know we've butted heads in the past over specific github issues or whatever, but in general I've always considered your work to be high quality and I am continually impressed by how much maintenance you manage to do.

tjholowaychuk

Sep 7, 2013, 11:35:39 PM
to nod...@googlegroups.com
Thanks man, no harm done! It just caught me a bit off guard waking up to the huge stream of tweets / emails in the morning. I'm not much of a morning person ;) haha. I think it's pretty natural for people in any technical field to disagree. I know how it is, being opinionated myself; it's pretty hard to keep your mouth shut sometimes haha, I'm still learning that