yaserso

Reputation: 2868

How to secure DELETE request in node express to prevent injection?

I have a form in which someone could upload a file, and then undo if they don't want it anymore. I want to send a request to the server to delete the file, but I'm afraid the user might send ../../lorem/ipsum/. I have a CSRF token in the header and a session.id as a cookie, but how would I use them? I have to use DELETE as the request method.

const fs = require('fs');
const express = require('express');

const app = express();
app.use(express.json()); // needed so req.body.file is populated

const revert = function(req, res) {
  // the user-controlled value is concatenated straight into the filesystem path
  fs.unlink(`/home/node/` + req.body.file, (err) => {
    if (err) throw err;
    console.log('file was deleted');
  });
  res.send('done');
};

app.delete('/revert', revert);

Upvotes: 1

Views: 273

Answers (1)

Mihai

Reputation: 10737

You should generate an ID for each uploaded file and keep that in a map or database of some sort. You return the ID to the user as part of the success upload response. Only users knowing the ID can undo the upload (e.g. using a link you provide or building it themselves).

Upvotes: 1
