include::../description.adoc[]

== Noncompliant Code Example

https://www.npmjs.com/package/formidable[formidable] module:

----
const Formidable = require('formidable');

const form = new Formidable(); // Noncompliant, this form is not safe
form.uploadDir = ""; // because upload dir is not defined (by default os temp dir: /var/tmp or /tmp)
form.keepExtensions = true; // and file extensions are kept
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) module (the multer snippets below rely on Node's built-in `crypto` module having been required beforehand):

----
const multer = require('multer');

let diskStorage = multer.diskStorage({ // Noncompliant: no destination specified
  filename: (req, file, cb) => {
    const buf = crypto.randomBytes(20);
    cb(null, buf.toString('hex'))
  }
});

// This upload is not safe as no destination specified, /var/tmp or /tmp will be used
let diskupload = multer({
  storage: diskStorage,
});
----

== Compliant Solution

https://www.npmjs.com/package/formidable[formidable] module:

----
const Formidable = require('formidable');

const form = new Formidable(); // Compliant
form.uploadDir = "./uploads/";
form.keepExtensions = false;
----

https://www.npmjs.com/package/multer[multer] (Express.js middleware) module:

----
const multer = require('multer');

let diskStorage = multer.diskStorage({ // Compliant
  filename: (req, file, cb) => {
    const buf = crypto.randomBytes(20);
    cb(null, buf.toString('hex'))
  },
  destination: (req, file, cb) => {
    cb(null, './uploads/')
  }
});

let diskupload = multer({
  storage: diskStorage,
});
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]