Node.js
Andrey, 2017-07-29 15:42:38

Image file validation in NodeJS?

How to check if the uploaded file is an image (or something else)?
A simple check of the mimetype or extension is done by simply renaming the file.
Here, a colleague recommends checking some "magic numbers". As far as I understand, this is roughly the same as what the file-type module does, which checks:

if (check([0xFF, 0xD8, 0xFF])) {
  return {
    ext: 'jpg',
    mime: 'image/jpeg'
  };
}

How reliable is such a check?
What prevents an attacker from adding the necessary characters to the beginning of the file?
Plus, one more problem: since the server receives data in the multipart form format and the file is present there not as a stream but as a File object, you will first have to upload the file, then check it, and then delete it if something is wrong. That is the solution provided in the link above. It seems to me that this is somehow not very ...
Please share your best practices for checking downloaded files.


3 answer(s)
Michael, 2017-08-01
@f-end

Solution: "check magic numbers (signatures) before uploading": https://gist.github.com/anonymous/3eb41bad8e9bc7ef... or like this: https://gist.github.com/anonymous/f8d6fc6544be4e04... If there is something wrong with the file, it simply will not be written anywhere.
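
Added example, not part of the answer above or of the linked gists: one way to run the signature check on the first bytes of an upload before anything is written, and to cross-check it against the declared MIME type. The names sniffImage and gateUpload, the allow-list, and the write callback are assumptions made for illustration.

```javascript
// Illustrative sketch (hypothetical names; not code from file-type or the gists).
// Allow-list of image signatures (magic numbers); null matches any byte.
const SIGNATURES = [
  { mime: 'image/jpeg', bytes: [0xFF, 0xD8, 0xFF] },
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },             // "GIF8"
  { mime: 'image/webp', bytes: [0x52, 0x49, 0x46, 0x46, null, null, null, null,
                                0x57, 0x45, 0x42, 0x50] },             // RIFF....WEBP
];
const SNIFF_LEN = 12; // length of the longest signature above

// Return the MIME type whose signature matches the start of `head`, or null.
function sniffImage(head) {
  const hit = SIGNATURES.find(s => head.length >= s.bytes.length &&
    s.bytes.every((b, i) => b === null || head[i] === b));
  return hit ? hit.mime : null;
}

// Hold chunks back until SNIFF_LEN bytes have arrived (chunks can be tiny),
// then either forward everything to `write` or return without writing a byte.
function gateUpload(chunks, declaredMime, write) {
  let held = [], heldLen = 0, verdict = null;
  const decide = () => {
    const mime = sniffImage(Buffer.concat(held));
    if (!mime) return { ok: false, reason: 'unknown signature' };
    if (mime !== declaredMime) return { ok: false, reason: 'declared type mismatch', mime };
    return { ok: true, mime };
  };
  for (const chunk of chunks) {
    if (verdict) { write(chunk); continue; }   // already accepted: pass through
    held.push(chunk);
    heldLen += chunk.length;
    if (heldLen < SNIFF_LEN) continue;         // not enough bytes to judge yet
    verdict = decide();
    if (!verdict.ok) return verdict;           // rejected: nothing was written
    held.forEach(c => write(c));
    held = [];
  }
  if (!verdict) {                              // stream ended before SNIFF_LEN bytes
    verdict = decide();
    if (verdict.ok) held.forEach(c => write(c));
  }
  return verdict;
}
```

A buffer that merely begins with FF D8 FF is also accepted by this gate, which is the limitation the question raises: the signature vouches only for the first bytes, so the check is a first filter and not proof that the file decodes as an image.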

Dimonchik, 2017-07-29
@dimonchik2013

Usually imghdr.
It works well with broken JPEGs, but not 100%, alas.
