The latest articles on DEV Community by Ionx Solutions (@ionx). https://dev.to/ionx https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1275308%2Ff463ad98-3d70-4597-8432-bda6aeb7c0e4.png https://dev.to/ionx en Ionx Solutions Mon, 12 May 2025 13:48:14 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-multer-edition-2olo https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-multer-edition-2olo <p>A variation on our earlier post 'How to Handle File Uploads with Node.js and Express' (which used express-fileupload). This time, we'll use Multer, a powerful middleware for handling file uploads with Node.js and Express.</p> <blockquote> <p><strong>NOTE</strong>: In order to follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://nodejs.org/" rel="noopener noreferrer">Node.js</a> installed on your machine</li> <li>Basic knowledge of JavaScript and <a href="https://expressjs.com/" rel="noopener noreferrer">Express</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Why Choose Multer? </h2> <p>In our <a href="https://blog.ionxsolutions.com/p/file-uploads-with-nodejs-express" rel="noopener noreferrer">previous guide</a>, we showed how easy it is to handle file uploads using <a href="https://github.com/richardgirges/express-fileupload" rel="noopener noreferrer">express-fileupload</a>. <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a> brings additional flexibility and control:</p> <ul> <li> <strong>Disk &amp; Memory Storage Engines</strong>: Choose between saving files directly to disk or keeping them in memory for immediate processing. Third parties even offer pluggable engines for cloud storage.</li> <li> <strong>File Filtering</strong>: Accept or reject files based on MIME type or custom criteria.</li> <li> <strong>Limits &amp; Validation</strong>: Set size limits, file count limits, and other constraints to protect your server.</li> <li> <strong>Streaming Support</strong>: Process large uploads efficiently without consuming excessive RAM.</li> </ul> <p>With these features, Multer is ideal for both simple and advanced upload workflows.</p> <h2> Project Scaffold/Setup </h2> <p>The first step is to create and initialize a new Express project.</p> <ul> <li>Open a terminal or command prompt, navigate to the directory where you want to store the project, and run the following commands: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx express-generator <span class="nt">--view</span><span class="o">=</span>pug myapp <span class="nb">cd </span>myapp npm <span class="nb">install</span> </code></pre> </div> <ul> <li>The generated app should have the following directory structure: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── app.js ├── package.json ├── bin │ └── www ├── package.json ├── public │ ├── images │ ├── javascripts │ └── stylesheets │ └── style.css ├── routes │ ├── index.js │ └── users.js ├── views │ ├── error.pug │ └── index.pug │ └── layout.pug </code></pre> </div> <ul> <li>Before we move on, make sure you are able to run the app and view it in a browser</li> </ul> <p>On MacOS, Linux or Git Bash on Windows, run the app with this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> npm start </code></pre> </div> <p>Or use this command for Windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">set </span><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> &amp; npm start </code></pre> </div> <p>Or this command for Windows Powershell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">DEBUG</span><span class="o">=</span><span class="s1">'myapp:*'</span><span class="p">;</span><span class="w"> </span><span class="n">npm</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span></code></pre> </div> <p>Then navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> in your browser to access the app - you should see a page that looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" alt="Express web app running in a browser" width="627" height="371"></a></p> <ul> <li><p>Go ahead and stop the server by hitting <code>CTRL-C</code> at the command prompt</p></li> <li> <p>Next we’re going to add a few NPM packages:</p> <ul> <li>We'll add a package to deal with file uploads easier. There are several popular choices here, including <a href="https://github.com/node-formidable/formidable#readme" rel="noopener noreferrer">Formidable</a> and <a href="https://github.com/richardgirges/express-fileupload#readme" rel="noopener noreferrer">express-fileupload</a> - but for this tutorial, we'll use <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a>.</li> <li>For this tutorial, we're going to scan the file for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, and so we'll add a package to make it easier to make external HTTP requests. Popular choices include <a href="https://axios-http.com" rel="noopener noreferrer">Axios</a> and <a href="https://github.com/node-fetch/node-fetch#readme" rel="noopener noreferrer">node-fetch</a> - for this article, we'll use <code>node-fetch</code>.</li> <li>We'll also add the <a href="https://www.npmjs.com/package/form-data" rel="noopener noreferrer">form-data</a> package to allow working with multipart form data, which is used to perform file uploads. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>multer@^1.4.5-lts.2 npm <span class="nb">install </span>node-fetch@^2.7.0 npm <span class="nb">install </span>form-data </code></pre> </div> <h2> Frontend </h2> <p>Before we write JavaScript code to handle the file upload, let’s create a simple web page that lets the end user select a file to upload.</p> <ul> <li>Update the content of <code>myapp/views/index.pug</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>extends layout block content h2 File Upload <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/upload"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> br h2 Malware Scan <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/scan"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>We’ve added two forms to the page. When the <strong>File Upload</strong> form is submitted, the file will be sent to a route at <code>/upload</code> - the next step is to create the route and route handler. We’ll get back to the <strong>Malware Scan</strong> form later.</p> <h2> Backend - Simple File Upload </h2> <p>Now we’re going to add a route handler to process uploaded files, and then we’ll wire up the handler to the <code>/upload</code> route.</p> <ul> <li>Create file <code>myapp/routes/upload.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="nx">storage</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fileUpload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">),</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Original File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Path: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Return a web page showing information about the file</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">&lt;br&gt; File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">&lt;br&gt; File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>This simple handler will both print information about the file to the console and return it in as a web page, so you can see what has been received by your router.</p> <p>Next, we need to wire up this code to the /upload route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added 2 lines to the default code provided by the Express generator (lines <code>#9</code> and <code>#25</code> above), telling Express to use our <code>upload.js</code> router for the <code>/upload</code> route.</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test it! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>File Upload</strong> form, Browse to select a file and press the <strong>Upload File</strong> button</li> </ol> <p>If everything was set up correctly, you should see information about the file being printed to the console, and also shown in a web page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6sq4xkbes7c6pdhhrmzs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6sq4xkbes7c6pdhhrmzs.png" alt="Express console output" width="522" height="236"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p1jxdf6soeqyk2az0z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p1jxdf6soeqyk2az0z6.png" alt="Successful file upload" width="628" height="202"></a></p> <h2> Backend - Malware Scanning </h2> <p>Now we’re going to add a route handler to perform a virus scan on uploaded files, and then we’ll wire up the handler to the <code>/scan</code> route.</p> <ul> <li>Create file <code>myapp/routes/scan.