🌈📄⬆️💩
Full Spectrum
File Uploads
Hey 👋
I'm Austin Gil
austingil.com | @heyAustinGil
- Hacking on websites since 2013
- Help folks build better websites
- Interests: bikes, soccer, camping, pinball, roller derby, my chiweenie
🌈📄⬆️💩
Full Spectrum
File Uploads
1
Hey 👋
I'm Austin Gil
austingil.com | @heyAustinGil
- Hacking on websites since 2013
- Help folks build better websites
- Interests: bikes, soccer, camping, pinball, roller derby, my chiweenie
2
🚧 DISCLOSURE 🚧
I work at Akamai (akamai.com)
We offer a lot of relevant services
Really hard not to mention (kind of my job)
Impossible to be 100% unbiased
3
🤝 ASSURANCE 😘
This is not a sales pitch in disguise
I’m here to teach practical, general concepts
I may mention Akamai because it’s familiar
But this info applies anywhere
4
HTTP: The language of the internet
Protocol for hypermedia communication between distributed computers.
Required: Method, Path, HTTP version
Optional: Headers, Body
GET / HTTP/1.1
Host: austingil.com
Accept: */*
Accept-Encoding: gzip
Connection: keep-alive
Say hi to your dog for me5
We don’t need to worry about that
6
Browsers are HTTP clients
- Make HTTP requests on our behalf.
- Convert HTTP responses into websites.
- Provide APIs to send files via HTML or JavaScript.
7
Upload Files with HTML
8
Construct an HTTP request
<form>
<button>Upload</button>
</form>9
Send Data As Request Body
<form method="post">
<button>Upload</button>
</form>10
Access Files
<form method="post">
File:
<input type="file" />
<button>Upload</button>
</form>11
Make it accessible
<form method="post">
<label for="file">File:</label>
<input type="file" id="file" />
<button>Upload</button>
</form>12
Actually Send File Contents
<form method="post" enctype="multipart/form-data">
<label for="file">File:</label>
<input type="file" id="file" name="file" />
<button>Upload</button>
</form>13
Behold The HTML File Upload Form
<form method="post" enctype="multipart/form-data">
<label for="file">File:</label>
<input type="file" id="file" name="file" />
<button>Upload</button>
</form>14
Translated To HTTP
POST / HTTP/1.1
Content-Type: multipart/form-data;boundary=
---------------------------735323031399963166993862150
Content-Length: 17
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="nugget.txt"
Content-Type: text/plain
Who's a good boy?
-----------------------------735323031399963166993862150--15
We’re Uploading Files
Yes!
- Users can select a file
- Browser is sending the file
But…
- Browser reloads every time
16
Improve UX with JavaScript
17
Same same but different
- Still need access to the file system
- Still need an HTTP request (
fetchorXMLHttpRequest) - Still need a
POSTmethod - Still need to put the file in the body
18
Technically, this works
<input type="file" onchange="handleFileChange">function handleFileChange(event) {
fetch('/some-url', {
method: 'post',
body: event.target.files[0],
});
}19
…But don’t do that
20
<form
method="post"
enctype="multipart/form-data"
onsumit="handleSubmit"
>
<!-- content -->
</form>async function handleSubmit(event) {
const request = submitFormWithJs(event.currentTarget)
event.preventDefault()
const response = await request
}21
function submitFormWithJs(form) {
const url = new URL(form.action);
const formData = new FormData(form);
const fetchOptions = {
method: form.method,
};
if (form.method.toLowerCase() === 'post') {
if (form.enctype === 'multipart/form-data') {
fetchOptions.body = formData; // multipart/form-data
} else {
fetchOptions.body = new URLSearchParams(formData); // application/x-www-form-urlencoded
}
} else {
url.search = new URLSearchParams(formData);
}
return fetch(url, fetchOptions);
}22
Why?
Progressive Enhancement
- Works with or without JS
- Maintains browser features
- Maintains accessibility
Simplicity
- Reusable function
- Declarative logic from HTML
- More resilient & maintainable
23
We’ve improved the UX
Yes!
- User doesn’t wait for page refresh
- Progressive enhancement
But…
- What do we do with the sent files?
