The latest articles on DEV Community by Ionx Solutions (@ionx). https://dev.to/ionx https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1275308%2Ff463ad98-3d70-4597-8432-bda6aeb7c0e4.png https://dev.to/ionx en Ionx Solutions Thu, 30 Apr 2026 12:15:56 +0000 https://dev.to/ionx/safely-handling-malware-samples-for-api-testing-16lf https://dev.to/ionx/safely-handling-malware-samples-for-api-testing-16lf <p>This is a developer's guide to safely submitting malware samples to Verisys Antivirus API.</p> <p><em>Malware samples can be a useful tool when testing an antivirus API - but handling live malware is <strong>genuinely dangerous</strong>. This guide covers everything you need to know: from safe test files for most developers, to a purpose-built, hardened environment for those who need the real thing.</em></p> <h2> Who This Guide is For </h2> <p>If you're building a file upload feature and want to verify that your integration with <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=blog" rel="noopener noreferrer">Verisys Antivirus API</a> works correctly before going to production, you've come to the right place. But before we go any further, we need to split this audience in two.</p> <ol> <li><p><strong>The vast majority of developers</strong> testing an antivirus integration don't need live malware at all. The EICAR test file - a purpose-built, universally recognised test vector - is all you need to validate that your API calls are correctly wired up, that malware detections are returned and handled properly, and that your application behaves as expected when a threat is found. If that's you, jump straight to Start here: the EICAR test file.</p></li> <li><p><strong>A small number of developers</strong> (such as those working in dedicated security roles, or researchers building specialised tooling) may legitimately need to work with real samples. The rest of this guide is written for you. But be warned: this is not a casual undertaking - <em>here be dragons!</em> Handling live malware without proper precautions can compromise your machine, your network, and potentially your colleagues' machines too.</p></li> </ol> <blockquote> <p><strong>NOTE</strong>: This guide is specifically about safely uploading malware samples to an antivirus API for detection testing. It is not a guide to malware analysis or reverse engineering. You will not be executing (or "detonating"), debugging, or decompiling anything. That distinction meaningfully reduces the risk profile, as we'll explain below.</p> </blockquote> <h2> Start Here: The EICAR Test File </h2> <p>The <a href="https://www.eicar.org/download-anti-malware-testfile/" rel="noopener noreferrer">EICAR Anti-Malware Test File</a> is the industry-standard way to test antivirus integrations without handling real malware. It was created in the 90s as a collaboration between antivirus vendors, and virtually every antivirus engine recognises it as a test threat and returns a detection.</p> <p>It's a completely harmless plain text file containing exactly this string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* </code></pre> </div> <p>Despite containing no actual malicious code, every major antivirus engine flags it. It's entirely harmless - your machine is not at risk. But it lets you exercise the full detection path in your integration with confidence.</p> <p>You can download it directly from EICAR's website, or you can simply create the file yourself by copying the string above into a new file and save it with any extension (<code>.com</code>, <code>.txt</code>, or anything else).</p> <p>To scan it with Verisys Antivirus API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file \ --header 'X-API-Key: YOUR_API_KEY' \ --form file=@/path/to/eicar.com </code></pre> </div> <p>You should receive a response something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "id": "275d2ead-abb2-4764-a4d4-0797d1a2193d", "scan_type": "malware", "status": "threat", "content_length": 68, "content_type": "text/plain", "signals": ["Virus:EICAR_Test_File"], "metadata": { "hash_sha1": "3395856ce81f2b7382dee72602f798b642f14140", "hash_sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" } } </code></pre> </div> <p>A <code>status</code> of <code>threat</code> and the signal <code>Virus:EICAR_Test_File</code> tells you everything is working as intended. If you see this, your integration is correctly passing files to the API and receiving threat detections back. That's all you need to scan real malware too.</p> <blockquote> <p><strong>NOTE</strong>: Don't have an API key yet? <a href="https://www.ionxsolutions.com/products/antivirus-api/trial?utm_source=blog" rel="noopener noreferrer">Start a free trial of Verisys Antivirus API</a> - no credit card required. You'll be scanning files in no time!</p> </blockquote> <p>You can also scan the EICAR file by URL, without downloading it at all:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://eu1.api.av.ionxsolutions.com/v1/malware/scan/url <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'X-API-Key: YOUR_API_KEY'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'{"file_url": "https://secure.eicar.org/eicar.com.txt"}'</span> </code></pre> </div> <p>If you're satisfied that EICAR meets your needs, you're done - and your machine is safer for it. The rest of this guide covers the small number of scenarios where real malware samples are necessary - only proceed if you have a clear, justified need to work with real malware samples.</p> <h2> Why You Might Need Real Malware Samples </h2> <p>For the vast majority of file upload integrations, EICAR is sufficient. But there are legitimate reasons a developer might need to work with real samples:</p> <ul> <li> <strong>Detection rate validation:</strong> verifying that the API correctly detects a specific malware family or strain relevant to your threat model.</li> <li> <strong>Edge case testing</strong>: testing API behaviour with unusual file types, packed executables, or polyglot files that embed malicious payloads.</li> <li> <strong>QA pipeline stress testing</strong>: building a comprehensive test corpus that exercises multiple threat categories - ransomware, trojans, infostealers, and so on - to validate detection across the board.</li> <li> <strong>Security research tooling</strong>: building infrastructure that processes, classifies, or routes malware samples as part of a broader security product.</li> </ul> <p>If any of these apply to you, continue reading - but proceed cautiously.</p> <h2> The Dangers of Handling Live Malware </h2> <p>Let's be direct about what you're dealing with. Unlike the EICAR file, real malware is not inert - it is specifically designed to execute, propagate, and cause harm. Even if your intention is only to upload a file to an API for scanning, the risks are real:</p> <ul> <li><p><strong>Accidental execution</strong>: Double-clicking, previewing, or opening a file in the wrong application can trigger execution. Modern operating systems have many automatic file-handling behaviours - thumbnail generation, indexing, preview pane rendering - that can invoke malicious payloads without any deliberate action on your part.</p></li> <li><p><strong>Network propagation</strong>: Some malware families - worms in particular - are designed to scan the local network and spread to reachable hosts automatically upon execution. If your machine is connected to a shared network, a single accidental execution can cascade rapidly.</p></li> <li><p><strong>Lateral movement</strong>: Many modern malware strains include persistence mechanisms, credential harvesting, and lateral movement capabilities. If a sample executes on a machine with access to shared drives, password managers, or cloud sync folders, the damage can extend far beyond the original machine.</p></li> <li><p><strong>Legal and policy risk</strong>: Depending on your jurisdiction, possessing certain malware samples may carry legal implications. Always ensure you're operating within the law and within your organisation's acceptable use policies.</p></li> <li><p><strong>Human error</strong>: This is, honestly, the most common risk. Experienced security researchers have accidentally executed malware despite knowing better. Fatigue, distraction, and familiarity all contribute. A robust environment doesn't just protect against malware - it protects against <em>you</em>!</p></li> </ul> <h3> The Upload-Only Advantage </h3> <p>Here's the key insight that most general malware handling guides miss: if your goal is only to upload a sample to an API, your risk profile is <em>dramatically</em> lower than a malware analyst's.</p> <p>A malware analyst needs to execute samples, observe runtime behaviour, capture network traffic, and interact with live processes. That requires a fundamentally different (and far more complex) containment strategy.</p> <p>You don't need any of that. Your workflow is:</p> <ol> <li>Download the sample (remember that by convention, samples are compressed and password-protected)</li> <li>Extract the sample in an isolated environment</li> <li>Upload the file to the API via <code>curl</code> </li> <li>Observe the response</li> <li>Delete the sample</li> </ol> <p>You never <em>execute</em> anything. This means the primary risk is accidental execution, which a combination of isolation, careful tooling choices, and good habits can mitigate effectively.</p> <h2> Architecture Overview </h2> <p>The environment we'll build has two components: a <strong>dedicated physical host</strong> running Linux, and a <strong>sandbox virtual machine</strong> running inside it. The key design principle is a clean separation of responsibilities.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8xk8awo7gzobd2bxyc8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8xk8awo7gzobd2bxyc8.png" alt="System Architecture" width="800" height="738"></a></p> <p>The <strong>host</strong> is responsible for downloading compressed, password-protected malware archives from the internet. It stores them in <code>/malware-archives</code>, a bind-mounted directory with <code>noexec</code> and <code>nosuid</code> flags. The host never extracts or uploads these encrypted archives - it <em>only ever</em> downloads them to disk - so the risk of accidental execution on the host is <em>greatly</em> reduced.</p> <p>The <strong>sandbox VM</strong> is responsible for extracting archives and uploading the resulting files (typically binaries) to Verisys Antivirus API. It can see the host's <code>/malware-archives</code> as a read-only <a href="https://libvirt.org/kbase/virtiofs.html" rel="noopener noreferrer">virtiofs</a> mount - it can read archives, but cannot modify or add to them. Extracted binaries are stored in <code>/malware-binaries</code>, a <a href="https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html" rel="noopener noreferrer">tmpfs</a> RAM disk inside the sandbox with <code>noexec</code> flags. Crucially, the sandbox VM's network access is permanently and significantly locked down: it can make outbound <code>TCP/443</code> connections to exactly <em>one</em> IP address - your chosen Verisys Antivirus API endpoint - and <em>nothing else</em>. It cannot reach the internet, your local network, or any other host.</p> <p>This separation ensures that the two critical risk factors - extracted malware binaries and internet access - never coexist in the same environment. The host retains internet access, but never encounters the extracted binaries; the sandbox VM holds the malware binaries but has no meaningful network connectivity.</p> <p>The sandbox VM is also intended to be ephemeral; that is, <em>temporary</em> in nature. Every time the malware upload workflow is required, the sandbox VM is restored from a clean-state snapshot, and is then discarded afterwards. This means that malware binaries will only live for as long as needed, and even then, they will only exist on a RAM disk inside a disposable virtual machine.</p> <h3> What You'll Need </h3> <p>To follow this guide, you will need:</p> <ul> <li>A dedicated physical host, separate from your day-to-day machine. An old laptop or desktop works fine. Running a Linux host OS means that most Windows-targeted malware will not execute even if it somehow escapes its VM - it simply has no runtime to attach to</li> <li>At least 4GB RAM on the host (we'll allocate just 2GB for the sandbox VM OS)</li> <li>At least 40GB disk on the host (we'll allocate 16GB for the sandbox VM disk)</li> <li>Hardware virtualisation support (Intel VT-x or AMD-V) - verified during host setup</li> </ul> <h2> Setting Up the Host </h2> <p>Use a minimal, up-to-date Linux distribution for your host - Ubuntu Server LTS or Debian are good choices, and indeed we used Ubuntu Server 24.04 LTS here for this guide. There is no need to install a desktop environment, as a console is enough for our needs - this also helps reduce the attack surface. During installation you will be prompted to enter a username for a non-root account - in this guide we've used <code>ops</code> as that user.</p> <p>Once the host OS is installed, install KVM/QEMU and the management tools you'll need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> qemu-kvm libvirt-daemon-system <span class="se">\</span> libvirt-clients bridge-utils virtinst dnsmasq </code></pre> </div> <p>Importantly, verify that the host hardware supports virtualisation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify hardware virtualisation support (output must be &gt; 0)</span> egrep <span class="nt">-c</span> <span class="s1">'(vmx|svm)'</span> /proc/cpuinfo </code></pre> </div> <p>Download an ISO for the sandbox VM's guest OS - just like our host, we'll stick with Ubuntu Server LTS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the directory for ISOs</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/lib/libvirt/images/iso <span class="c"># Download Ubuntu Server LTS</span> <span class="nb">sudo </span>wget https://releases.ubuntu.com/24.04/ubuntu-24.04.4-live-server-amd64.iso <span class="se">\</span> <span class="nt">-O</span> /var/lib/libvirt/images/iso/ubuntu-24.04-server.iso </code></pre> </div> <h2> Creating the Sandbox Virtual Network </h2> <p>The sandbox VM needs a dedicated virtual network, isolated from your main network. libvirt will NAT the VM's traffic through the host - in a later step, we'll use <code>iptables</code> to lock down exactly what the VM can actually reach.</p> <p>Create a network definition file for a libvirt network bridge named <code>virbr-sandbox</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> ~/sandbox-net.xml <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' &lt;network&gt; &lt;name&gt;sandbox-net&lt;/name&gt; &lt;forward mode='nat'/&gt; &lt;bridge name='virbr-sandbox' stp='on' delay='0'/&gt; &lt;ip address='192.168.100.1' netmask='255.255.255.0'&gt; &lt;dhcp&gt; &lt;host mac='52:54:00:10:24:24' name='sandbox' ip='192.168.100.10'/&gt; &lt;range start='192.168.100.100' end='192.168.100.150'/&gt; &lt;/dhcp&gt; &lt;/ip&gt; &lt;/network&gt; </span><span class="no">EOF </span></code></pre> </div> <p>The DHCP entry with a fixed MAC address (<code>52:54:00:10:24:24</code>) ensures the sandbox VM always gets the same IP (<code>192.168.100.10</code>). We'll use this same MAC when creating the sandbox VM, and the fixed IP is what we'll later target with <code>iptables</code> rules to lock down network access.