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">FormData</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">form-data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="nx">storage</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fileUpload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">),</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Original File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Path: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Scan the file for malware using the Verisys Antivirus API - the same concepts can be</span> <span class="c1">// used to work with the uploaded file in different ways</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Attach the uploaded file to a FormData instance</span> <span class="kd">var</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">form</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">),</span> <span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&lt;YOUR API KEY HERE&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Send the file to the Verisys Antivirus API</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">form</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span> <span class="p">});</span> <span class="c1">// Did we get a response from the API?</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Did the file contain a virus/malware?</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">clean</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Uploaded file is clean!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Uploaded file contained malware: &lt;b&gt;</span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">signals</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">&lt;/b&gt;`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unable to scan file: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Delete the uploaded file</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">rm</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{});</span> <span class="c1">// Forward the error to the Express error handler</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>As with the <code>/upload</code> handler, this new <code>/scan</code> handler will print information about the file to the console, so you can see what has been received by your route handler. It then uploads the file to Verisys Antivirus API to scan it for malware.</p> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files. Don't have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe</a> or <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">start a trial now</a>!</p> </blockquote> <p>Next, we need to wire up this code to the <code>/scan</code> route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">scanRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/scan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/scan</span><span class="dl">'</span><span class="p">,</span> <span class="nx">scanRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added two lines to the previous code (lines <code>#10</code> and <code>#27</code> above), telling Express to use our <code>scan.js</code> router for the <code>/scan</code> route.</p> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>Malware Scan</strong> form, Browse to select a file and press the <strong>Scan File</strong> button</li> </ol> <p>If everything was set up correctly, as before you should see information about the file being printed to the console, but you should also see a response from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" alt="Successful malware scan on a clean file" width="630" height="222"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" alt="Successful malware scan on an infected file" width="628" height="222"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express-multer" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express-multer" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-express-multer</a></p> webdev javascript tutorial express Ionx Solutions Mon, 14 Oct 2024 11:14:52 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-python-and-fastapi-8cf https://dev.to/ionx/how-to-handle-file-uploads-with-python-and-fastapi-8cf <p>Handling file uploads securely is a common need for modern applications, but it comes with challenges. From managing large files to ensuring that the content isn't malicious, developers must implement robust solutions. In this guide, we'll walk through how to use Python's FastAPI to handle file uploads. Plus, we'll show you how to integrate Verisys Antivirus API to scan files for malware, protecting your application and users.</p> <blockquote> <p><strong>NOTE</strong>: To follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://www.python.org/" rel="noopener noreferrer">Python 3.7+</a> installed on your machine</li> <li>Basic knowledge of Python and <a href="https://github.com/fastapi/fastapi" rel="noopener noreferrer">FastAPI</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com/" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Why FastAPI? </h2> <p>FastAPI is a modern web framework for Python that enables you to build APIs quickly. It's built on standard Python type hints, making it easier to work with and maintain. With built-in support for asynchronous request handling, it's also ideal for high-performance applications.</p> <p>Combined with <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, FastAPI helps you build secure file upload endpoints, crucial for any web or mobile app handling potentially unsafe files.</p> <h2> Project Scaffold/Setup </h2> <p>The first step is to create a Python environment, ready with the libraries we will use for the FastAPI project.</p> <ol> <li><p>Open a terminal or command prompt, and navigate to the directory where you want to store the project</p></li> <li><p>Create and activate a <a href="https://fastapi.tiangolo.com/virtual-environments/#create-a-virtual-environment" rel="noopener noreferrer">virtual environment</a></p></li> <li> <p>Install FastAPI, Uvicorn and <code>python-multipart</code>:<br> </p> <pre class="highlight shell"><code>pip <span class="nb">install </span>fastapi uvicorn python-multipart </code></pre> </li> <li> <p>For this tutorial, we'll also use the <code>requests</code> library to send uploaded files to Verisys Antivirus API for malware scanning:<br> </p> <pre class="highlight shell"><code>pip <span class="nb">install </span>requests </code></pre> </li> </ol> <h2> Creating the FastAPI App </h2> <p>Let's start by setting up a simple FastAPI app that will accept file uploads. Create a file <code>main.py</code> with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">UploadFile</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">'</span><span class="s">uvicorn.error</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">DEBUG</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Print information about the file to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Name: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Size: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File MIME Type: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Return information about the file to the caller - note that the </span> <span class="c1"># content_type can easily be spoofed </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">filename</span><span class="sh">"</span><span class="p">:</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">,</span> <span class="sh">"</span><span class="s">file_size</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">),</span> <span class="sh">"</span><span class="s">file_mime_type</span><span class="sh">"</span><span class="p">:</span> <span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="p">}</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">)</span> </code></pre> </div> <h2> Starting the FastAPI App </h2> <p>To run the API using the Uvicorn web server, execute the following from the same folder as <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uvicorn main:app <span class="nt">--reload</span> </code></pre> </div> <p>The <code>--reload</code> flag allows the server to automatically reload as we make changes to the code, which is helpful during development.</p> <p>Once Uvicorn starts, you'll see output indicating that the app is running, along with the URL where it's accessible. By default, it will run at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://127.0.0.1:8000 </code></pre> </div> <h2> Testing the API </h2> <p>To test the basic file upload functionality, you can simply use <code>curl</code>, or you could a tool like Postman or <a href="https://github.com/Kong/insomnia/" rel="noopener noreferrer">Insomnia</a>.