Multer: How do I prevent issue #159 / #454 from being used maliciously to crash my server?

Created on 27 Nov 2017 · 4Comments · Source: expressjs/multer

So I also fell prey to bugs #159 and #454 by having a mismatch between the fieldname in my HTML vs. in my API.

What I want to know is: how do I capture this error and prevent it from crashing my server? Nowhere in the exception log does it show a line of my code, and I'm loading Multer into Express' Router as a callback function, so I don't see where I would put the try/catch.

As I see it, someone could change the value of the field in HTML, submit the form, and then cause my application to crash. This isn't something I would go into a production environment with knowing that it exists.

Source

NobleUplift

Most helpful comment

Thanks a lot Linus! I had the errorhandler in my app.use, but it seems like it was being hit before my Multer route defined in the Express Router. I added a route.use(errorhandler()) to the route and it catches errors correctly now.

NobleUplift on 28 Nov 2017

👍2 🎉1

All 4 comments

Multer uses standard express error handling, and it seems like the error here is actually due to some error handler trying to set the http status code to 0.

It's hard to say what exactly it is in you specific app without taking a look at the source. But if you follow the information on "Error handling" in the readme you should be able to gracefully handle them and send back error pages to the client.

Unfortunately the stack trace doesn't seem to show where writeHead was originally called since on-headers shims it... Do you have any global error-handeling middleware added? I think that's where the culprit is...