</p> <p>Define, start, and persist the virtual network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Define the network from the XML file</span> virsh net-define ~/sandbox-net.xml <span class="c"># Start the network</span> virsh net-start sandbox-net <span class="c"># Mark it to autostart with libvirtd</span> virsh net-autostart sandbox-net <span class="c"># Confirm it is active</span> virsh net-list <span class="nt">--all</span> </code></pre> </div> <h2> Setting Up Shared Directories </h2> <p>The host needs a directory to hold compressed, encrypted malware archives, and the sandbox VM needs a <em>read-only</em> view of that same directory. We use bind mounts to create both - one for host use, one specifically for sharing into the VM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># The backing directory - this is where archives actually live on the host disk</span> <span class="c"># Our non-root user is `ops` - replace with your own non-root user if required</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/lib/libvirt/shared/malware-archives <span class="nb">sudo chown </span>ops:ops /var/lib/libvirt/shared/malware-archives <span class="nb">sudo chmod </span>0755 /var/lib/libvirt/shared/malware-archives <span class="c"># A hardened bind mount for host usage - noexec, nosuid, nodev</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /malware-archives <span class="nb">sudo </span>mount <span class="nt">--bind</span> <span class="nt">-o</span> noexec,nodev,nosuid <span class="se">\</span> /var/lib/libvirt/shared/malware-archives /malware-archives <span class="c"># A separate read-only bind mount to share into the sandbox VM via virtiofs</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/lib/libvirt/shared/malware-archives-ro <span class="nb">sudo </span>mount <span class="nt">--bind</span> <span class="nt">-o</span> ro,nodev,nosuid,noexec <span class="se">\</span> /var/lib/libvirt/shared/malware-archives <span class="se">\</span> /var/lib/libvirt/shared/malware-archives-ro </code></pre> </div> <p>Make both mounts persistent by adding them to <code>/etc/fstab</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"/var/lib/libvirt/shared/malware-archives /malware-archives </span><span class="se">\</span><span class="s2"> none bind,noexec,nodev,nosuid 0 0"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/fstab <span class="nb">echo</span> <span class="s2">"/var/lib/libvirt/shared/malware-archives </span><span class="se">\</span><span class="s2"> /var/lib/libvirt/shared/malware-archives-ro </span><span class="se">\</span><span class="s2"> none bind,ro,nodev,nosuid,noexec 0 0"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/fstab </code></pre> </div> <p>Verify both mounts are in place:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mount | <span class="nb">grep </span>malware </code></pre> </div> <p>You should see output something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/dev/mapper/ubuntu--vg-ubuntu--lv on /malware-archives <span class="nb">type </span>ext4 <span class="o">(</span>rw,nosuid,nodev,noexec,relatime<span class="o">)</span> /dev/mapper/ubuntu--vg-ubuntu--lv on /var/lib/libvirt/shared/malware-archives-ro <span class="nb">type </span>ext4 <span class="o">(</span>ro,nosuid,nodev,noexec,relatime<span class="o">)</span> </code></pre> </div> <p>The reason for two separate mounts (rather than sharing the backing directory directly) is defence in depth: the host uses <code>/malware-archives</code> for its own operations; the sandbox VM receives only the dedicated read-only path. libvirt's <a href="https://libvirt.org/kbase/virtiofs.html" rel="noopener noreferrer">virtiofs</a> shares a directory from the host into the guest - by pointing it at the read-only bind mount rather than the live backing directory, we get kernel-level enforcement of the read-only constraint inside the VM, not just filesystem permissions.</p> <h2> Creating the Sandbox VM </h2> <p>With the network and shared directories in place, we are now ready to create the sandbox VM. We pass the read-only <code>malware-archives</code> directory in at creation time using a virtiofs filesystem share:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the VM disk image</span> <span class="nb">sudo </span>qemu-img create <span class="nt">-f</span> qcow2 /var/lib/libvirt/images/sandbox.qcow2 16G <span class="c"># Create the VM and boot the Ubuntu installer</span> <span class="nb">sudo </span>virt-install <span class="se">\</span> <span class="nt">--connect</span> qemu:///system <span class="se">\</span> <span class="nt">--name</span> sandbox <span class="se">\</span> <span class="nt">--vcpus</span> 4 <span class="se">\</span> <span class="nt">--memory</span> 2048 <span class="se">\</span> <span class="nt">--network</span> <span class="nv">network</span><span class="o">=</span>sandbox-net,mac<span class="o">=</span>52:54:00:10:24:24,model<span class="o">=</span>virtio <span class="se">\</span> <span class="nt">--graphics</span><span class="o">=</span>none <span class="se">\</span> <span class="nt">--disk</span> <span class="nv">path</span><span class="o">=</span>/var/lib/libvirt/images/sandbox.qcow2,format<span class="o">=</span>qcow2,bus<span class="o">=</span>virtio <span class="se">\</span> <span class="nt">--filesystem</span> <span class="nb">source</span><span class="o">=</span>/var/lib/libvirt/shared/malware-archives-ro,target<span class="o">=</span>malware-archives,accessmode<span class="o">=</span>passthrough,driver.type<span class="o">=</span>virtiofs <span class="se">\</span> <span class="nt">--location</span> /var/lib/libvirt/images/iso/ubuntu-24.04-server.iso,kernel<span class="o">=</span>casper/vmlinuz,initrd<span class="o">=</span>casper/initrd <span class="se">\</span> <span class="nt">--os-variant</span> ubuntu24.04 <span class="se">\</span> <span class="nt">--console</span> pty,target_type<span class="o">=</span>serial <span class="se">\</span> <span class="nt">--memorybacking</span> access.mode<span class="o">=</span>shared,source.type<span class="o">=</span>memfd <span class="se">\</span> <span class="nt">--extra-args</span><span class="o">=</span><span class="s2">"console=ttyS0,115200n8"</span> </code></pre> </div> <p>A few flags worth noting:</p> <ul> <li> <code>--network mac=52:54:00:10:24:24</code>: matches the fixed DHCP entry in the network definition, ensuring the VM always gets IP <code>192.168.100.10</code>.</li> <li> <code>--filesystem driver.type=virtiofs</code>: virtiofs is a high-performance virtio-based filesystem protocol for sharing host directories into guests. It requires <code>--memorybacking access.mode=shared,source.type=memfd</code>, which enables the shared memory backend virtiofs needs.</li> <li> <code>--graphics=none</code>: no VNC or SPICE surface is created; there is no clipboard or drag-and-drop channel to act as an escape vector.</li> <li> <code>--location</code>: if using a different Linux distribution other than Ubuntu Server LTS, you will need to change this value accordingly</li> </ul> <p>Follow the on-screen prompts to install Ubuntu Server in the guest VM. Accept defaults where possible - a minimal installation is fine. As with the host OS, during installation you will be prompted to enter a username for a non-root account - in this guide we've used <code>ops</code> as that user, just as we did for the host OS.</p> <h2> Configuring the Sandbox VM </h2> <p>Once the guest OS is installed, the VM should reboot into the fresh system. If you're no longer still in a console prompt in the sandbox, reconnect from the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Connect to the sandbox VM console</span> <span class="nb">sudo </span>virsh <span class="nt">--connect</span> qemu:///system console sandbox </code></pre> </div> <p>Install the few tools you'll need for working with malware archives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> unzip p7zip-full jq </code></pre> </div> <p><code>unzip</code> and <code>p7zip-full</code> handle the compressed archives that malware repositories distribute samples in. <code>jq</code> is useful for pretty-printing the JSON responses from the Verisys API.</p> <p>Next, configure the mount points for the shared malware archives and the extraction RAM disk:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Mount point for the read-only virtiofs share from the host</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /malware-archives <span class="nb">echo</span> <span class="s2">"malware-archives /malware-archives virtiofs ro,nodev,nosuid,noexec,_netdev 0 0"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/fstab <span class="c"># Mount point for a 1GB noexec tmpfs RAM disk - extracted binaries live here</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /malware-binaries <span class="nb">echo</span> <span class="s2">"malware-binaries /malware-binaries tmpfs rw,noexec,nodev,nosuid,size=1G 0 0"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/fstab </code></pre> </div> <p>The <code>_netdev</code> flag on the virtiofs mount tells the init system to wait for the virtio network backend to be ready before mounting - without it, the mount may fail on boot. The <code>tmpfs</code> size of 1GB is a sensible ceiling for a working extraction area, but do adjust it if you expect to need more space (and you have the RAM, of course!).</p> <p>Reboot the sandbox VM to apply the <code>fstab</code> entries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>reboot now </code></pre> </div> <p>Once it's back up, verify both mounts are present:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mount | <span class="nb">grep </span>malware </code></pre> </div> <p>You should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>malware-binaries on /malware-binaries <span class="nb">type </span>tmpfs <span class="o">(</span>rw,nosuid,nodev,noexec,relatime,size<span class="o">=</span>1048576k,inode64<span class="o">)</span> malware-archives on /malware-archives <span class="nb">type </span>virtiofs <span class="o">(</span>ro,nosuid,nodev,noexec,relatime,_netdev<span class="o">)</span> </code></pre> </div> <p>With both mounts correctly in place, shut the VM down cleanly and take a snapshot - this is the clean baseline you'll revert to at the start of every malware upload session:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Still connected to the console of the sandbox VM, shut it down</span> <span class="nb">sudo </span>shutdown <span class="nt">-P</span> now </code></pre> </div> <p>Then once you're back at the host prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>virsh snapshot-create-as sandbox <span class="nt">--name</span> <span class="s2">"clean"</span> </code></pre> </div> <p>This snapshot captures the configured, clean state of the VM - mounts, installed tools, but no malware. Every session starts by reverting to this snapshot, which guarantees a completely clean environment regardless of what happened in the previous session.</p> <p>To start a new sandbox VM session:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>virsh shutdown sandbox virsh snapshot-revert sandbox <span class="nt">--snapshotname</span> <span class="s2">"clean"</span> virsh start sandbox <span class="c"># Connect to the VM console</span> <span class="nb">sudo </span>virsh <span class="nt">--connect</span> qemu:///system console sandbox </code></pre> </div> <h2> Locking Down the Network </h2> <p>The last piece of the setup - and arguably the most important - is restricting what the sandbox VM can do with its network connection. At this point, the VM still has full internet access via the NAT network, so we need to reduce that to a single outbound destination.</p> <p>First, save a backup of your current <code>iptables</code> rules so you can restore them if anything goes wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>iptables-save | <span class="nb">tee</span> ~/iptables_without_sandbox.conf </code></pre> </div> <p>Resolve the IP address of your chosen Verisys Antivirus API regional endpoint. We'll use <code>eu1</code> here - swap it for <code>gb1</code>, <code>us1</code>, or <code>ap1</code> depending on your region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig +short eu1.api.av.ionxsolutions.com </code></pre> </div> <p>This gives you the endpoint IP - <code>5.75.138.88</code> for <code>eu1</code> at time of writing. Note it down, as you'll use it in the rules below.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Region</th> <th>Endpoint</th> </tr> </thead> <tbody> <tr> <td>EU (Germany)</td> <td><code>eu1.api.av.ionxsolutions.com</code></td> </tr> <tr> <td>UK</td> <td><code>gb1.api.av.ionxsolutions.com</code></td> </tr> <tr> <td>US</td> <td><code>us1.api.av.ionxsolutions.com</code></td> </tr> <tr> <td>Asia Pacific (Singapore)</td> <td><code>ap1.api.av.ionxsolutions.com</code></td> </tr> </tbody> </table></div> <p>Now create a dedicated <code>iptables</code> chain for the sandbox and populate it with rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the chain (or flush it if it already exists from a previous run)</span> <span class="nb">sudo </span>iptables <span class="nt">-N</span> SANDBOX_LOCKDOWN 2&gt;/dev/null <span class="o">||</span> iptables <span class="nt">-F</span> SANDBOX_LOCKDOWN <span class="c"># Allow return traffic for connections the VM has already established</span> <span class="nb">sudo </span>iptables <span class="nt">-A</span> SANDBOX_LOCKDOWN <span class="nt">-m</span> conntrack <span class="nt">--ctstate</span> ESTABLISHED,RELATED <span class="nt">-j</span> ACCEPT <span class="c"># Allow outbound HTTPS to the Verisys Antivirus API endpoint only</span> <span class="c"># Replace 5.75.138.88 with the IP you resolved above if using a different region</span> <span class="nb">sudo </span>iptables <span class="nt">-A</span> SANDBOX_LOCKDOWN <span class="nt">-p</span> tcp <span class="nt">-d</span> 5.75.138.88 <span class="nt">--dport</span> 443 <span class="nt">-j</span> ACCEPT <span class="c"># Log anything that doesn't match the above rules, then drop it</span> <span class="nb">sudo </span>iptables <span class="nt">-A</span> SANDBOX_LOCKDOWN <span class="nt">-j</span> LOG <span class="nt">--log-prefix</span> <span class="s2">"SANDBOX DROP: "</span> <span class="nb">sudo </span>iptables <span class="nt">-A</span> SANDBOX_LOCKDOWN <span class="nt">-j</span> DROP <span class="c"># Attach the chain to the FORWARD table for traffic originating from the sandbox bridge</span> <span class="c"># The -C check avoids inserting a duplicate rule if this is re-run</span> <span class="nb">sudo </span>iptables <span class="nt">-C</span> FORWARD <span class="nt">-i</span> virbr-sandbox <span class="nt">-j</span> SANDBOX_LOCKDOWN 2&gt;/dev/null <span class="o">||</span> <span class="se">\</span> <span class="nb">sudo </span>iptables <span class="nt">-I</span> FORWARD 1 <span class="nt">-i</span> virbr-sandbox <span class="nt">-j</span> SANDBOX_LOCKDOWN </code></pre> </div> <p>Persist the rules across reboots:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>netfilter-persistent save </code></pre> </div> <p>The chain is attached using <code>-i virbr-sandbox</code> - matching on the bridge interface name rather than a source IP range. This means the rules apply to <em>all</em> traffic entering the host's <code>FORWARD</code> path from the sandbox bridge, regardless of what IP the guest happens to have. It's slightly more robust than source IP matching.