Hi guys, I'm a little new to Node.js so please go easy if this is trivial or doesn't make sense.I'm making a React/Express webapp, and at some point the user will need to upload a file to the server for some computation. This file is supposed to be private, secure, and not visible/accessible to any other user.I'm using Axios to send the file to the server, like so:Axios.post( '/submit-file', { file }).then( res => { this.handleResponse( res ); }); In my server, I use the body-parser middleware to parse the JSON:app.use(bodyParser.json()); At this point the server has access to the file and can perform the computation on it. However, if for some reason I instead return a response containing the body of the request, as so:app.post( '/submit-file', function( req, res ) { res.send( req.body ); res.end(); }): React shows the location of the file's blob on the server:{"file":{"preview":"blob:http://localhost:3000/d839502b-5343-4a3f-c993-e87a3ff20c9d"}} If anyone connecting to the same server submits the link (including "blob:") into a browsers URL bar, they can download the file the original user uploaded. That would be a problem.I know nobody should be able to get their hand on this GUID, but what if a malicious user can? How can one be sure that they can't, or protect against it if they do? Is there a way that, even with a blob's address/GUID, the uploaded file cannot be recovered by any party (even the original user) other than the server itself? Or is my method of uploading files the wrong approach for sensitive data?
Submitted August 01, 2018 at 11:19PM by SBTangerine
No comments:
Post a Comment