Migrating away from bodyParser() in Express app with busboy?
Being a newbie in Nodejs, I jumped right into writing a simple app without really reading up on good security practices. I just found out that using bodyParser() for all routes is actually a bad thing because it allows for a DOS attack using multipart files.

A recommended fix is to only load specific modules depending on the route. I.e., for multipart file upload, use multipart. For regular POST without file uploads (i.e., text form submission), use express.json(), express.urlencoded().

Or another option is to use busboy with connect-busboy. But the thing I'm confused on is how I can specify which route should handle multipart data and which should not. Otherwise, wouldn't I have the same problem as with bodyParser?

Furthermore, the busboy docs say it does not handle GET:
If you find that req.busboy is not defined in your code when you expect it to be, check that the following conditions are met. If they are not, req.busboy won't be defined:
1. The request method is not GET or HEAD
So, I'm even more confused how I would parse params in a GET. I think bodyParser does this for me so I could access data with req.params.

For example, how would I migrate away from bodyParser() to busboy/connect-busboy with this simple app:
var express = require('express');
var app = express();
var http = require('http').Server(app);
var bodyParser = require('body-parser');
app.use(bodyParser.json());
var busboy = require('connect-busboy');
app.use(busboy());

// How to use busboy to prevent multipart files here?
app.post("/form_data_no_fileupload", function(req, res) {
    var somedata = req.body.somedata;
});

// Use busboy to handle both regular form data + fileuploads
app.post("/form_data_AND_fileupload", function(req, res) {
});

// What would handle GET without bodyparser?
app.get("/get_something", function(req, res) {
    var params = req.params;
});

http.listen(3000, function() {});
[How] I can specify which route should handle multipart data and which should not?

All of Express' routing methods allow for providing middleware specific to the route. This includes Router methods.
app.METHOD(path, callback [, callback ...])
Depending on the body expected for an individual route, you can use different modules to handle each of them (rather than applying them to the entire application with app.use()).
var express = require('express');
var app = express();
var http = require('http').Server(app);
var bodyParser = require('body-parser');
var busboy = require('connect-busboy');

app.post("/form_data_no_fileupload",
    bodyParser.urlencoded(),
    function(req, res, next) {
        // check that the request's body was as expected
        if (!req.body) return next('route'); // or next(new Error('...'));

        // ...
    });

app.post("/form_data_AND_fileupload",
    busboy({
        limits: {
            fileSize: 10 * 1024 * 1024
        }
    }),
    function(req, res, next) {
        // check that the request's body was as expected
        if (!req.busboy) return next('route'); // or next(new Error('...'));

        // ...
    });

// ...
Furthermore, busboy docs says it does not handle GET. So, I'm even more confused how I would parse params in a GET.
Busboy and BodyParser are designed for reading in and parsing the request's body, which GET and HEAD requests aren't expected to have.

For such requests, parameters can only be passed within the query string of the URL, which Express parses itself. They're available via req.query.
app.get('/get_something', function (req, res) {
    console.log(req.originalUrl);
    // "/get_something?id=1"

    console.log(req.query);
    // { id: "1" }
});
req.params represents any placeholders matched in the path by the route. These are available for any route, regardless of the method.
app.get('/thing/:id', function (req, res) {
    console.log(req.originalUrl);
    // "/thing/2"

    console.log(req.params);
    // { id: "2" }
});