</p> <p>The <code>LOG</code> rule before the final <code>DROP</code> means that any traffic the VM attempts to send that isn't to the Verisys endpoint will appear in your system logs (<code>/var/log/syslog</code> or via <code>journalctl -k</code>), prefixed with <code>SANDBOX DROP:</code>. This is useful for diagnosing unexpected behaviour.</p> <blockquote> <p><strong>NOTE</strong>: While we try hard not to, the IP addresses of Verisys API endpoints could change over time. If you need to update the rules to change the IP, update the <code>SANDBOX_LOCKDOWN</code> chain: flush it with <code>sudo iptables -F SANDBOX_LOCKDOWN</code>, re-add the rules above with the new IP, and then run <code>sudo netfilter-persistent save</code> to persist the changes.</p> </blockquote> <h2> Sourcing Malware Samples </h2> <p>With your environment ready, you now need malware samples to work with. The following are well-regarded, legitimate sources used by security researchers worldwide, and all provide samples in password-protected archives to prevent accidental execution. Remember that downloads will happen only on the host - the sandbox VM's network is locked down and can't reach them. Do not extract downloaded malware sample archives on the host system under any circumstances.</p> <blockquote> <p><strong>WARNING</strong>: Downloading malware samples is a deliberate, professional act. Only download what you actually need. Keep <code>/malware-archives</code> tidy - delete archives you're no longer working with. The directory is <code>noexec</code>, <code>nosuid</code>, and <code>nodev</code>, so archives cannot execute directly on the host; but good housekeeping is still important. And for extraction and upload, always, <em>always</em> only work within your isolated sandbox environment as described above.</p> </blockquote> <h3> MalwareBazaar </h3> <p><a href="https://bazaar.abuse.ch" rel="noopener noreferrer">MalwareBazaar</a> is run by <a href="https://abuse.ch" rel="noopener noreferrer">abuse.ch</a>, a Swiss non-profit security research organisation. It maintains a large, searchable database of malware samples contributed by the security community, browsable by malware family, file type, tag, and signature. Samples are distributed as password-protected ZIP archives (password: <code>infected</code>). It's one of the most reputable and widely used sources in the industry.</p> <p>Use the MalwareBazaar API to download a sample by its SHA-256 hash - find this on the sample's page on the MalwareBazaar website:</p> <p>As well as a website, MalwareBazaar also provides an API for programmatic access, which is useful if you're building a test corpus. Note that you'll need to create an account before you can use the API (it's free to use under their <a href="https://abuse.ch/terms-of-use/#principles" rel="noopener noreferrer">free use principles</a>) For example, to download a sample by its SHA-256 hash (such hashes can be found on the website):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the host</span> <span class="nb">hash</span><span class="o">=</span><span class="s2">"&lt;YOUR_SHA256_HERE&gt;"</span> wget <span class="nt">-O</span> /malware-archives/<span class="k">${</span><span class="nv">hash</span><span class="k">}</span>.zip <span class="se">\</span> <span class="s2">"https://mb-api.abuse.ch/api/v1/"</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s2">"Auth-Key: YOUR_API_AUTH_KEY_HERE"</span> <span class="se">\</span> <span class="nt">--post-data</span><span class="o">=</span><span class="s2">"query=get_file&amp;sha256_hash=</span><span class="k">${</span><span class="nv">hash</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <h3> TheZoo </h3> <p><a href="https://github.com/ytisf/theZoo" rel="noopener noreferrer">TheZoo</a> is a curated GitHub repository of live malware samples, explicitly intended for security researchers. Samples are organised by family name and stored as password-protected ZIP archives (password: <code>infected</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the host, download a sample directly from the GitHub repository</span> <span class="nv">family</span><span class="o">=</span><span class="s2">"&lt;MALWARE_FAMILY_NAME&gt;"</span> wget <span class="nt">-O</span> /malware-archives/<span class="k">${</span><span class="nv">family</span><span class="k">}</span>.zip <span class="se">\</span> https://github.com/ytisf/theZoo/raw/refs/heads/master/malware/Binaries/<span class="k">${</span><span class="nv">family</span><span class="k">}</span>/<span class="k">${</span><span class="nv">family</span><span class="k">}</span>.zip </code></pre> </div> <h3> vx-underground </h3> <p><a href="https://www.vx-underground.org/#E:/root" rel="noopener noreferrer">vx-underground</a> maintains one of the largest freely available malware archives on the internet, covering a wide range of families and historical strains. Samples are stored as password-protected 7z archives (password: <code>infected</code>).</p> <p>To obtain a sample's URL for download, navigate through the website to your chosen malware binary, and copy the download link. You can then use <code>wget</code> or <code>curl</code> to download the sample (note that VX Underground download links are only valid for <strong>1 hour</strong>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the host</span> wget <span class="nt">-O</span> /malware-archives/sample.zip <span class="s2">"https://&lt;vx-underground-sample-url&gt;"</span> </code></pre> </div> <h2> End-to-End Workflow </h2> <p>Now everything is setup, let's walk through a complete workflow example from start to finish. We'll download a real malware sample (<code>Nivdort</code>, a Windows data-stealing trojan dating back to 2016) from the TheZoo repository, scan it with Verisys Antivirus API, and interpret the result.</p> <p><strong>Step 1 - Download the sample archive on the host:</strong><br> Download a sample of the <code>Nivdort</code> trojan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the host</span> wget <span class="nt">-O</span> /malware-archives/Nivdort.zip <span class="se">\</span> https://github.com/ytisf/theZoo/raw/refs/heads/master/malware/Binaries/Nivdort/Nivdort.zip </code></pre> </div> <p><strong>Step 2 - Start a clean instance of the sandbox VM:</strong><br> Start a nice, clean sandbox instance to work in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the host - revert to the clean snapshot and start afresh</span> virsh shutdown sandbox 2&gt;/dev/null virsh snapshot-revert sandbox <span class="nt">--snapshotname</span> <span class="s2">"clean"</span> virsh start sandbox <span class="c"># Connect to the VM console and log in when prompted</span> <span class="nb">sudo </span>virsh <span class="nt">--connect</span> qemu:///system console sandbox </code></pre> </div> <p><strong>Step 3 - Extract the archive inside the sandbox VM:</strong><br> The archive is visible inside the sandbox VM at <code>/malware-archives/Nivdort.zip</code> via the read-only virtiofs mount. Extract it to the <code>noexec</code> RAM disk, entering password <code>infected</code> when prompted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Inside the sandbox VM</span> unzip /malware-archives/Nivdort.zip <span class="nt">-d</span> /malware-binaries </code></pre> </div> <p>Note what's happening here: the archive comes in to the sandbox VM through a read-only mount (the sandbox can't modify or add to <code>/malware-archives</code>), and the extracted binary lands in a <code>tmpfs</code> RAM disk with <code>noexec</code> set at the mount level - the kernel will refuse to execute binaries directly from <code>/malware-binaries</code>, regardless of the file's permission bits.</p> <p><strong>Step 4 - Upload to Verisys Antivirus API:</strong><br> Now we'll upload the sample (change endpoint <code>eu1.api.av.ionxsolutions.com</code> if you're using a different one):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Inside the sandbox VM</span> curl https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'X-API-Key: YOUR_API_KEY'</span> <span class="se">\</span> <span class="nt">--form</span> <span class="nv">file</span><span class="o">=</span>@/malware-binaries/sample.exe | jq </code></pre> </div> <p>This is the only outbound network connection the VM is permitted to make - <code>TCP/443</code> to <code>5.75.138.88</code>. Any other network traffic from the VM is logged and dropped by the <code>SANDBOX_LOCKDOWN</code> chain.</p> <blockquote> <p><strong>NOTE</strong>: Don't have an API key yet? <a href="https://www.ionxsolutions.com/products/antivirus-api/trial?utm_source=blog" rel="noopener noreferrer">Start a free trial of Verisys Antivirus API</a> - no credit card required. You'll be scanning malware in minutes!</p> </blockquote> <h2> Interpreting the API Response </h2> <p>Verisys Antivirus API returns a consistent JSON structure for every scan. For a detected threat, like the <code>Nivdort</code> sample above, you'll see something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9f9590f6-1be7-4764-8e2e-233133aa4f13"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scan_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"malware"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"threat"</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_length"</span><span class="p">:</span><span class="w"> </span><span class="mi">892416</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.microsoft.portable-executable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"signals"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"TrojanSpy:Win32/Nivdort.DU"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hash_sha1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5b3e04f8208d3de912413efce27372255d6b3fe9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hash_sha256"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eea059174127860154f4dce1a7d8995a9a5056febf73819d63ddadb522ed6c8f"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And for a clean file you'll see something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"8f1c4b2d-3a9e-4f7c-b6d1-2e5a8c0f9b3e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scan_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"malware"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"clean"</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_length"</span><span class="p">:</span><span class="w"> </span><span class="mi">12288</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/pdf"</span><span class="p">,</span><span class="w"> </span><span class="nl">"signals"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"hash_sha1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hash_sha256"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Key fields to pay attention to:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>status</code></td> <td> <code>clean</code>, <code>threat</code> (or <code>error</code> if something went wrong)</td> </tr> <tr> <td><code>signals</code></td> <td>Names of identified threats (empty array if clean)</td> </tr> <tr> <td><code>content_type</code></td> <td>The <em>actual</em> detected file type, determined by binary signature analysis - not the filename or client-supplied <code>Content-Type</code> header</td> </tr> <tr> <td><code>metadata.hash_sha1</code></td> <td>SHA-1 hash of the scanned file</td> </tr> <tr> <td><code>metadata.hash_sha256</code></td> <td>SHA-256 hash of the scanned file - useful for cross-referencing against threat intelligence databases like MalwareBazaar</td> </tr> </tbody> </table></div> <p>The <code>content_type</code> field is worth highlighting: Verisys Antivirus API detects the <em>real</em> file type from the binary signature, independently of the file extension. A Windows executable renamed to <code>invoice.pdf</code> is still identified as a Windows binary - a critical defence against file type spoofing in production upload pipelines.</p> <p>SHA-1/SHA-256 hashes (<code>metadata.hash_sha*</code>) are particularly useful when working with known samples, as they provide a unique, verifiable file signature that can be cross-referenced against threat intelligence databases.</p> <h2> Closing Thoughts </h2> <p>The environment described in this guide is deliberately designed around a clean separation of concerns: the host handles internet access and storage of password-protected archives; the sandbox handles extraction and upload to Verisys Antivirus API. Neither environment does both. This means the two most dangerous moments in the workflow - open internet access and live, extracted binaries - never coincide in the same place.</p> <p>The key protections working together are:</p> <ul> <li>A dedicated physical host running Linux, so Windows-targeted malware has no runtime to attach to, even if it somehow broke out of the sandbox onto the host.</li> <li> <code>noexec</code> bind mounts on the host, so archives can't execute even if somehow triggered.</li> <li>A read-only virtiofs share into the sandbox VM, so the sandbox can read archives but cannot modify the source directory.</li> <li>A <code>noexec</code> tmpfs RAM disk for extracted binaries inside the sandbox VM, enforced at the mount level by the kernel.</li> <li>A permanent <code>iptables</code> lockdown allowing only <code>TCP/443</code> to one specific Verisys API IP - the sandbox VM cannot reach the internet, your local network, or any C2 (<a href="https://en.wikipedia.org/wiki/Botnet#Command_and_control" rel="noopener noreferrer">Command and Control</a>) infrastructure.</li> <li>Snapshot-based session management, so every sandbox session begins from a guaranteed clean state.</li> </ul> <p>For the majority of developers, the answer remains the same as it was at the beginning of this guide: use EICAR, validate your integration, and ship with confidence. But for those who need more, this architecture provides a secure, tightly controlled environment for safely acquiring and processing real-world malware samples.</p> <p>Learn more about <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=blog" rel="noopener noreferrer">Verisys Antivirus API</a>, our language-agnostic antivirus REST API that makes it simple to add malware scanning to any application.