There are some very serious security issues in the code here. I appreciate it was written by a beginner, but I would be very careful indeed about promoting this code as good practice.
Not least that you're configuring express.static to serve your project's root directory, including the file containing your database credentials.
Also, because you save the files directly to the statically served directory without doing any checks on their type or content, a malicious user can upload any file to your server and have it served on your domain.
I would probably do the following:
a) check the type and content of uploaded files and prevent saving any which are not valid
b) not serve the uploads directory directly, but do a lookup of the requested file in the database before serving