</p> <p>Here's an example using curl, with a file <code>testfile.png</code> (substitute for any file you want to upload):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-F</span> <span class="s2">"file=@testfile.png"</span> http://127.0.0.1:8000/upload/ </code></pre> </div> <p>You should see a result similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"filename"</span>:<span class="s2">"testfile.png"</span>, <span class="s2">"file_size"</span>:26728, <span class="s2">"file_mime_type"</span>:<span class="s2">"image/png"</span> <span class="o">}</span> </code></pre> </div> <h2> Integrating Verisys Antivirus API </h2> <p>Uploading files is a start, but ensuring that uploaded files are free of malware is critical, especially when accepting files from end users. Verisys Antivirus API allows us to scan files before processing them further.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <p>Here's how to integrate Verisys Antivirus API to scan uploaded files:</p> <ol> <li><p><strong>Get your Verisys API Key</strong>: Before we start, ensure you have your Verisys Antivirus API key. If you don't have one, visit <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> to get started or request a trial.</p></li> <li><p><strong>Send the file to Verisys Antivirus API</strong>: Once the file has been received, send it to the Verisys API for scanning.</p></li> </ol> <p>Update <code>main.py</code> with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">UploadFile</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">VERISYS_API_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="sh">"</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">your_api_key</span><span class="sh">"</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">'</span><span class="s">uvicorn.error</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">DEBUG</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="k">class</span> <span class="nc">ScanResult</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">filename</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">content_type</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">signals</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">filename</span> <span class="o">=</span> <span class="n">filename</span> <span class="n">self</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">status</span> <span class="n">self</span><span class="p">.</span><span class="n">content_type</span> <span class="o">=</span> <span class="n">content_type</span> <span class="n">self</span><span class="p">.</span><span class="n">signals</span> <span class="o">=</span> <span class="n">signals</span> <span class="k">if</span> <span class="n">signals</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="p">[]</span> <span class="n">self</span><span class="p">.</span><span class="n">metadata</span> <span class="o">=</span> <span class="n">metadata</span> <span class="k">if</span> <span class="n">metadata</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">__repr__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ScanResult(filename=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="s">,status=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="s">, content_type=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="s">, signals=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">signals</span><span class="si">}</span><span class="s">, metadata=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">metadata</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">scan_file</span><span class="p">(</span><span class="n">file_content</span><span class="p">,</span> <span class="n">filename</span><span class="p">):</span> <span class="n">files</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="n">file_content</span><span class="p">)}</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">X-API-Key</span><span class="sh">'</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">'</span><span class="s">Accept</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">*/*</span><span class="sh">'</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">VERISYS_API_URL</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">files</span><span class="o">=</span><span class="n">files</span><span class="p">)</span> <span class="c1"># Was the scan successful? </span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1"># Print the full scan result to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Scan result: </span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">scan_result</span> <span class="o">=</span> <span class="nc">ScanResult</span><span class="p">(</span> <span class="n">filename</span><span class="o">=</span><span class="n">filename</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">],</span> <span class="n">content_type</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">content_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">signals</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">signals</span><span class="sh">"</span><span class="p">],</span> <span class="n">metadata</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">scan_result</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="nc">ScanResult</span><span class="p">(</span><span class="n">status</span><span class="o">=</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to scan file</span><span class="sh">"</span><span class="p">}])</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Print information about the file to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Name: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Size: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File MIME Type: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Scan file with Verisys API </span> <span class="n">scan_result</span> <span class="o">=</span> <span class="nf">scan_file</span><span class="p">(</span><span class="n">content</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">)</span> <span class="c1"># In real-life, you'd now use the scan result to determine what to do </span> <span class="c1"># next - but here, we'll just return the scan results to the caller </span> <span class="k">return</span> <span class="n">scan_result</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">)</span> </code></pre> </div> <p>In this modified version, after the file is uploaded, it's passed to the scan_file function, which sends the file to Verisys Antivirus API for scanning. The response from Verisys is returned as part of the result, indicating whether the file is safe or malicious.</p> <h2> Testing the Completed API </h2> <p>To test the file upload and scanning functionality, as before you can use <code>curl</code> or another tool of your preference.</p> <p>Here's an example using curl, with an <a href="https://www.eicar.org/download-anti-malware-testfile/" rel="noopener noreferrer">EICAR Anti-Virus Test File</a> <code>eicar.png</code> (substitute for any file you want to upload):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-F</span> <span class="s2">"file=@eicar.png"</span> http://127.0.0.1:8000/upload/ </code></pre> </div> <p>Depending on the file you upload, you should see the malware scan result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"filename"</span>: <span class="s2">"eicar.png"</span>, <span class="s2">"status"</span>: <span class="s2">"threat"</span>, <span class="s2">"content_type"</span>: <span class="s2">"text/plain"</span>, <span class="s2">"signals"</span>: <span class="o">[</span> <span class="s2">"Virus:EICAR_Test_File"</span> <span class="o">]</span>, <span class="s2">"metadata"</span>: <span class="o">{</span> <span class="s2">"hash_sha1"</span>: <span class="s2">"3395856ce81f2b7382dee72602f798b642f14140"</span>, <span class="s2">"hash_sha256"</span>: <span class="s2">"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Your upload endpoint could use the scan result to determine what to do next - for example, to prevent uploading files that contain malware.</p> <p>Note that while in this example the file masqueraded as a PNG image file, Verisys Antivirus API detected that it was actually a plain text file!</p> <h2> Handling File Uploads Securely </h2> <p>Here are a couple of additional tips to ensure your file upload system is secure:</p> <ul> <li><p><strong>Limit File Size</strong>: Ensure you're not accepting excessively large files, which could cause performance issues or even DoS attacks. FastAPI allows you to define custom file size limits.</p></li> <li><p><strong>Restrict File Types</strong>: Only accept specific file types (e.g., PDFs, images) to prevent the upload of executable or malicious files. </p></li> </ul> <p>{{% aside-note %}}<br> Checking the file extension and <code>Content-Type</code> header are basic steps towards securing file uploads. However, both of these can easily be spoofed.