</p> infosec malware tutorial antivirus Ionx Solutions Mon, 12 May 2025 13:48:14 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-multer-edition-2olo https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-multer-edition-2olo <p>A variation on our earlier post 'How to Handle File Uploads with Node.js and Express' (which used express-fileupload). This time, we'll use Multer, a powerful middleware for handling file uploads with Node.js and Express.</p> <blockquote> <p><strong>NOTE</strong>: In order to follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://nodejs.org/" rel="noopener noreferrer">Node.js</a> installed on your machine</li> <li>Basic knowledge of JavaScript and <a href="https://expressjs.com/" rel="noopener noreferrer">Express</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Why Choose Multer? </h2> <p>In our <a href="https://blog.ionxsolutions.com/p/file-uploads-with-nodejs-express" rel="noopener noreferrer">previous guide</a>, we showed how easy it is to handle file uploads using <a href="https://github.com/richardgirges/express-fileupload" rel="noopener noreferrer">express-fileupload</a>. <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a> brings additional flexibility and control:</p> <ul> <li> <strong>Disk &amp; Memory Storage Engines</strong>: Choose between saving files directly to disk or keeping them in memory for immediate processing. Third parties even offer pluggable engines for cloud storage.</li> <li> <strong>File Filtering</strong>: Accept or reject files based on MIME type or custom criteria.</li> <li> <strong>Limits &amp; Validation</strong>: Set size limits, file count limits, and other constraints to protect your server.</li> <li> <strong>Streaming Support</strong>: Process large uploads efficiently without consuming excessive RAM.</li> </ul> <p>With these features, Multer is ideal for both simple and advanced upload workflows.</p> <h2> Project Scaffold/Setup </h2> <p>The first step is to create and initialize a new Express project.</p> <ul> <li>Open a terminal or command prompt, navigate to the directory where you want to store the project, and run the following commands: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx express-generator <span class="nt">--view</span><span class="o">=</span>pug myapp <span class="nb">cd </span>myapp npm <span class="nb">install</span> </code></pre> </div> <ul> <li>The generated app should have the following directory structure: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── app.js ├── package.json ├── bin │ └── www ├── package.json ├── public │ ├── images │ ├── javascripts │ └── stylesheets │ └── style.css ├── routes │ ├── index.js │ └── users.js ├── views │ ├── error.pug │ └── index.pug │ └── layout.pug </code></pre> </div> <ul> <li>Before we move on, make sure you are able to run the app and view it in a browser</li> </ul> <p>On MacOS, Linux or Git Bash on Windows, run the app with this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> npm start </code></pre> </div> <p>Or use this command for Windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">set </span><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> &amp; npm start </code></pre> </div> <p>Or this command for Windows Powershell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">DEBUG</span><span class="o">=</span><span class="s1">'myapp:*'</span><span class="p">;</span><span class="w"> </span><span class="n">npm</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span></code></pre> </div> <p>Then navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> in your browser to access the app - you should see a page that looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" alt="Express web app running in a browser" width="627" height="371"></a></p> <ul> <li><p>Go ahead and stop the server by hitting <code>CTRL-C</code> at the command prompt</p></li> <li> <p>Next we’re going to add a few NPM packages:</p> <ul> <li>We'll add a package to deal with file uploads easier. There are several popular choices here, including <a href="https://github.com/node-formidable/formidable#readme" rel="noopener noreferrer">Formidable</a> and <a href="https://github.com/richardgirges/express-fileupload#readme" rel="noopener noreferrer">express-fileupload</a> - but for this tutorial, we'll use <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a>.</li> <li>For this tutorial, we're going to scan the file for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, and so we'll add a package to make it easier to make external HTTP requests. Popular choices include <a href="https://axios-http.com" rel="noopener noreferrer">Axios</a> and <a href="https://github.com/node-fetch/node-fetch#readme" rel="noopener noreferrer">node-fetch</a> - for this article, we'll use <code>node-fetch</code>.</li> <li>We'll also add the <a href="https://www.npmjs.com/package/form-data" rel="noopener noreferrer">form-data</a> package to allow working with multipart form data, which is used to perform file uploads. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>multer@^1.4.5-lts.2 npm <span class="nb">install </span>node-fetch@^2.7.0 npm <span class="nb">install </span>form-data </code></pre> </div> <h2> Frontend </h2> <p>Before we write JavaScript code to handle the file upload, let’s create a simple web page that lets the end user select a file to upload.</p> <ul> <li>Update the content of <code>myapp/views/index.pug</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>extends layout block content h2 File Upload <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/upload"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> br h2 Malware Scan <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/scan"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>We’ve added two forms to the page. When the <strong>File Upload</strong> form is submitted, the file will be sent to a route at <code>/upload</code> - the next step is to create the route and route handler. We’ll get back to the <strong>Malware Scan</strong> form later.</p> <h2> Backend - Simple File Upload </h2> <p>Now we’re going to add a route handler to process uploaded files, and then we’ll wire up the handler to the <code>/upload</code> route.</p> <ul> <li>Create file <code>myapp/routes/upload.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="nx">storage</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fileUpload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">),</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Original File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Path: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Return a web page showing information about the file</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">&lt;br&gt; File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">&lt;br&gt; File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>This simple handler will both print information about the file to the console and return it in as a web page, so you can see what has been received by your router.</p> <p>Next, we need to wire up this code to the /upload route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added 2 lines to the default code provided by the Express generator (lines <code>#9</code> and <code>#25</code> above), telling Express to use our <code>upload.js</code> router for the <code>/upload</code> route.</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test it! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>File Upload</strong> form, Browse to select a file and press the <strong>Upload File</strong> button</li> </ol> <p>If everything was set up correctly, you should see information about the file being printed to the console, and also shown in a web page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6sq4xkbes7c6pdhhrmzs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6sq4xkbes7c6pdhhrmzs.png" alt="Express console output" width="522" height="236"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p1jxdf6soeqyk2az0z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p1jxdf6soeqyk2az0z6.png" alt="Successful file upload" width="628" height="202"></a></p> <h2> Backend - Malware Scanning </h2> <p>Now we’re going to add a route handler to perform a virus scan on uploaded files, and then we’ll wire up the handler to the <code>/scan</code> route.</p> <ul> <li>Create file <code>myapp/routes/scan.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">multer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">multer</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">FormData</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">form-data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="nx">multer</span><span class="p">.</span><span class="nf">diskStorage</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">multer</span><span class="p">({</span> <span class="na">storage</span><span class="p">:</span> <span class="nx">storage</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fileUpload</span><span class="p">.</span><span class="nf">single</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">),</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Original File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Uploaded File Path: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Scan the file for malware using the Verisys Antivirus API - the same concepts can be</span> <span class="c1">// used to work with the uploaded file in different ways</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Attach the uploaded file to a FormData instance</span> <span class="kd">var</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">form</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">),</span> <span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">originalname</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&lt;YOUR API KEY HERE&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Send the file to the Verisys Antivirus API</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">form</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span> <span class="p">});</span> <span class="c1">// Did we get a response from the API?</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Did the file contain a virus/malware?</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">clean</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Uploaded file is clean!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Uploaded file contained malware: &lt;b&gt;</span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">signals</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">&lt;/b&gt;`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unable to scan file: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Delete the uploaded file</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">rm</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{});</span> <span class="c1">// Forward the error to the Express error handler</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>As with the <code>/upload</code> handler, this new <code>/scan</code> handler will print information about the file to the console, so you can see what has been received by your route handler. It then uploads the file to Verisys Antivirus API to scan it for malware.</p> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files. Don't have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe</a> or <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">start a trial now</a>!</p> </blockquote> <p>Next, we need to wire up this code to the <code>/scan</code> route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">scanRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/scan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/scan</span><span class="dl">'</span><span class="p">,</span> <span class="nx">scanRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added two lines to the previous code (lines <code>#10</code> and <code>#27</code> above), telling Express to use our <code>scan.js</code> router for the <code>/scan</code> route.</p> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>Malware Scan</strong> form, Browse to select a file and press the <strong>Scan File</strong> button</li> </ol> <p>If everything was set up correctly, as before you should see information about the file being printed to the console, but you should also see a response from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" alt="Successful malware scan on a clean file" width="630" height="222"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" alt="Successful malware scan on an infected file" width="628" height="222"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express-multer" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express-multer" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-express-multer</a></p> webdev javascript tutorial express Ionx Solutions Mon, 14 Oct 2024 11:14:52 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-python-and-fastapi-8cf https://dev.to/ionx/how-to-handle-file-uploads-with-python-and-fastapi-8cf <p>Handling file uploads securely is a common need for modern applications, but it comes with challenges. From managing large files to ensuring that the content isn't malicious, developers must implement robust solutions. In this guide, we'll walk through how to use Python's FastAPI to handle file uploads. Plus, we'll show you how to integrate Verisys Antivirus API to scan files for malware, protecting your application and users.</p> <blockquote> <p><strong>NOTE</strong>: To follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://www.python.org/" rel="noopener noreferrer">Python 3.7+</a> installed on your machine</li> <li>Basic knowledge of Python and <a href="https://github.com/fastapi/fastapi" rel="noopener noreferrer">FastAPI</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com/" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Why FastAPI? </h2> <p>FastAPI is a modern web framework for Python that enables you to build APIs quickly. It's built on standard Python type hints, making it easier to work with and maintain. With built-in support for asynchronous request handling, it's also ideal for high-performance applications.</p> <p>Combined with <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, FastAPI helps you build secure file upload endpoints, crucial for any web or mobile app handling potentially unsafe files.</p> <h2> Project Scaffold/Setup </h2> <p>The first step is to create a Python environment, ready with the libraries we will use for the FastAPI project.