24
Receive Files in Node.js
25
Node is event-driven
During HTTP requests, each chunk triggers the request.on() method.
function processNodeRequest(request) {
request.on("data", (data) => {
console.log(data);
}
}
26
function processNodeRequest(request) {
return new Promise((resolve, reject) => {
const chunks = [];
request.on('data', (data) => {
chunks.push(data);
});
request.on('end', () => {
const payload = Buffer.concat(chunks).toString()
resolve(payload);
});
request.on('error', reject);
});
}27
console.log(await processNodeRequest(request))POST / HTTP/1.1
Content-Type: multipart/form-data;boundary=
---------------------------WebKitFormBoundary4Ay52hDeKB5x2vXP
Content-Length: 19
------WebKitFormBoundary4Ay52hDeKB5x2vXP--
Content-Disposition: form-data; name="file"; filename="dear-nugget.txt"
Content-Type: text/plain
I love you, Nugget!
------WebKitFormBoundary4Ay52hDeKB5x2vXP--28
We’ve made a terrible mistake…
- Whole file contents in memory?
- Manually parsing HTTP requests?
29
Use streaming library (formidable)
function processNodeRequest(request) {
return new Promise((resolve, reject) => {
const form = formidable({ multiples: true })
form.parse(request, (error, fields, files) => {
if (error) {
reject(error);
return;
}
resolve({ ...fields, ...files });
});
});
}30
{
file: PersistentFile {
lastModifiedDate: 2023-03-21T22:57:42.332Z,
filepath: '/tmp/d53a9fd346fcc1122e6746600',
newFilename: 'd53a9fd346fcc1122e6746600',
originalFilename: 'dear-nugget.txt',
mimetype: 'text/plain',
hashAlgorithm: false,
size: 19,
hash: null,
}
}31
We’re Saving Files to Disk
Yes!
- Access to file metadata
- Using streams instead of memory
- Not reinventing the wheel
But…
- What happens when space runs out
- What if we have a distributed system
32
Saving Files to
Object Storage
33
What is Object Storage?
A single, central place to store and access all of your uploads.
Highly available, easily scalable, and often 10x cheaper than server space.
Ideally should be S3-compatible.
34
What is S3?
S3 ("Simple Storage Service") is AWS’s object storage product.
Has become a standard communication protocol for Object Storage solutions.
Libraries: @aws-sdk/client-s3 @aws-sdk/lib-storage
35
Getting files to Object Storage
- Signed URLs
- Stream through proxy
36
Signed URLs
- Frontend request asks for a signed URL.
- Backend gets it from Object Storage provider.
- Backend gives signed URL to the frontend.
- Frontend uploads directly to provider.
Pros
- Moves work off your servers.
- Moves bandwidth off your server.
- Simpler architecture.
Cons
- Harder to coordinate database.
- Less control (malware protection, optimized images).
- No progressive enhancement.
37
Streaming through formidable
const form = formidable({
multiples: true,
fileWriteStreamHandler: fileWriteStreamHandler,
});
function fileWriteStreamHandler(file) {
// TODO
}38
Getting into the weeds
- formidable wants to write chunks to a stream.
- S3 upload wants to read chunks from a stream.
- We need to store the file’s location somewhere.
- We need to track pending upload requests.
39
const s3Uploads = [];
function fileWriteStreamHandler(file) {
const fileStream = new PassThrough(); // from 'stream' module
const upload = new Upload({
client: s3Client,
params: {
Bucket: 'austins-bucket',
Key: `files/${file.newFilename}`,
ContentType: file.mimetype,
ACL: 'public-read',
Body: fileStream,
},
});
const uploadRequest = upload.done().then((response) => {
file.location = response.Location;
});
s3Uploads.push(uploadRequest);
return fileStream;
}40
file: {
lastModifiedDate: null,
filepath: '/tmp/93374f13c6cab7a01f7cb5100',
newFilename: '93374f13c6cab7a01f7cb5100',
originalFilename: 'nugget.jpg',
mimetype: 'image/jpeg',
hashAlgorithm: false,
createFileWriteStream: [Function: fileWriteStreamHandler],
size: 82298,
hash: null,
location: 'https://austins-bucket.us-southeast-1.linodeobjects.com/files/nugget.jpg',
}41
The MAJOR Caveat
🚨 Double the bandwidth 🚨
In to your server and out to Object Storage.