</p> <p>By scanning the actual file content, <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection" rel="noopener noreferrer">50+ different file formats</a> for you, while also scanning files for malware.<br> {{% /aside-note %}}</p> <blockquote> <p><em>Checking the file extension and <code>Content-Type</code> header are basic steps towards securing file uploads. However, both of these can easily be spoofed.</em></p> <p><em>By scanning the actual file content, <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection" rel="noopener noreferrer">50+ different file formats</a> for you, while also scanning files for malware.</em></p> </blockquote> <h2> Why Choose Verisys Antivirus API? </h2> <p>Verisys Antivirus API is specifically designed to ensure secure file uploads in your applications. Here's why it's a great fit for your project:</p> <ul> <li> <strong>Powerful Malware Detection</strong>: Verisys detects a wide range of threats, ensuring that no malicious files slip through.</li> <li> <strong>Easy Integration</strong>: The API is simple to integrate with any web framework, including FastAPI.</li> <li> <strong>Content Type Detection</strong>: Alongside malware scanning, the API also scans the file content to determine the <em>real</em> file type.</li> </ul> <h2> Conclusion </h2> <p>Handling file uploads is essential for many applications, but steps must be taken to ensure security. By using FastAPI and Verisys Antivirus API, you can create a secure file upload endpoint that scans files for malware before processing them further. Whether you're building a web app or an API for file storage, this approach ensures that your infrastructure - and your users - remain safe from harmful files.</p> <p>If you haven't yet, sign up for <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> today and start protecting your application against malware!</p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-fastapi" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-fastapi" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-fastapi</a></p> webdev tutorial python fastapi Ionx Solutions Thu, 06 Jun 2024 11:06:14 +0000 https://dev.to/ionx/securing-file-uploads-16kc https://dev.to/ionx/securing-file-uploads-16kc <p>File uploads are a common feature in web and mobile applications, but they can pose significant security risks if not handled properly. To ensure your apps remains secure, it's crucial to implement robust validation and security measures. This guide will help you to effectively secure file uploads, protecting your systems and end users from malicious intent and malware.</p> <p>File uploads present several security risks that could compromise both your apps and users. The main risks include:</p> <ul> <li><p><strong>Malicious Files</strong>: Uploaded files can contain viruses, malware, or executable code designed to exploit vulnerabilities.</p></li> <li><p><strong>Cross-Site Scripting (XSS)</strong>: Inadequately validated files can contain scripts that execute in the context of the user's browser.</p></li> <li><p><strong>Denial-of-Service (DoS) Attacks</strong>: Malicious users upload large files, or numerous smaller files, to exhaust server storage and processing capacities.</p></li> <li><p><strong>SQL Injection</strong>: If uploaded file metadata (e.g. filename) are not meticulously sanitised, they can serve as vectors for SQL injection attacks, potentially compromising the database.</p></li> </ul> <p>Due to the diverse range of risks, relying on a single method is not sufficient - a multi-layered approach is required, combining validation checks, metadata sanitisation, secure configuration and malware scanning.</p> <h2> Validate the File Extension </h2> <p>File extensions help in identifying the type of file and determining whether it should be accepted. However, just like the <code>Content-Type</code> header, file extensions can be manipulated. Despite this, enforcing a whitelist of allowed file extensions can act as a preliminary filter to block obviously dangerous file types. Ensure that only extensions pertinent to your application's needs are accepted.</p> <p>Checking the file extension is another basic step in securing file uploads. However, like other HTTP headers, file names and extensions can easily be spoofed. Use an allowlist approach, permitting only the specific extensions that your application requires (e.g., <code>.jpg</code>, <code>.png</code>, <code>.pdf</code>). This is a simple validation, and can act as a preliminary filter to block obviously dangerous/incorrect file types.</p> <h2> Validate the File Size </h2> <p>Limiting the file size is crucial to prevent denial-of-service (DoS) attacks where an attacker attempts to upload extremely large files to exhaust server resources. Set a maximum file size limit according to your application's requirements and enforce this limit server-side to ensure that oversized files are rejected immediately.</p> <h2> Validate the <code>Content-Type</code> Header </h2> <p>Depending on your application's requirements, you will want to accept only particular types of file; for example, for a profile picture you would only want to accept image files.</p> <p>The <code>Content-Type</code> header, sent by the client, indicates the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME type</a> of the file being uploaded. While it's useful to validate as a quick and easy check, it should never be fully trusted - malicious users can easily spoof this header. Therefore, treat the <code>Content-Type</code> header as just one of several checks.</p> <p>How to <em>definitively</em> determine the file type is covered in the next section.</p> <h2> Validate the File Type Based on Signature </h2> <p>As neither the file extension or <code>Content-Type</code> header can be trusted, the most effective and reliable way to verify a file's content/media type is by checking its file signature, or "magic number". These are unique <a href="https://www.garykessler.net/library/file_sigs.html">sequences of bytes</a>, usually at the beginning of a file, that indicate its true format. Validation can be performed by reading the first few bytes of the file and matching them against known signatures for allowed file types. For example, a PNG file typically starts with <code>89 50 4E 47</code>, and a JPEG file starts with <code>FF D8 FF</code>.</p> <p>This method ensures that the file content matches its purported type, providing a robust defence against file type spoofing. Libraries and tools are available in various programming languages to facilitate this check, or alternatively <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection">50+ different file formats</a> for you, while also scanning files for malware.</p> <h2> Scan for Malware </h2> <p>Incorporating malware scanning into your file upload process is a critical step to ensure the security of both your application and your end users. Malware can be hidden in seemingly harmless files, posing significant risks once they are uploaded and processed.</p> <p>While there are several malware scanning tools available, not all are equally effective. For instance, <a href="https://www.clamav.net">ClamAV</a> is a popular open-source antivirus engine, but has notable drawbacks such as poor detection rates, high resource usage, and slow scan times. These limitations can compromise your application's performance and security.</p> <p>Consider using a more robust and efficient solution like <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>. Verisys Antivirus API offers vastly superior detection capabilities, faster scan times, and a ready-to-use <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">antivirus API</a>, making it a reliable choice for integrating malware scanning into your applications.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvsq7e79j04hn1qu046e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvsq7e79j04hn1qu046e.png" alt="JSON response from Verisys Antivirus API" width="717" height="395"></a></p> <blockquote> <p><em>Boost your app security with <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>: our language-agnostic API seamlessly integrates malware scanning into your mobile apps, web apps, and backend systems.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Storing Files </h2> <p>Steps required to secure files at rest will depend on the location of stored files - for example, they could be uploaded to object storage such as S3, or they could be stored on disk.