</p> <ol> <li><p>Open a terminal or command prompt, and navigate to the directory where you want to store the project</p></li> <li><p>Create and activate a <a href="https://fastapi.tiangolo.com/virtual-environments/#create-a-virtual-environment" rel="noopener noreferrer">virtual environment</a></p></li> <li> <p>Install FastAPI, Uvicorn and <code>python-multipart</code>:<br> </p> <pre class="highlight shell"><code>pip <span class="nb">install </span>fastapi uvicorn python-multipart </code></pre> </li> <li> <p>For this tutorial, we'll also use the <code>requests</code> library to send uploaded files to Verisys Antivirus API for malware scanning:<br> </p> <pre class="highlight shell"><code>pip <span class="nb">install </span>requests </code></pre> </li> </ol> <h2> Creating the FastAPI App </h2> <p>Let's start by setting up a simple FastAPI app that will accept file uploads. Create a file <code>main.py</code> with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">UploadFile</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">'</span><span class="s">uvicorn.error</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">DEBUG</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Print information about the file to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Name: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Size: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File MIME Type: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Return information about the file to the caller - note that the </span> <span class="c1"># content_type can easily be spoofed </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">filename</span><span class="sh">"</span><span class="p">:</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">,</span> <span class="sh">"</span><span class="s">file_size</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">),</span> <span class="sh">"</span><span class="s">file_mime_type</span><span class="sh">"</span><span class="p">:</span> <span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="p">}</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">)</span> </code></pre> </div> <h2> Starting the FastAPI App </h2> <p>To run the API using the Uvicorn web server, execute the following from the same folder as <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uvicorn main:app <span class="nt">--reload</span> </code></pre> </div> <p>The <code>--reload</code> flag allows the server to automatically reload as we make changes to the code, which is helpful during development.</p> <p>Once Uvicorn starts, you'll see output indicating that the app is running, along with the URL where it's accessible. By default, it will run at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://127.0.0.1:8000 </code></pre> </div> <h2> Testing the API </h2> <p>To test the basic file upload functionality, you can simply use <code>curl</code>, or you could a tool like Postman or <a href="https://github.com/Kong/insomnia/" rel="noopener noreferrer">Insomnia</a>.</p> <p>Here's an example using curl, with a file <code>testfile.png</code> (substitute for any file you want to upload):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-F</span> <span class="s2">"file=@testfile.png"</span> http://127.0.0.1:8000/upload/ </code></pre> </div> <p>You should see a result similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"filename"</span>:<span class="s2">"testfile.png"</span>, <span class="s2">"file_size"</span>:26728, <span class="s2">"file_mime_type"</span>:<span class="s2">"image/png"</span> <span class="o">}</span> </code></pre> </div> <h2> Integrating Verisys Antivirus API </h2> <p>Uploading files is a start, but ensuring that uploaded files are free of malware is critical, especially when accepting files from end users. Verisys Antivirus API allows us to scan files before processing them further.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <p>Here's how to integrate Verisys Antivirus API to scan uploaded files:</p> <ol> <li><p><strong>Get your Verisys API Key</strong>: Before we start, ensure you have your Verisys Antivirus API key. If you don't have one, visit <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> to get started or request a trial.</p></li> <li><p><strong>Send the file to Verisys Antivirus API</strong>: Once the file has been received, send it to the Verisys API for scanning.</p></li> </ol> <p>Update <code>main.py</code> with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">UploadFile</span> <span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">VERISYS_API_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="sh">"</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">your_api_key</span><span class="sh">"</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">'</span><span class="s">uvicorn.error</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">DEBUG</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="k">class</span> <span class="nc">ScanResult</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">filename</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">content_type</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">signals</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">filename</span> <span class="o">=</span> <span class="n">filename</span> <span class="n">self</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">status</span> <span class="n">self</span><span class="p">.</span><span class="n">content_type</span> <span class="o">=</span> <span class="n">content_type</span> <span class="n">self</span><span class="p">.</span><span class="n">signals</span> <span class="o">=</span> <span class="n">signals</span> <span class="k">if</span> <span class="n">signals</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="p">[]</span> <span class="n">self</span><span class="p">.</span><span class="n">metadata</span> <span class="o">=</span> <span class="n">metadata</span> <span class="k">if</span> <span class="n">metadata</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">__repr__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">ScanResult(filename=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="s">,status=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">status</span><span class="si">}</span><span class="s">, content_type=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="s">, signals=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">signals</span><span class="si">}</span><span class="s">, metadata=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">metadata</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">scan_file</span><span class="p">(</span><span class="n">file_content</span><span class="p">,</span> <span class="n">filename</span><span class="p">):</span> <span class="n">files</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="n">filename</span><span class="p">,</span> <span class="n">file_content</span><span class="p">)}</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">X-API-Key</span><span class="sh">'</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">'</span><span class="s">Accept</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">*/*</span><span class="sh">'</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">VERISYS_API_URL</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">files</span><span class="o">=</span><span class="n">files</span><span class="p">)</span> <span class="c1"># Was the scan successful? </span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1"># Print the full scan result to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Scan result: </span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">scan_result</span> <span class="o">=</span> <span class="nc">ScanResult</span><span class="p">(</span> <span class="n">filename</span><span class="o">=</span><span class="n">filename</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">],</span> <span class="n">content_type</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">content_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">signals</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">signals</span><span class="sh">"</span><span class="p">],</span> <span class="n">metadata</span><span class="o">=</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">scan_result</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="nc">ScanResult</span><span class="p">(</span><span class="n">status</span><span class="o">=</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to scan file</span><span class="sh">"</span><span class="p">}])</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Print information about the file to the console </span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Name: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File Size: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">content</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">File MIME Type: </span><span class="si">{</span><span class="nb">file</span><span class="p">.</span><span class="n">content_type</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Scan file with Verisys API </span> <span class="n">scan_result</span> <span class="o">=</span> <span class="nf">scan_file</span><span class="p">(</span><span class="n">content</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">)</span> <span class="c1"># In real-life, you'd now use the scan result to determine what to do </span> <span class="c1"># next - but here, we'll just return the scan results to the caller </span> <span class="k">return</span> <span class="n">scan_result</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">)</span> </code></pre> </div> <p>In this modified version, after the file is uploaded, it's passed to the scan_file function, which sends the file to Verisys Antivirus API for scanning. The response from Verisys is returned as part of the result, indicating whether the file is safe or malicious.</p> <h2> Testing the Completed API </h2> <p>To test the file upload and scanning functionality, as before you can use <code>curl</code> or another tool of your preference.</p> <p>Here's an example using curl, with an <a href="https://www.eicar.org/download-anti-malware-testfile/" rel="noopener noreferrer">EICAR Anti-Virus Test File</a> <code>eicar.png</code> (substitute for any file you want to upload):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-F</span> <span class="s2">"file=@eicar.png"</span> http://127.0.0.1:8000/upload/ </code></pre> </div> <p>Depending on the file you upload, you should see the malware scan result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"filename"</span>: <span class="s2">"eicar.png"</span>, <span class="s2">"status"</span>: <span class="s2">"threat"</span>, <span class="s2">"content_type"</span>: <span class="s2">"text/plain"</span>, <span class="s2">"signals"</span>: <span class="o">[</span> <span class="s2">"Virus:EICAR_Test_File"</span> <span class="o">]</span>, <span class="s2">"metadata"</span>: <span class="o">{</span> <span class="s2">"hash_sha1"</span>: <span class="s2">"3395856ce81f2b7382dee72602f798b642f14140"</span>, <span class="s2">"hash_sha256"</span>: <span class="s2">"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Your upload endpoint could use the scan result to determine what to do next - for example, to prevent uploading files that contain malware.</p> <p>Note that while in this example the file masqueraded as a PNG image file, Verisys Antivirus API detected that it was actually a plain text file!</p> <h2> Handling File Uploads Securely </h2> <p>Here are a couple of additional tips to ensure your file upload system is secure:</p> <ul> <li><p><strong>Limit File Size</strong>: Ensure you're not accepting excessively large files, which could cause performance issues or even DoS attacks. FastAPI allows you to define custom file size limits.</p></li> <li><p><strong>Restrict File Types</strong>: Only accept specific file types (e.g., PDFs, images) to prevent the upload of executable or malicious files. </p></li> </ul> <p>{{% aside-note %}}<br> Checking the file extension and <code>Content-Type</code> header are basic steps towards securing file uploads. However, both of these can easily be spoofed.</p> <p>By scanning the actual file content, <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection" rel="noopener noreferrer">50+ different file formats</a> for you, while also scanning files for malware.<br> {{% /aside-note %}}</p> <blockquote> <p><em>Checking the file extension and <code>Content-Type</code> header are basic steps towards securing file uploads. However, both of these can easily be spoofed.</em></p> <p><em>By scanning the actual file content, <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection" rel="noopener noreferrer">50+ different file formats</a> for you, while also scanning files for malware.</em></p> </blockquote> <h2> Why Choose Verisys Antivirus API? </h2> <p>Verisys Antivirus API is specifically designed to ensure secure file uploads in your applications. Here's why it's a great fit for your project:</p> <ul> <li> <strong>Powerful Malware Detection</strong>: Verisys detects a wide range of threats, ensuring that no malicious files slip through.</li> <li> <strong>Easy Integration</strong>: The API is simple to integrate with any web framework, including FastAPI.</li> <li> <strong>Content Type Detection</strong>: Alongside malware scanning, the API also scans the file content to determine the <em>real</em> file type.</li> </ul> <h2> Conclusion </h2> <p>Handling file uploads is essential for many applications, but steps must be taken to ensure security. By using FastAPI and Verisys Antivirus API, you can create a secure file upload endpoint that scans files for malware before processing them further. Whether you're building a web app or an API for file storage, this approach ensures that your infrastructure - and your users - remain safe from harmful files.</p> <p>If you haven't yet, sign up for <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> today and start protecting your application against malware!</p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-fastapi" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-fastapi" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-fastapi</a></p> webdev tutorial python fastapi Ionx Solutions Thu, 06 Jun 2024 11:06:14 +0000 https://dev.to/ionx/securing-file-uploads-16kc https://dev.to/ionx/securing-file-uploads-16kc <p>File uploads are a common feature in web and mobile applications, but they can pose significant security risks if not handled properly. To ensure your apps remains secure, it's crucial to implement robust validation and security measures. This guide will help you to effectively secure file uploads, protecting your systems and end users from malicious intent and malware.</p> <p>File uploads present several security risks that could compromise both your apps and users. The main risks include:</p> <ul> <li><p><strong>Malicious Files</strong>: Uploaded files can contain viruses, malware, or executable code designed to exploit vulnerabilities.</p></li> <li><p><strong>Cross-Site Scripting (XSS)</strong>: Inadequately validated files can contain scripts that execute in the context of the user's browser.</p></li> <li><p><strong>Denial-of-Service (DoS) Attacks</strong>: Malicious users upload large files, or numerous smaller files, to exhaust server storage and processing capacities.</p></li> <li><p><strong>SQL Injection</strong>: If uploaded file metadata (e.g. filename) are not meticulously sanitised, they can serve as vectors for SQL injection attacks, potentially compromising the database.