
Migrating away from bodyParser() in Express app with busboy?

Being a newbie in Nodejs, I jumped right into writing a simple app without really reading up on good security practices. I just found out that using bodyParser() for all routes is actually a bad thing because it allows for a DoS attack using multipart files.

A recommended fix is to only load specific modules depending on the route, i.e., for multipart file upload, use multipart. For regular POST without file uploads (i.e., text form submission), use express.json(), express.urlencoded().

Or another option is to use busboy with connect-busboy. But the thing I'm confused on is how I can specify which route should handle multipart data and which should not? Otherwise, wouldn't I have the same problem as with bodyParser?

Furthermore, the busboy docs say it does not handle GET:

If you find that req.busboy is not defined in your code when you expect it to be, check that the following conditions are met. If they are not, req.busboy won't be defined:
  1. The request method is not GET or HEAD

So, I'm even more confused how I would parse params in a GET. I think bodyParser does this for me so I could access data with req.params.

For example, how would I migrate away from bodyParser() to busboy/connect-busboy with this simple app:

var express = require('express');
var app = express();
var http = require('http').Server(app);

var bodyParser = require('body-parser');
app.use(bodyParser.json());

var busboy = require('connect-busboy');
app.use(busboy());

// How to use busboy to prevent multipart files here?
app.post("/form_data_no_fileupload", function(req, res) {
    var somedata = req.body.somedata;
    res.send(somedata);
});

// Use busboy to handle both regular form data + fileuploads
app.post("/form_data_AND_fileupload", function(req, res) {
    res.end();
});

// What would handle GET without bodyparser?
app.get("/get_something", function(req, res) {
    var params = req.params;
    res.json(params);
});

http.listen(3000, function() {});

[How] I can specify which route should handle multipart data and which should not?

All of Express' routing methods allow for providing middleware specific to the route. This includes Router methods.

app.METHOD(path, callback [, callback ...])

Depending on the body expected for an individual route, you can use different modules to handle each of them (rather than applying them to the entire application with app.use()).

var express = require('express');
var app = express();
var http = require('http').Server(app);

var bodyParser = require('body-parser');
var busboy = require('connect-busboy');

// Only this route pays for url-encoded parsing; a multipart body sent here is
// not parsed at all (body-parser leaves req.body as {} when the Content-Type
// does not match, so the type is checked explicitly as well).
app.post("/form_data_no_fileupload",
    bodyParser.urlencoded({ extended: false }),
    function(req, res, next) {
        // check that the request's body was as expected
        if (!req.body || !req.is('application/x-www-form-urlencoded')) return next('route'); // or next(new Error('...'));

        // ...
        res.send(req.body.somedata);
    });

// Only this route accepts multipart bodies, and every file is capped at 10 MiB.
app.post("/form_data_AND_fileupload",
    busboy({
        limits: {
            fileSize: 10 * 1024 * 1024
        }
    }),
    function(req, res, next) {
        // check that the request's body was as expected
        if (!req.busboy) return next('route'); // or next(new Error('...'));

        // attach req.busboy.on('file', ...) / req.busboy.on('field', ...) handlers,
        // then stream the request body into the parser:
        req.pipe(req.busboy);
        // ...
    });

// ...

// ...

Furthermore, the busboy docs say it does not handle GET.

So, I'm even more confused how I would parse params in a GET.

Busboy and BodyParser are designed for reading in and parsing the request's body, which GET and HEAD requests aren't expected to have.

For such requests, parameters can only be passed within the query-string of the URL, which Express parses itself. They're available via req.query.

app.get('/get_something', function (req, res) {
    console.log(req.originalUrl);
    // "/get_something?id=1"

    console.log(req.query);
    // { id: "1" }

    res.json(req.query);
});

req.params represents any placeholders matched in the path by the route. These are available for any route, regardless of the method.

app.get('/thing/:id', function (req, res) {
    console.log(req.originalUrl);
    // "/thing/2"

    console.log(req.params);
    // { id: "2" }

    res.json(req.params);
});

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

 