</p> <ul> <li><p><strong>Sanitise File Names</strong>: file names can contain malicious characters that your application may be unable to process correctly. Always sanitise file names by removing or replacing special characters, spaces, and potentially executable scripts. Consider renaming files upon upload to a standardised naming convention to prevent any harmful effects.</p></li> <li><p><strong>Secure Storage Location</strong>: if storing files on disk (rather than, for example, object storage), uploaded files should be stored in a directory that is not directly accessible via the web. This prevents direct execution or access to the files from a URL.</p></li> <li><p><strong>Set Appropriate Permissions</strong>: ensure that uploaded files have the minimum necessary permissions. For instance, files should not be executable if they don't need to be.</p></li> </ul> <h2> Closing Thoughts </h2> <p>By combining these strategies, developers can significantly enhance the security of file uploads in their applications. A layered approach, which includes malware scanning, provides comprehensive protection against a variety of attack vectors, ensuring that file uploads remain a safe and useful feature.</p> <p>For a comprehensive guide on securing file uploads and other web application security best practices, refer to <a href="https://owasp.org">OWASP</a> (Open Worldwide Application Security Project). OWASP provides a wealth of resources, including the <a href="https://owasp.org/www-project-top-ten/">OWASP Top Ten</a>, which highlights the most critical security risks to web applications. In particular, see <a href="https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload">Unrestricted File Upload</a>.</p> <p>Learn more about <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>, our language-agnostic API that seamlessly integrates antivirus scanning into your mobile apps, web apps, and backend systems: <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">https://www.ionxsolutions.com/products/antivirus-api</a></p> webdev security guide Ionx Solutions Tue, 07 May 2024 11:21:02 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-aspnet-core-o62 https://dev.to/ionx/how-to-handle-file-uploads-with-aspnet-core-o62 <p>Managing file uploads from end users is often required in web apps and APIs. This tutorial will guide you through the process of handling uploaded files using using ASP.NET Core and C#.</p> <blockquote> <p><strong>NOTE</strong>: To follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://dotnet.microsoft.com/en-us/download" rel="noopener noreferrer">.NET SDK 8</a> installed on your machine</li> <li>Basic knowledge of .NET, <a href="https://dotnet.microsoft.com/en-us/apps/aspnet" rel="noopener noreferrer">ASP.NET Core</a> and C#</li> <li>An IDE or text editor; we'll use <a href="https://visualstudio.microsoft.com/vs/" rel="noopener noreferrer">Visual Studio 2022</a> for this tutorial, but a lightweight IDE such as <a href="https://code.visualstudio.com/" rel="noopener noreferrer">Visual Studio Code</a> will work just as well</li> </ul> </blockquote> <p>To allow files to be uploaded, you will:</p> <ol> <li>Create ASP.NET Core <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/views/razor?view=aspnetcore-8.0" rel="noopener noreferrer">Razor</a> <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/views/overview?view=aspnetcore-8.0" rel="noopener noreferrer">views</a> that allow the user to select a file to upload</li> <li>Create ASP.NET Core <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/overview?view=aspnetcore-8.0#controller-responsibilities" rel="noopener noreferrer">controllers</a> to work with uploaded files</li> </ol> <p>Of course, you will also want to <em>do something</em> with each uploaded file! In this tutorial, we're going to write C# code to show information about the file, and also to scan it for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Project Setup </h2> <p>First, we need to create a new ASP.NET Core MVC project.</p> <ul> <li><p>Start Visual Studio and select <strong>File &gt; New &gt; Project</strong></p></li> <li><p>Select the template named <strong>ASP.NET Core Web App (Model-View-Controller)</strong> and click <strong>Next</strong></p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyglhdi3tt8pagfm45o3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyglhdi3tt8pagfm45o3.png" alt="Visual Studio project template selection" width="800" height="508"></a></p> <ul> <li>Enter <strong>Web</strong> for the <strong>Project Name</strong>, choose a location to save the project, then click <strong>Next</strong> </li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wdlm6j19vyr3o4bmyna.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wdlm6j19vyr3o4bmyna.png" alt="Visual Studio project name" width="800" height="425"></a></p> <ul> <li>For the <strong>Framework</strong>, select <strong>.NET 8.0 (Long Term Support)</strong>, then click <strong>Create</strong> </li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstg93yj804odjyvyv814.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstg93yj804odjyvyv814.png" alt="Visual Studio project SDK" width="800" height="425"></a></p> <ul> <li>The new project will be created, and you should see this folder structure in Visual Studio's <strong>Solution Explorer</strong>:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqeorayai7t53mzaqdkv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqeorayai7t53mzaqdkv.png" alt="Folder structure visible in Solution Explorer" width="437" height="368"></a></p> <h2> Running the App </h2> <p>Now we've created a new project, let's make sure it runs!</p> <ul> <li>Press <strong>CTRL+F5</strong>, or click the <strong>Start Without Debugging</strong> button:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11ylvhzs6labtso0wpsr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11ylvhzs6labtso0wpsr.png" alt="Start without debugging" width="800" height="136"></a></p> <ul> <li>The first time you run the project, you will be asked to install an SSL/TLS certificate - click <strong>Yes</strong> on both popups:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r7mng1fhwon6rd10cyh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r7mng1fhwon6rd10cyh.png" alt="Installation of SSL/TLS certificate" width="611" height="229"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglxmgubymkv5sbsgncbe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglxmgubymkv5sbsgncbe.png" alt="Installation of SSL/TLS certificate" width="512" height="475"></a></p> <ul> <li>Visual Studio will then run the app, opening it in the default browser:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzr9e63mauylr4yv8ih.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzr9e63mauylr4yv8ih.png" alt="ASP.NET Core web app running in a browser" width="722" height="411"></a></p> <ul> <li>While running your project, Visual Studio will open a terminal as well as the browser - this is for the default web server, Kestrel. If you press <code>CTRL-C</code>, it will shut down the web server and stop running your project.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv713glfykd6gff3au24c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv713glfykd6gff3au24c.png" alt="Start without debugging" width="569" height="279"></a></p> <h2> File Upload </h2> <p>To enable file uploads, we need to add:</p> <ol> <li>View models, to encapsulate information about uploaded files</li> <li>A view with a form that allows users to select and upload a file</li> <li>A view to show information about the uploaded file</li> <li>A controller, to show the views and handle the uploaded file</li> <li>We'll also update the main layout view, just to add links to our new pages</li> </ol> <p>Let's get started!</p> <ul> <li>First, create file <code>Models/FileModels.cs</code>, with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">namespace</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">UploadModel</span><span class="p">(</span><span class="n">IFormFile</span> <span class="n">File</span><span class="p">);</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">ResultModel</span><span class="p">(</span><span class="kt">string</span> <span class="n">Name</span><span class="p">,</span> <span class="kt">long</span> <span class="n">Size</span><span class="p">,</span> <span class="kt">string</span> <span class="n">MimeType</span><span class="p">,</span> <span class="n">MalwareStatus</span> <span class="n">MalwareStatus</span><span class="p">,</span> <span class="kt">string</span><span class="p">[]</span> <span class="n">Signals</span><span class="p">);</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">ApiResultModel</span><span class="p">(</span><span class="n">Guid</span> <span class="n">Id</span><span class="p">,</span> <span class="n">MalwareStatus</span> <span class="n">Status</span><span class="p">,</span> <span class="kt">string</span><span class="p">[]</span> <span class="n">Signals</span><span class="p">);</span> <span class="k">public</span> <span class="k">enum</span> <span class="n">MalwareStatus</span> <span class="p">{</span> <span class="n">Unknown</span><span class="p">,</span> <span class="n">Clean</span><span class="p">,</span> <span class="n">Threat</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Next, create a folder <code>Views/Upload</code>, and inside a view file <code>Views/Upload/Index.