</p></li> </ul> <p>Due to the diverse range of risks, relying on a single method is not sufficient - a multi-layered approach is required, combining validation checks, metadata sanitisation, secure configuration and malware scanning.</p> <h2> Validate the File Extension </h2> <p>File extensions help in identifying the type of file and determining whether it should be accepted. However, just like the <code>Content-Type</code> header, file extensions can be manipulated. Despite this, enforcing a whitelist of allowed file extensions can act as a preliminary filter to block obviously dangerous file types. Ensure that only extensions pertinent to your application's needs are accepted.</p> <p>Checking the file extension is another basic step in securing file uploads. However, like other HTTP headers, file names and extensions can easily be spoofed. Use an allowlist approach, permitting only the specific extensions that your application requires (e.g., <code>.jpg</code>, <code>.png</code>, <code>.pdf</code>). This is a simple validation, and can act as a preliminary filter to block obviously dangerous/incorrect file types.</p> <h2> Validate the File Size </h2> <p>Limiting the file size is crucial to prevent denial-of-service (DoS) attacks where an attacker attempts to upload extremely large files to exhaust server resources. Set a maximum file size limit according to your application's requirements and enforce this limit server-side to ensure that oversized files are rejected immediately.</p> <h2> Validate the <code>Content-Type</code> Header </h2> <p>Depending on your application's requirements, you will want to accept only particular types of file; for example, for a profile picture you would only want to accept image files.</p> <p>The <code>Content-Type</code> header, sent by the client, indicates the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME type</a> of the file being uploaded. While it's useful to validate as a quick and easy check, it should never be fully trusted - malicious users can easily spoof this header. Therefore, treat the <code>Content-Type</code> header as just one of several checks.</p> <p>How to <em>definitively</em> determine the file type is covered in the next section.</p> <h2> Validate the File Type Based on Signature </h2> <p>As neither the file extension or <code>Content-Type</code> header can be trusted, the most effective and reliable way to verify a file's content/media type is by checking its file signature, or "magic number". These are unique <a href="https://www.garykessler.net/library/file_sigs.html">sequences of bytes</a>, usually at the beginning of a file, that indicate its true format. Validation can be performed by reading the first few bytes of the file and matching them against known signatures for allowed file types. For example, a PNG file typically starts with <code>89 50 4E 47</code>, and a JPEG file starts with <code>FF D8 FF</code>.</p> <p>This method ensures that the file content matches its purported type, providing a robust defence against file type spoofing. Libraries and tools are available in various programming languages to facilitate this check, or alternatively <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a> can identify <a href="https://docs.av.ionxsolutions.com/?utm_source=devto#content-type-detection">50+ different file formats</a> for you, while also scanning files for malware.</p> <h2> Scan for Malware </h2> <p>Incorporating malware scanning into your file upload process is a critical step to ensure the security of both your application and your end users. Malware can be hidden in seemingly harmless files, posing significant risks once they are uploaded and processed.</p> <p>While there are several malware scanning tools available, not all are equally effective. For instance, <a href="https://www.clamav.net">ClamAV</a> is a popular open-source antivirus engine, but has notable drawbacks such as poor detection rates, high resource usage, and slow scan times. These limitations can compromise your application's performance and security.</p> <p>Consider using a more robust and efficient solution like <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>. Verisys Antivirus API offers vastly superior detection capabilities, faster scan times, and a ready-to-use <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">antivirus API</a>, making it a reliable choice for integrating malware scanning into your applications.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvsq7e79j04hn1qu046e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvsq7e79j04hn1qu046e.png" alt="JSON response from Verisys Antivirus API" width="717" height="395"></a></p> <blockquote> <p><em>Boost your app security with <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>: our language-agnostic API seamlessly integrates malware scanning into your mobile apps, web apps, and backend systems.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Storing Files </h2> <p>Steps required to secure files at rest will depend on the location of stored files - for example, they could be uploaded to object storage such as S3, or they could be stored on disk.</p> <ul> <li><p><strong>Sanitise File Names</strong>: file names can contain malicious characters that your application may be unable to process correctly. Always sanitise file names by removing or replacing special characters, spaces, and potentially executable scripts. Consider renaming files upon upload to a standardised naming convention to prevent any harmful effects.</p></li> <li><p><strong>Secure Storage Location</strong>: if storing files on disk (rather than, for example, object storage), uploaded files should be stored in a directory that is not directly accessible via the web. This prevents direct execution or access to the files from a URL.</p></li> <li><p><strong>Set Appropriate Permissions</strong>: ensure that uploaded files have the minimum necessary permissions. For instance, files should not be executable if they don't need to be.</p></li> </ul> <h2> Closing Thoughts </h2> <p>By combining these strategies, developers can significantly enhance the security of file uploads in their applications. A layered approach, which includes malware scanning, provides comprehensive protection against a variety of attack vectors, ensuring that file uploads remain a safe and useful feature.</p> <p>For a comprehensive guide on securing file uploads and other web application security best practices, refer to <a href="https://owasp.org">OWASP</a> (Open Worldwide Application Security Project). OWASP provides a wealth of resources, including the <a href="https://owasp.org/www-project-top-ten/">OWASP Top Ten</a>, which highlights the most critical security risks to web applications. In particular, see <a href="https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload">Unrestricted File Upload</a>.</p> <p>Learn more about <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">Verisys Antivirus API</a>, our language-agnostic API that seamlessly integrates antivirus scanning into your mobile apps, web apps, and backend systems: <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto">https://www.ionxsolutions.com/products/antivirus-api</a></p> webdev security guide Ionx Solutions Tue, 07 May 2024 11:21:02 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-aspnet-core-o62 https://dev.to/ionx/how-to-handle-file-uploads-with-aspnet-core-o62 <p>Managing file uploads from end users is often required in web apps and APIs. This tutorial will guide you through the process of handling uploaded files using using ASP.NET Core and C#.</p> <blockquote> <p><strong>NOTE</strong>: To follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://dotnet.microsoft.com/en-us/download" rel="noopener noreferrer">.NET SDK 8</a> installed on your machine</li> <li>Basic knowledge of .NET, <a href="https://dotnet.microsoft.com/en-us/apps/aspnet" rel="noopener noreferrer">ASP.NET Core</a> and C#</li> <li>An IDE or text editor; we'll use <a href="https://visualstudio.microsoft.com/vs/" rel="noopener noreferrer">Visual Studio 2022</a> for this tutorial, but a lightweight IDE such as <a href="https://code.visualstudio.com/" rel="noopener noreferrer">Visual Studio Code</a> will work just as well</li> </ul> </blockquote> <p>To allow files to be uploaded, you will:</p> <ol> <li>Create ASP.NET Core <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/views/razor?view=aspnetcore-8.0" rel="noopener noreferrer">Razor</a> <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/views/overview?view=aspnetcore-8.0" rel="noopener noreferrer">views</a> that allow the user to select a file to upload</li> <li>Create ASP.NET Core <a href="https://learn.microsoft.com/en-us/aspnet/core/mvc/overview?view=aspnetcore-8.0#controller-responsibilities" rel="noopener noreferrer">controllers</a> to work with uploaded files</li> </ol> <p>Of course, you will also want to <em>do something</em> with each uploaded file! In this tutorial, we're going to write C# code to show information about the file, and also to scan it for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Project Setup </h2> <p>First, we need to create a new ASP.NET Core MVC project.</p> <ul> <li><p>Start Visual Studio and select <strong>File &gt; New &gt; Project</strong></p></li> <li><p>Select the template named <strong>ASP.NET Core Web App (Model-View-Controller)</strong> and click <strong>Next</strong></p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyglhdi3tt8pagfm45o3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyglhdi3tt8pagfm45o3.png" alt="Visual Studio project template selection" width="800" height="508"></a></p> <ul> <li>Enter <strong>Web</strong> for the <strong>Project Name</strong>, choose a location to save the project, then click <strong>Next</strong> </li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wdlm6j19vyr3o4bmyna.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wdlm6j19vyr3o4bmyna.png" alt="Visual Studio project name" width="800" height="425"></a></p> <ul> <li>For the <strong>Framework</strong>, select <strong>.NET 8.0 (Long Term Support)</strong>, then click <strong>Create</strong> </li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstg93yj804odjyvyv814.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstg93yj804odjyvyv814.png" alt="Visual Studio project SDK" width="800" height="425"></a></p> <ul> <li>The new project will be created, and you should see this folder structure in Visual Studio's <strong>Solution Explorer</strong>:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqeorayai7t53mzaqdkv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqeorayai7t53mzaqdkv.png" alt="Folder structure visible in Solution Explorer" width="437" height="368"></a></p> <h2> Running the App </h2> <p>Now we've created a new project, let's make sure it runs!</p> <ul> <li>Press <strong>CTRL+F5</strong>, or click the <strong>Start Without Debugging</strong> button:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11ylvhzs6labtso0wpsr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11ylvhzs6labtso0wpsr.png" alt="Start without debugging" width="800" height="136"></a></p> <ul> <li>The first time you run the project, you will be asked to install an SSL/TLS certificate - click <strong>Yes</strong> on both popups:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r7mng1fhwon6rd10cyh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r7mng1fhwon6rd10cyh.png" alt="Installation of SSL/TLS certificate" width="611" height="229"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglxmgubymkv5sbsgncbe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglxmgubymkv5sbsgncbe.png" alt="Installation of SSL/TLS certificate" width="512" height="475"></a></p> <ul> <li>Visual Studio will then run the app, opening it in the default browser:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzr9e63mauylr4yv8ih.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzr9e63mauylr4yv8ih.png" alt="ASP.NET Core web app running in a browser" width="722" height="411"></a></p> <ul> <li>While running your project, Visual Studio will open a terminal as well as the browser - this is for the default web server, Kestrel. If you press <code>CTRL-C</code>, it will shut down the web server and stop running your project.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv713glfykd6gff3au24c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv713glfykd6gff3au24c.png" alt="Start without debugging" width="569" height="279"></a></p> <h2> File Upload </h2> <p>To enable file uploads, we need to add:</p> <ol> <li>View models, to encapsulate information about uploaded files</li> <li>A view with a form that allows users to select and upload a file</li> <li>A view to show information about the uploaded file</li> <li>A controller, to show the views and handle the uploaded file</li> <li>We'll also update the main layout view, just to add links to our new pages</li> </ol> <p>Let's get started!</p> <ul> <li>First, create file <code>Models/FileModels.cs</code>, with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">namespace</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">UploadModel</span><span class="p">(</span><span class="n">IFormFile</span> <span class="n">File</span><span class="p">);</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">ResultModel</span><span class="p">(</span><span class="kt">string</span> <span class="n">Name</span><span class="p">,</span> <span class="kt">long</span> <span class="n">Size</span><span class="p">,</span> <span class="kt">string</span> <span class="n">MimeType</span><span class="p">,</span> <span class="n">MalwareStatus</span> <span class="n">MalwareStatus</span><span class="p">,</span> <span class="kt">string</span><span class="p">[]</span> <span class="n">Signals</span><span class="p">);</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">ApiResultModel</span><span class="p">(</span><span class="n">Guid</span> <span class="n">Id</span><span class="p">,</span> <span class="n">MalwareStatus</span> <span class="n">Status</span><span class="p">,</span> <span class="kt">string</span><span class="p">[]</span> <span class="n">Signals</span><span class="p">);</span> <span class="k">public</span> <span class="k">enum</span> <span class="n">MalwareStatus</span> <span class="p">{</span> <span class="n">Unknown</span><span class="p">,</span> <span class="n">Clean</span><span class="p">,</span> <span class="n">Threat</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Next, create a folder <code>Views/Upload</code>, and inside a view file <code>Views/Upload/Index.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model UploadModel @{ ViewData["Title"] = "Upload File"; } <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">asp-for=</span><span class="s">"File"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>Note the form's <a href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype" rel="noopener noreferrer">encoding type</a> (<code>enctype</code>) property is set to <code>multipart/form-data</code> - this is required for uploading files.</p> <ul> <li>Next, create view file <code>Views/Upload/Result.