Analysis of security problems with Node.js Multer

Source: Internet
Author: User
Tags: file upload, getdate


Yesterday, when I went back to the blog, I found several strange .asp and .php files in the upload directory. I did not upload them; most likely they were put on the server through a vulnerability. What harm can such files do? A brief explanation follows.

Suppose someone uses a vulnerability to upload evil.php, a script whose function is to delete every file under the site, to http://abc.com/upload/ and then requests http://abc.com/upload/evil.php. Then:

If the site does not execute PHP scripts, there is no harm;
If the site does execute PHP scripts, all of its files will be deleted.
Two conditions are needed here: first, requesting the file must trigger script execution, and second, the server must support executing that type of script. This blog meets neither condition (explained in detail later), so no damage was done. Even so, the hole still has to be fixed; otherwise the endless stream of uploaded files will fill up the disk sooner or later.

This blog is built on the Express framework; uploads are implemented with the Multer middleware and are meant only for the file-upload function of the admin backend. Because the backend pages and their API have permission authentication, that path should be impossible to bypass. The problem was finally found in the way Multer is called, and the blame lies with a misleading example in the official documentation:

var express = require('express');
var multer = require('multer');
var app = express();

// Example from the official documentation (pre-1.0 Multer API)
app.use(multer({
  dest: './uploads/',
  rename: function (fieldname, filename) {
    return filename.replace(/\W+/g, '-').toLowerCase() + Date.now();
  }
}));

// The call in this blog's program
app.use(multer({
  dest: './public/upload/',
  rename: function () {
    var now = new Date();
    // Rename to year + month + day + hour + minute + second + 5-digit random number
    return now.getFullYear() +
      ('0' + (now.getMonth() + 1)).slice(-2) +
      ('0' + now.getDate()).slice(-2) +
      ('0' + now.getHours()).slice(-2) +
      ('0' + now.getMinutes()).slice(-2) +
      ('0' + now.getSeconds()).slice(-2) +
      parseInt(10000 + Math.random() * 90000);
  }
}));

The first snippet above is the example from the official documentation; the second is the call in my blog program. Both pass Multer to app.use() without a mount path, so every HTTP request (including requests for non-existent pages that end in a 404) passes through the Multer middleware. Whenever a request carries a multipart file, Multer saves that file to the specified directory (dest), with no authentication at all.

The secure usage is to invoke the Multer middleware only on the specific path that needs it, and to put a permission check in front of it:

// Permission check
function addPermissionChecking(handler) {
  return function (req, res, next) {
    // Suppose the user information is stored in req.currentUser
    if (req.currentUser) {
      handler.apply(this, arguments);
    } else {
      next('Insufficient authority');
    }
  };
}

app.use(
  '/upload',
  addPermissionChecking(
    multer({
      dest: './public/upload/',
      rename: function () {
        var now = new Date();
        // Rename to year + month + day + hour + minute + second + 5-digit random number
        return now.getFullYear() +
          ('0' + (now.getMonth() + 1)).slice(-2) +
          ('0' + now.getDate()).slice(-2) +
          ('0' + now.getHours()).slice(-2) +
          ('0' + now.getMinutes()).slice(-2) +
          ('0' + now.getSeconds()).slice(-2) +
          parseInt(10000 + Math.random() * 90000);
      }
    })
  )
);
This solves the problem. Finally, here is why this blog was not harmed by the script files:

The uploaded file is renamed, and the new name contains a random number, so even an attacker who uploaded a script could not know its file name, and therefore could not know the path to request it. (Note that a timestamp plus a five-digit random number gives only 90,000 candidate names per second; an attacker who can estimate the upload time can enumerate them over HTTP, so the rename is a mitigation, not a real control.)
Express does not interpret ASP or PHP at all, so even a correctly guessed evil.php would at most be served back as a plain static file rather than executed.