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model UploadModel @{ ViewData["Title"] = "Upload File"; } <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">asp-for=</span><span class="s">"File"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>Note the form's <a href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype" rel="noopener noreferrer">encoding type</a> (<code>enctype</code>) property is set to <code>multipart/form-data</code> - this is required for uploading files.</p> <ul> <li>Next, create view file <code>Views/Upload/Result.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model ResultModel @{ ViewData["Title"] = "Result"; } <span class="nt">&lt;h1&gt;</span>Result<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div&gt;</span>File Name: @Model.Name<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>File Size: @Model.Size<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Mime Type: @Model.MimeType<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Malware Status: @Model.MalwareStatus<span class="nt">&lt;/div&gt;</span> </code></pre> </div> <ul> <li>Create a controller file <code>Controllers/UploadController.cs</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Web.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">UploadController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">(</span><span class="n">UploadModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ResultModel</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">Length</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">ContentType</span><span class="p">,</span> <span class="n">MalwareStatus</span><span class="p">.</span><span class="n">Unknown</span><span class="p">,</span> <span class="p">[]);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="s">"Result"</span><span class="p">,</span> <span class="n">result</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Finally, update the content of <code>Views/Shared/_Layout.cshtml</code> to add links to our new pages: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>@ViewData["Title"]<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"~/lib/bootstrap/dist/css/bootstrap.min.css"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;header&gt;</span> <span class="nt">&lt;nav</span> <span class="na">class=</span><span class="s">"navbar navbar-expand border-bottom mb-3"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container-fluid"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"navbar-collapse"</span><span class="nt">&gt;</span> <span class="nt">&lt;a</span> <span class="na">class=</span><span class="s">"nav-link text-dark"</span> <span class="na">href=</span><span class="s">"/upload"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;a</span> <span class="na">class=</span><span class="s">"nav-link text-dark"</span> <span class="na">href=</span><span class="s">"/scan"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/nav&gt;</span> <span class="nt">&lt;/header&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;main</span> <span class="na">role=</span><span class="s">"main"</span> <span class="na">class=</span><span class="s">"pb-3"</span><span class="nt">&gt;</span> @RenderBody() <span class="nt">&lt;/main&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>It really is that simple!</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test file uploads! 🎉</p> <ul> <li><p>Begin by running the project again, either by pressing <strong>CTRL+F5</strong>, or by click the <strong>Start Without Debugging</strong> button</p></li> <li><p>Your browser should open automatically, showing a page that looks like this:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcg96p4h2xxy6fjuwzh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcg96p4h2xxy6fjuwzh.png" alt="ASP.NET Core web app running in a browser" width="722" height="363"></a></p> <ul> <li>Click the link <strong>Upload File</strong>, and you should see one of the new views we created:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fji9p2iuucsu6xvsvytls.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fji9p2iuucsu6xvsvytls.png" alt="Upload file form" width="722" height="279"></a></p> <ul> <li><p>Press <strong>Choose File</strong> to select a file to upload, then and press the <strong>Upload File</strong> button</p></li> <li><p>If everything was set up correctly, you should see information about the file being shown in a web page:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xyj81spdwlchfl79har.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xyj81spdwlchfl79har.png" alt="Successful file upload" width="722" height="404"></a></p> <p>Note that the <strong>Malware Status</strong> is shown as <strong>Unknown</strong> - we'll fix that in the next section.</p> <h2> Malware Scanning </h2> <p>Now we're going to use <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> to scan uploaded files for malware. Following a similar pattern as for the previous section, we need to add:</p> <ol> <li>Registration of an HTTP client with the Dependency Injection (DI) container</li> <li>A view with a form that allows users to select and upload a file for scanning</li> <li>A view to show the results of the malware scan</li> <li>A controller, to show the views and send the uploaded file to <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> </li> </ol> <p>Let's get started!</p> <ul> <li>In file <code>Program.cs</code>, replace line <code>builder.Services.AddControllersWithViews();</code> with: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Register an HTTP client for use with Verisys Antivirus API</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHttpClient</span><span class="p">&lt;</span><span class="n">HomeController</span><span class="p">&gt;(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">x</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://eu1.api.av.ionxsolutions.com/v1/"</span><span class="p">);</span> <span class="n">x</span><span class="p">.</span><span class="n">DefaultRequestHeaders</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">);</span> <span class="n">x</span><span class="p">.</span><span class="n">DefaultRequestHeaders</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"X-API-Key"</span><span class="p">,</span> <span class="s">"&lt;YOUR API KEY HERE&gt;"</span><span class="p">);</span> <span class="p">});</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllersWithViews</span><span class="p">().</span><span class="nf">AddJsonOptions</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">x</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">.</span><span class="n">Converters</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="k">new</span> <span class="nf">JsonStringEnumConverter</span><span class="p">());</span> <span class="n">x</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">.</span><span class="n">PropertyNameCaseInsensitive</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files for real. Don’t have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe now</a>!</p> </blockquote> <ul> <li>Create a folder <code>Views/Scan</code>, and inside a view file <code>Views/Scan/Index.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model UploadModel @{ ViewData["Title"] = "Scan File"; } <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">asp-for=</span><span class="s">"File"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <ul> <li>Next, create view file <code>Views/Scan/Result.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model ResultModel @{ ViewData["Title"] = "Result"; } <span class="nt">&lt;h1&gt;</span>Result<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div&gt;</span>File Name: @Model.Name<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>File Size: @Model.Size<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Mime Type: @Model.MimeType<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Malware Status: @Model.MalwareStatus<span class="nt">&lt;/div&gt;</span> @if (Model.MalwareStatus == MalwareStatus.Threat) { foreach (var signal in Model.Signals) { <span class="nt">&lt;div&gt;</span>Signal: @signal<span class="nt">&lt;/div&gt;</span> } } </code></pre> </div> <ul> <li>Finally, create a controller file <code>Controllers/ScanController.cs</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Options</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Text.Json</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Web.