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model ResultModel @{ ViewData["Title"] = "Result"; } <span class="nt">&lt;h1&gt;</span>Result<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div&gt;</span>File Name: @Model.Name<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>File Size: @Model.Size<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Mime Type: @Model.MimeType<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Malware Status: @Model.MalwareStatus<span class="nt">&lt;/div&gt;</span> </code></pre> </div> <ul> <li>Create a controller file <code>Controllers/UploadController.cs</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Web.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">UploadController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">(</span><span class="n">UploadModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ResultModel</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">Length</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">ContentType</span><span class="p">,</span> <span class="n">MalwareStatus</span><span class="p">.</span><span class="n">Unknown</span><span class="p">,</span> <span class="p">[]);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="s">"Result"</span><span class="p">,</span> <span class="n">result</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Finally, update the content of <code>Views/Shared/_Layout.cshtml</code> to add links to our new pages: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>@ViewData["Title"]<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"~/lib/bootstrap/dist/css/bootstrap.min.css"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;header&gt;</span> <span class="nt">&lt;nav</span> <span class="na">class=</span><span class="s">"navbar navbar-expand border-bottom mb-3"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container-fluid"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"navbar-collapse"</span><span class="nt">&gt;</span> <span class="nt">&lt;a</span> <span class="na">class=</span><span class="s">"nav-link text-dark"</span> <span class="na">href=</span><span class="s">"/upload"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;a</span> <span class="na">class=</span><span class="s">"nav-link text-dark"</span> <span class="na">href=</span><span class="s">"/scan"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/nav&gt;</span> <span class="nt">&lt;/header&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;main</span> <span class="na">role=</span><span class="s">"main"</span> <span class="na">class=</span><span class="s">"pb-3"</span><span class="nt">&gt;</span> @RenderBody() <span class="nt">&lt;/main&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>It really is that simple!</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test file uploads! 🎉</p> <ul> <li><p>Begin by running the project again, either by pressing <strong>CTRL+F5</strong>, or by click the <strong>Start Without Debugging</strong> button</p></li> <li><p>Your browser should open automatically, showing a page that looks like this:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcg96p4h2xxy6fjuwzh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytcg96p4h2xxy6fjuwzh.png" alt="ASP.NET Core web app running in a browser" width="722" height="363"></a></p> <ul> <li>Click the link <strong>Upload File</strong>, and you should see one of the new views we created:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fji9p2iuucsu6xvsvytls.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fji9p2iuucsu6xvsvytls.png" alt="Upload file form" width="722" height="279"></a></p> <ul> <li><p>Press <strong>Choose File</strong> to select a file to upload, then and press the <strong>Upload File</strong> button</p></li> <li><p>If everything was set up correctly, you should see information about the file being shown in a web page:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xyj81spdwlchfl79har.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xyj81spdwlchfl79har.png" alt="Successful file upload" width="722" height="404"></a></p> <p>Note that the <strong>Malware Status</strong> is shown as <strong>Unknown</strong> - we'll fix that in the next section.</p> <h2> Malware Scanning </h2> <p>Now we're going to use <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> to scan uploaded files for malware. Following a similar pattern as for the previous section, we need to add:</p> <ol> <li>Registration of an HTTP client with the Dependency Injection (DI) container</li> <li>A view with a form that allows users to select and upload a file for scanning</li> <li>A view to show the results of the malware scan</li> <li>A controller, to show the views and send the uploaded file to <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> </li> </ol> <p>Let's get started!</p> <ul> <li>In file <code>Program.cs</code>, replace line <code>builder.Services.AddControllersWithViews();</code> with: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Register an HTTP client for use with Verisys Antivirus API</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHttpClient</span><span class="p">&lt;</span><span class="n">HomeController</span><span class="p">&gt;(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">x</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://eu1.api.av.ionxsolutions.com/v1/"</span><span class="p">);</span> <span class="n">x</span><span class="p">.</span><span class="n">DefaultRequestHeaders</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">);</span> <span class="n">x</span><span class="p">.</span><span class="n">DefaultRequestHeaders</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"X-API-Key"</span><span class="p">,</span> <span class="s">"&lt;YOUR API KEY HERE&gt;"</span><span class="p">);</span> <span class="p">});</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllersWithViews</span><span class="p">().</span><span class="nf">AddJsonOptions</span><span class="p">(</span><span class="n">x</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">x</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">.</span><span class="n">Converters</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="k">new</span> <span class="nf">JsonStringEnumConverter</span><span class="p">());</span> <span class="n">x</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">.</span><span class="n">PropertyNameCaseInsensitive</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files for real. Don’t have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe now</a>!</p> </blockquote> <ul> <li>Create a folder <code>Views/Scan</code>, and inside a view file <code>Views/Scan/Index.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model UploadModel @{ ViewData["Title"] = "Scan File"; } <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">asp-for=</span><span class="s">"File"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <ul> <li>Next, create view file <code>Views/Scan/Result.cshtml</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@model ResultModel @{ ViewData["Title"] = "Result"; } <span class="nt">&lt;h1&gt;</span>Result<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div&gt;</span>File Name: @Model.Name<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>File Size: @Model.Size<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Mime Type: @Model.MimeType<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>Malware Status: @Model.MalwareStatus<span class="nt">&lt;/div&gt;</span> @if (Model.MalwareStatus == MalwareStatus.Threat) { foreach (var signal in Model.Signals) { <span class="nt">&lt;div&gt;</span>Signal: @signal<span class="nt">&lt;/div&gt;</span> } } </code></pre> </div> <ul> <li>Finally, create a controller file <code>Controllers/ScanController.cs</code> with content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Options</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Text.Json</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Web.Models</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">Web.Controllers</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ScanController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IHttpClientFactory</span> <span class="n">clientFactory</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">JsonSerializerOptions</span> <span class="n">jsonOptions</span><span class="p">;</span> <span class="k">public</span> <span class="nf">ScanController</span><span class="p">(</span><span class="n">IHttpClientFactory</span> <span class="n">clientFactory</span><span class="p">,</span> <span class="n">IOptions</span><span class="p">&lt;</span><span class="n">JsonOptions</span><span class="p">&gt;</span> <span class="n">jsonOptions</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="n">clientFactory</span> <span class="p">=</span> <span class="n">clientFactory</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="n">jsonOptions</span> <span class="p">=</span> <span class="n">jsonOptions</span><span class="p">.</span><span class="n">Value</span><span class="p">.</span><span class="n">JsonSerializerOptions</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Index</span><span class="p">(</span><span class="n">UploadModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">this</span><span class="p">.</span><span class="n">clientFactory</span><span class="p">.</span><span class="nf">CreateClient</span><span class="p">(</span><span class="k">nameof</span><span class="p">(</span><span class="n">HomeController</span><span class="p">));</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">formData</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">MultipartFormDataContent</span><span class="p">();</span> <span class="n">formData</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="k">new</span> <span class="nf">StreamContent</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="nf">OpenReadStream</span><span class="p">()),</span> <span class="s">"file"</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">);</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">PostAsync</span><span class="p">(</span><span class="s">"malware/scan/file"</span><span class="p">,</span> <span class="n">formData</span><span class="p">);</span> <span class="n">response</span><span class="p">.</span><span class="nf">EnsureSuccessStatusCode</span><span class="p">();</span> <span class="kt">var</span> <span class="n">apiModel</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span><span class="p">.</span><span class="n">ReadFromJsonAsync</span><span class="p">&lt;</span><span class="n">ApiResultModel</span><span class="p">&gt;(</span><span class="k">this</span><span class="p">.</span><span class="n">jsonOptions</span><span class="p">);</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ResultModel</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">FileName</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">Length</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">File</span><span class="p">.</span><span class="n">ContentType</span><span class="p">,</span> <span class="n">apiModel</span><span class="p">!.</span><span class="n">Status</span><span class="p">,</span> <span class="n">apiModel</span><span class="p">.</span><span class="n">Signals</span><span class="p">);</span> <span class="k">return</span> <span class="nf">View</span><span class="p">(</span><span class="s">"Result"</span><span class="p">,</span> <span class="n">result</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ul> <li><p>Begin by running the project again, either by pressing <strong>CTRL+F5</strong>, or by click the <strong>Start Without Debugging</strong> button</p></li> <li><p>Your browser should open automatically, showing a page that looks like this:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hlesgfjbphq3yp69mc0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hlesgfjbphq3yp69mc0.png" alt="ASP.NET Core web app running in a browser" width="722" height="363"></a></p> <ul> <li>Click the link <strong>Scan File</strong>, and you should see one of the new views we created:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5su0x07aeenuugom4ni.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5su0x07aeenuugom4ni.png" alt="Scan file form" width="722" height="279"></a></p> <ul> <li><p>Press <strong>Choose File</strong> to select a file to upload, then and press the <strong>Upload File</strong> button</p></li> <li><p>If everything was set up correctly, you should see malware scan results from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> being shown in a web page:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo97m4dlg0u77290u3bix.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo97m4dlg0u77290u3bix.png" alt="Scan result of a clean, virus-free file" width="722" height="404"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyb08y01jdcg8gkg60hc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyb08y01jdcg8gkg60hc.png" alt="Scan result of an infected file" width="722" height="434"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-aspnetcore</a></p> webdev tutorial aspdotnet csharp Ionx Solutions Wed, 07 Feb 2024 13:47:30 +0000 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-34i4 https://dev.to/ionx/how-to-handle-file-uploads-with-nodejs-and-express-34i4 <p>A common requirement in web apps and APIs is handling file uploads from end users. In this tutorial you will learn how to work with uploaded files using Node.js and Express.</p> <blockquote> <p><strong>NOTE</strong>: In order to follow this tutorial, you will need the following:</p> <ul> <li> <a href="https://nodejs.org/" rel="noopener noreferrer">Node.js</a> installed on your machine</li> <li>Basic knowledge of JavaScript and <a href="https://expressjs.com/" rel="noopener noreferrer">Express</a> </li> <li>A text editor or lightweight IDE such as <a href="https://code.visualstudio.com" rel="noopener noreferrer">Visual Studio Code</a> </li> </ul> </blockquote> <h2> Overview </h2> <p>To allow files to be uploaded, you will:</p> <ol> <li>Create a web page with a form that allows the user to select a file to upload</li> <li>Create Express route handlers to work with uploaded files</li> </ol> <p>Of course, you will also want to <em>do something</em> with each uploaded file! In this tutorial, we're going to write JavaScript code to display some information about the file, and also to scan it for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>.</p> <blockquote> <p><em><a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a> is a language-agnostic REST API that allows you to easily add malware scanning to mobile apps, web apps and backend processing.</em></p> <p><em>By scanning user-generated content and file uploads, Verisys Antivirus API can stop dangerous malware at the edge, before it reaches your servers, applications - or end users.</em></p> </blockquote> <h2> Project Setup </h2> <p>The first step is to create and initialize a new Express project.