42
We’re Using Object Storage
Yes!
- Get more space for much less cost
- All files stored in single place
- Separation between server and files
But…
- Object Storage exists in one region
- Could cause latency issues
43
Put Files Closer
44
Content Delivery Networks (CDNs)
Globally distributed network of servers that caches content close to users.
Initial requests pass through CDN node, grab content from origin, and get cached. Subsequent requests use cached content.
Faster deliver of static assets (HTML, CSS, JavaScript, images, fonts, etc.)
45
46
47
Things to consider…
- Compounding impact for render blocking resources
- Caching strategy is really hard to get right
- Duration
- Invalidation
- Host URL (subpath vs subdomain, cookies, etc)
- CDNs have evolved in the last 25 years
- Edge-layer security (DDoS, bots, etc)
- Automatic media optimization
- Edge compute
48
We’re Delivering Files Quickly
Yes!
- Faster responses
- Less bandwidth
- Higher availability
But…
- What about malware
49
Secure our application
50
OWASP File Upload Cheat Sheet
- Extension Validation
- Filename Sanitization
- Upload and Download Limits
- File Storage Location
- Content-Type Validation
- File Content Validation
- Malware Scanning Architecture
51
Filename Sanitization
Prevent excessively long file names or invalid characters for OS.
const form = formidable({
// other config options
filename(file) {
// return some random string
},
});(formidable does this by default)
52
File Size Limits
File upload & download size impacts storage, bandwidth, and performance.
const form = formidable({
// other config options
maxFileSize: 1024 * 1024 * 10, // 10mb
});(formidable defaults to 200mb max file size)
53
File Storage Location
Quarantine files away from running application and with limited permissions.
const form = formidable({
// other config options
uploadDir: './uploads',
});(formidable defaults to OS’s temp folder)
54
Extension Validation **
Only allow files with allowed extensions into your system.
const form = formidable({
// other config options
filter(file) {
const allowed = /\.(jpe?g|png|gif|avif|webp|svg)$/i;
return allowed.test(file.originalFilename)
}
});55
Content-Type Validation **
Only allow files with allowed MIME-types into your system.
const form = formidable({
// other config options
filter(file) {
const mimetype = file.mimetype ?? '';
return Boolean(mimetype.includes('image'));
}
});(formidable bases file.mimetype from file extension)
56
File Content Validation **
Scanning files for malware is one of the more important security steps you can take when accepting file uploads.
- The file must already be on our server to scan.
- Scans take too long for the reqquest/response cycle.
- This requires a whole new architecture.
57
Malware Scanning Architecture
- Store files in quatantine
- Save file metadata and scan status in DB
- Respond to user with upload pending info
- Allow users to view file metadata
- Background process scans pending files
- Clean files get updated in DB
- Decided on strategy for dirty files
58
59
Block Malware at the Edge
(WARNING: Uniquely Akamai Product Content)
60
App & API Protector
Akamai customers have access to App & API Protector which provides:
- IP/Geo Firewall
- Denial of Service (DoS) protection
- Web Application Firewall (WAF)
- Malware Protection
61
62
63
App & API Protector Review
Pros
- Convenient to set up and modify
- No changes to application
- Files scanned at the edge
- Does its job well
- I don’t have to maintain it
Cons
- Limited max file size
64
We’ve secured our files
Yes!
- Files are quarantined
- Users still have fast responses
- Scans happen in the background
But…
- You weren’t paying attention
65
Blog & Video Tutorial Series
austingil.com/uploading-files-with-html
Covers HTML, JavaScript, Node.js (Nuxt), Object Storage, CDNs, Malware
66
Relevant Akamai Products
- VPS - Host your application
- Object Storage - Store uploads cheaply and reliably
- CDN - Deliver files faster
- Malware Protection - Pretty obvious, no?
67
This is the last slide (stop clicking)
$100 for you!
A tweet for me?
Let’s connect
68