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ScanController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IHttpClientFactory</span> <span class="n">clientFactory</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">JsonSerializerOptions</span> <span class="n">jsonOptions</span><span class="p">;</span> <span class="k">public</span> <span class="nf">ScanController</span><span class="p">(</span><span class="n">IHttpClientFactory</span> <span class="n">clientFactory</span><span class="p">,</span> <span class="n">IOptions</span><span class="p">&lt;</span><span class="n">JsonOptions</span><span class="p">&gt;</span> <span class="n">jsonOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="n">clientFactory</span> <span class="p">=</span> <span class="n">clientFactory</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="n">jsonOptions</span> <span class="p">=</span> <span class="n">jsonOptions</span><span class="p">.</span><span class="n">Value</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Index</span><span class="p">(</span><span class="n">UploadModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">this</span><span class="p">.</span><span class="n">clientFactory</span><span class="p">.</span><span class="nf">CreateClient</span><span class="p">(</span><span class="k">nameof</span><span class="p">(</span><span class="n">HomeController</span><span class="p">));</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">formData</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">MultipartFormDataContent</span><span class="p">();</span> <span class="n">formData</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="k">new</span> <span class="nf">StreamContent</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="nf">OpenReadStream</span><span class="p">()),</span> <span class="s">"file"</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">);</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">PostAsync</span><span class="p">(</span><span class="s">"malware/scan/file"</span><span class="p">,</span> <span class="n">formData</span><span class="p">);</span> <span class="n">response</span><span class="p">.</span><span class="nf">EnsureSuccessStatusCode</span><span class="p">();</span> <span class="kt">var</span> <span class="n">apiModel</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span><span class="p">.</span><span class="n">ReadFromJsonAsync</span><span class="p">&lt;</span><span class="n">ApiResultModel</span><span class="p">&gt;(</span><span class="k">this</span><span class="p">.</span><span class="n">jsonOptions</span><span class="p">);</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ResultModel</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">Length</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">ContentType</span><span class="p">,</span> <span class="n">apiModel</span><span class="p">!.</span><span class="n">Status</span><span class="p">,</span> <span class="n">apiModel</span><span class="p">.</span><span class="n">Signals</span><span class="p">);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="s">"Result"</span><span class="p">,</span> <span class="n">result</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ul> <li><p>Begin by running the project again, either by pressing <strong>CTRL+F5</strong>, or by click the <strong>Start Without Debugging</strong> button</p></li> <li><p>Your browser should open automatically, showing a page that looks like this:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hlesgfjbphq3yp69mc0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hlesgfjbphq3yp69mc0.png" alt="ASP.NET Core web app running in a browser" width="722" height="363"></a></p> <ul> <li>Click the link <strong>Scan File</strong>, and you should see one of the new views we created:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5su0x07aeenuugom4ni.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5su0x07aeenuugom4ni.png" alt="Scan file form" width="722" height="279"></a></p> <ul> <li><p>Press <strong>Choose File</strong> to select a file to upload, then and press the <strong>Upload File</strong> button</p></li> <li><p>If everything was set up correctly, you should see malware scan results from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> being shown in a web page:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo97m4dlg0u77290u3bix.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo97m4dlg0u77290u3bix.png" alt="Scan result of a clean, virus-free file" width="722" height="404"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyb08y01jdcg8gkg60hc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyb08y01jdcg8gkg60hc.png" alt="Scan result of an infected file" width="722" height="434"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore</a></p> webdev tutorial aspdotnet csharp Ionx Solutions Wed, 07 Feb 2024 13:47:30 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-34i4 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-34i4 <p>A common requirement in web apps and APIs is handling file uploads from end users. In this tutorial you will learn how to work with uploaded files using Node.js and Express.</p> <blockquote> <p><strong>NOTE</strong>: In order to follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://nodejs.org/" rel="noopener noreferrer">Node.js</a> installed on your machine</li> <li>Basic knowledge of JavaScript and <a href="https://expressjs.com/" rel="noopener noreferrer">Express</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Overview </h2> <p>To allow files to be uploaded, you will:</p> <ol> <li>Create a web page with a form that allows the user to select a file to upload</li> <li>Create Express route handlers to work with uploaded files</li> </ol> <p>Of course, you will also want to <em>do something</em> with each uploaded file! In this tutorial, we're going to write JavaScript code to display some information about the file, and also to scan it for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Project Setup </h2> <p>The first step is to create and initialize a new Express project.</p> <ul> <li>Open a terminal or command prompt, navigate to the directory where you want to store the project, and run the following commands: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx express-generator <span class="nt">--view</span><span class="o">=</span>pug myapp <span class="nb">cd </span>myapp npm <span class="nb">install</span> </code></pre> </div> <ul> <li>The generated app should have the following directory structure: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── app.js ├── package.json ├── bin │ └── www ├── package.json ├── public │ ├── images │ ├── javascripts │ └── stylesheets │ └── style.css ├── routes │ ├── index.js │ └── users.js ├── views │ ├── error.pug │ └── index.pug │ └── layout.pug </code></pre> </div> <ul> <li>Before we move on, make sure you are able to run the app and view it in a browser</li> </ul> <p>On MacOS, Linux or Git Bash on Windows, run the app with this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> npm start </code></pre> </div> <p>Or use this command for Windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">set </span><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> &amp; npm start </code></pre> </div> <p>Or this command for Windows Powershell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">DEBUG</span><span class="o">=</span><span class="s1">'myapp:*'</span><span class="p">;</span><span class="w"> </span><span class="n">npm</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span></code></pre> </div> <p>Then navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> in your browser to access the app - you should see a page that looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" alt="Express web app running in a browser" width="627" height="371"></a></p> <ul> <li><p>Go ahead and stop the server by hitting <code>CTRL-C</code> at the command prompt</p></li> <li> <p>Next we’re going to add a few NPM packages:</p> <ul> <li>We’ll add a package to deal with file uploads easier. There are several popular choices here, including <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a>, <a href="https://github.com/node-formidable/formidable#readme" rel="noopener noreferrer">Formidable</a> and <a href="https://github.com/richardgirges/express-fileupload#readme" rel="noopener noreferrer">express-fileupload</a> - they are all fairly similar, and for this tutorial, we’ll use <code>express-fileupload</code> </li> <li>For this tutorial, we’re going to scan the file for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, and so we’ll add a package to make it easier to make external HTTP requests. Popular choices include <a href="https://axios-http.com" rel="noopener noreferrer">Axios</a> and <a href="https://github.com/node-fetch/node-fetch#readme" rel="noopener noreferrer">node-fetch</a> - for this article, we’ll use <code>node-fetch</code> </li> <li>We’ll also add the <a href="https://www.npmjs.com/package/form-data" rel="noopener noreferrer">form-data</a> package to allow working with multipart form data, which is used to perform file uploads </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express-fileupload npm <span class="nb">install </span>node-fetch@^2.7.0 npm <span class="nb">install </span>form-data </code></pre> </div> <h2> Frontend </h2> <p>Before we write JavaScript code to handle the file upload, let’s create a simple web page that lets the end user select a file to upload.