</p> <ul> <li>Open a terminal or command prompt, navigate to the directory where you want to store the project, and run the following commands: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx express-generator <span class="nt">--view</span><span class="o">=</span>pug myapp <span class="nb">cd </span>myapp npm <span class="nb">install</span> </code></pre> </div> <ul> <li>The generated app should have the following directory structure: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── app.js ├── package.json ├── bin │ └── www ├── package.json ├── public │ ├── images │ ├── javascripts │ └── stylesheets │ └── style.css ├── routes │ ├── index.js │ └── users.js ├── views │ ├── error.pug │ └── index.pug │ └── layout.pug </code></pre> </div> <ul> <li>Before we move on, make sure you are able to run the app and view it in a browser</li> </ul> <p>On MacOS, Linux or Git Bash on Windows, run the app with this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> npm start </code></pre> </div> <p>Or use this command for Windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">set </span><span class="nv">DEBUG</span><span class="o">=</span>myapp:<span class="k">*</span> &amp; npm start </code></pre> </div> <p>Or this command for Windows Powershell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">DEBUG</span><span class="o">=</span><span class="s1">'myapp:*'</span><span class="p">;</span><span class="w"> </span><span class="n">npm</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span></code></pre> </div> <p>Then navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> in your browser to access the app - you should see a page that looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fray16xujfqhtvzp26eqc.png" alt="Express web app running in a browser" width="627" height="371"></a></p> <ul> <li><p>Go ahead and stop the server by hitting <code>CTRL-C</code> at the command prompt</p></li> <li> <p>Next we’re going to add a few NPM packages:</p> <ul> <li>We’ll add a package to deal with file uploads easier. There are several popular choices here, including <a href="https://github.com/expressjs/multer#readme" rel="noopener noreferrer">Multer</a>, <a href="https://github.com/node-formidable/formidable#readme" rel="noopener noreferrer">Formidable</a> and <a href="https://github.com/richardgirges/express-fileupload#readme" rel="noopener noreferrer">express-fileupload</a> - they are all fairly similar, and for this tutorial, we’ll use <code>express-fileupload</code> </li> <li>For this tutorial, we’re going to scan the file for malware using <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>, and so we’ll add a package to make it easier to make external HTTP requests. Popular choices include <a href="https://axios-http.com" rel="noopener noreferrer">Axios</a> and <a href="https://github.com/node-fetch/node-fetch#readme" rel="noopener noreferrer">node-fetch</a> - for this article, we’ll use <code>node-fetch</code> </li> <li>We’ll also add the <a href="https://www.npmjs.com/package/form-data" rel="noopener noreferrer">form-data</a> package to allow working with multipart form data, which is used to perform file uploads </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express-fileupload npm <span class="nb">install </span>node-fetch@^2.7.0 npm <span class="nb">install </span>form-data </code></pre> </div> <h2> Frontend </h2> <p>Before we write JavaScript code to handle the file upload, let’s create a simple web page that lets the end user select a file to upload.</p> <ul> <li>Update the content of <code>myapp/views/index.pug</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>extends layout block content h2 File Upload <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/upload"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> br h2 Malware Scan <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/scan"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Scan File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>We’ve added two forms to the page. When the <strong>File Upload</strong> form is submitted, the file will be sent to a route at <code>/upload</code> - the next step is to create the route and route handler. We’ll get back to the <strong>Malware Scan</strong> form later.</p> <h2> Backend - Simple File Upload </h2> <p>Now we’re going to add a route handler to process uploaded files, and then we’ll wire up the handler to the <code>/upload</code> route.</p> <ul> <li>Create file <code>myapp/routes/upload.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-fileupload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fileUpload</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">},</span> <span class="c1">// Temporarily store uploaded files to disk, rather than buffering in memory</span> <span class="na">useTempFiles</span> <span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">tempFileDir</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/tmp/</span><span class="dl">'</span> <span class="p">}));</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Return a web page showing information about the file</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">&lt;br&gt; File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">&lt;br&gt; File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">&lt;br&gt; File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>This simple handler will both print information about the file to the console and return it in as a web page, so you can see what has been received by your router.</p> <p>Next, we need to wire up this code to the /upload route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added 2 lines to the default code provided by the Express generator (lines <code>#9</code> and <code>#25</code> above), telling Express to use our <code>upload.js</code> router for the <code>/upload</code> route.</p> <h2> Testing File Uploads </h2> <p>Now we’re ready to test it! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>File Upload</strong> form, Browse to select a file and press the <strong>Upload File</strong> button</li> </ol> <p>If everything was set up correctly, you should see information about the file being printed to the console, and also shown in a web page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7fdyk7nnqmo4ussm1g8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7fdyk7nnqmo4ussm1g8.png" alt="Express console output" width="389" height="177"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58gv1221qy63yau1drcs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58gv1221qy63yau1drcs.png" alt="Successful file upload" width="628" height="222"></a></p> <h2> Backend - Malware Scanning </h2> <p>Now we’re going to add a route handler to perform a virus scan on uploaded files, and then we’ll wire up the handler to the <code>/scan</code> route.</p> <ul> <li>Create file <code>myapp/routes/scan.js</code> with the following content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileUpload</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-fileupload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">FormData</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">form-data</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fileUpload</span><span class="p">({</span> <span class="c1">// Configure file uploads with maximum file size 10MB</span> <span class="na">limits</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSize</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span> <span class="p">},</span> <span class="c1">// Temporarily store uploaded files to disk, rather than buffering in memory</span> <span class="na">useTempFiles</span> <span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">tempFileDir</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/tmp/</span><span class="dl">'</span> <span class="p">}));</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Was a file submitted?</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">No files were uploaded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadedFile</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">file</span><span class="p">;</span> <span class="c1">// Print information about the file to the console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Name: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Size: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">size</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File MD5 Hash: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">md5</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`File Mime Type: </span><span class="p">${</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">mimetype</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Scan the file for malware using the Verisys Antivirus API - the same concepts can be</span> <span class="c1">// used to work with the uploaded file in different ways</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Attach the uploaded file to a FormData instance</span> <span class="kd">var</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">form</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">,</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">tempFilePath</span><span class="p">),</span> <span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&lt;YOUR API KEY HERE&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Send the file to the Verisys Antivirus API</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://eu1.api.av.ionxsolutions.com/v1/malware/scan/file</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">form</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span> <span class="p">});</span> <span class="c1">// Did we get a response from the API?</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Did the file contain a virus/malware?</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">clean</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Uploaded file is clean!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">`Uploaded file contained malware: &lt;b&gt;</span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">signals</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">&lt;/b&gt;`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unable to scan file: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Forward the error to the Express error handler</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="c1">// Remove the uploaded temp file</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">rm</span><span class="p">(</span><span class="nx">uploadedFile</span><span class="p">.</span><span class="nx">tempFilePath</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{});</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>As with the <code>/upload</code> handler, this new <code>/scan</code> handler will print information about the file to the console, so you can see what has been received by your route handler. It then uploads the file to Verisys Antivirus API to scan it for malware.</p> <blockquote> <p><strong>NOTE</strong>:<br> The <code>X-API-Key</code> in the above code will need to be replaced with a real API key to scan files for real. Don’t have an API key? <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Subscribe now</a>!</p> </blockquote> <p>Next, we need to wire up this code to the <code>/scan</code> route.</p> <ul> <li>Update the content of <code>myapp/app.js</code> to contain the following: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">createError</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-errors</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">morgan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">indexRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/index</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">usersRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/users</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uploadRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/upload</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">scanRouter</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./routes/scan</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// view engine setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">view engine</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pug</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">logger</span><span class="p">(</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">indexRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">usersRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/upload</span><span class="dl">'</span><span class="p">,</span> <span class="nx">uploadRouter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/scan</span><span class="dl">'</span><span class="p">,</span> <span class="nx">scanRouter</span><span class="p">);</span> <span class="c1">// catch 404 and forward to error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="nf">createError</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// error handler</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// set locals, only providing error in development</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">err</span> <span class="p">:</span> <span class="p">{};</span> <span class="c1">// render the error page</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">||</span> <span class="mi">500</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>We’ve only added two lines to the previous code (lines <code>#10</code> and <code>#27</code> above), telling Express to use our <code>scan.js</code> router for the <code>/scan</code> route.</p> <h2> Testing Malware Scanning </h2> <p>Now we’re ready to test malware scanning! 🎉</p> <ol> <li>Begin by starting your Node.js server using the same command as before</li> <li>Open your browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a> - you should see a page that looks like this:</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymrmeavxeggq46but20d.png" alt="Upload forms" width="628" height="448"></a></p> <ol> <li>Use the <strong>Malware Scan</strong> form, Browse to select a file and press the <strong>Scan File</strong> button</li> </ol> <p>If everything was set up correctly, as before you should see information about the file being printed to the console, but you should also see a response from <a href="https://www.ionxsolutions.com/products/antivirus-api?utm_source=devto" rel="noopener noreferrer">Verisys Antivirus API</a>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xif4huvadglfzjaripo.png" alt="Successful malware scan on a clean file" width="630" height="222"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lh7fuiobbzxtoryz5l4.png" alt="Successful malware scan on an infected file" width="628" height="222"></a></p> <p>Code for this tutorial can be found on <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express" rel="noopener noreferrer">GitHub</a>: <a href="https://github.com/IonxSolutions/tutorial-file-uploads-express" rel="noopener noreferrer">https://github.com/IonxSolutions/tutorial-file-uploads-express</a></p> webdev javascript tutorial express