</p> <ul> <li>Update the content of <code>myapp/views/index.pug</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>extends layout block content h2 File Upload <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/upload"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> br h2 Malware Scan <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/scan"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>We’ve added two forms to the page. When the <strong>File Upload</strong> form is submitted, the file will be sent to a route at <code>/upload</code> - the next step is to create the route and route handler. We’ll get back to the <strong>Malware Scan</strong> form later.</p> <h2> Backend - Simple File Upload </h2> <p>Now we’re going to add a route handler to process uploaded files, and then we’ll wire up the handler to the <code>/upload</code> route.</p> <ul> <li>Create file <code>myapp/routes/upload.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-fileupload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fileUpload</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">},</span> <span class="c1">// Temporarily store uploaded files to disk, rather than buffering in memory</span> <span class="na">useTempFiles</span> <span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">tempFileDir</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/tmp/</span><span class="dl">'</span> <span class="p">}));</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Return a web page showing information about the file</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">&lt;br&gt; File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">&lt;br&gt; File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">&lt;br&gt; File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>This simple handler will both print information about the file to the console and return it in as a web page, so you can see what has been received by your router.</p> <p>Next, we need to wire up this code to the /upload route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added 2 lines to the default code provided by the Express generator (lines <code>#9</code> and <code>#25</code> above), telling Express to use our <code>upload.js</code> router for the <code>/upload</code> route.</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test it! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>File Upload</strong> form, Browse to select a file and press the <strong>Upload File</strong> button</li> </ol> <p>If everything was set up correctly, you should see information about the file being printed to the console, and also shown in a web page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7fdyk7nnqmo4ussm1g8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7fdyk7nnqmo4ussm1g8.png" alt="Express console output" width="389" height="177"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58gv1221qy63yau1drcs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58gv1221qy63yau1drcs.png" alt="Successful file upload" width="628" height="222"></a></p> <h2> Backend - Malware Scanning </h2> <p>Now we’re going to add a route handler to perform a virus scan on uploaded files, and then we’ll wire up the handler to the <code>/scan</code> route.</p> <ul> <li>Create file <code>myapp/routes/scan.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-fileupload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">FormData</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">form-data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fileUpload</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">},</span> <span class="c1">// Temporarily store uploaded files to disk, rather than buffering in memory</span> <span class="na">useTempFiles</span> <span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">tempFileDir</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/tmp/</span><span class="dl">'</span> <span class="p">}));</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Scan the file for malware using the Verisys Antivirus API - the same concepts can be</span> <span class="c1">// used to work with the uploaded file in different ways</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Attach the uploaded file to a FormData instance</span> <span class="kd">var</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">form</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">tempFilePath</span><span class="p">),</span> <span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&lt;YOUR API KEY HERE&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Send the file to the Verisys Antivirus API</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">form</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span> <span class="p">});</span> <span class="c1">// Did we get a response from the API?</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Did the file contain a virus/malware?</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">clean</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Uploaded file is clean!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Uploaded file contained malware: &lt;b&gt;</span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">signals</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">&lt;/b&gt;`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unable to scan file: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Forward the error to the Express error handler</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="c1">// Remove the uploaded temp file</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">rm</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">tempFilePath</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{});</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>As with the <code>/upload</code> handler, this new <code>/scan</code> handler will print information about the file to the console, so you can see what has been received by your route handler. It then uploads the file to Verisys Antivirus API to scan it for malware.</p> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files for real. Don’t have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe now</a>!</p> </blockquote> <p>Next, we need to wire up this code to the <code>/scan</code> route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">scanRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/scan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/scan</span><span class="dl">'</span><span class="p">,</span> <span class="nx">scanRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added two lines to the previous code (lines <code>#10</code> and <code>#27</code> above), telling Express to use our <code>scan.js</code> router for the <code>/scan</code> route.</p> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>Malware Scan</strong> form, Browse to select a file and press the <strong>Scan File</strong> button</li> </ol> <p>If everything was set up correctly, as before you should see information about the file being printed to the console, but you should also see a response from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" alt="Successful malware scan on a clean file" width="630" height="222"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" alt="Successful malware scan on an infected file" width="628" height="222"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-express</a></p> webdev javascript tutorial express