Express multer - disallow file uploads except for specific routes?

Time:07-19

Well, currently I am disallowing all file uploads to routes by setting up the server like:

const upload = multer();
const server = express();

module.exports = () => {
    // ...
    server.use(logger('dev'));
    server.use(express.json());
    server.use(express.urlencoded({ extended: false }));
    server.use(express.raw());
    server.use(cookieParser());
    server.use(express.static(path.join(projectRoot, 'public')));
    server.set('trust proxy', 1);
 
    server.use(upload.none());
    
    server.use('/', router);
    // ...

}

Which correctly blocks all files. Now I wish to allow uploading files only in the POST request to /test:

import * as express from "express";
import multer from "multer";
const upload = multer({storage: multer.memoryStorage()});
const router = express.Router();
router.post('/test', upload.single('pdf'), function(req, res, next) {
  const r = 'respond with a test -  POST';
  res.send(r);
}); 

However, when I try to use this in Postman, I get the error "multerError", "LIMIT_UNEXPECTED_FILE" for the field 'pdf'. I notice that if I remove the line server.use(multer.none()) it works, but then I can upload files to any place anyway, not exactly what I like?

CodePudding user response:

Nothing will be uploaded to your server unless you specify a multer middleware on the entire server, on a route, or on a particular path. So you can safely remove the server.use(upload.none());.

The middleware will then not try to consume the payload of the incoming request. How much load the receiving (without consumption) of the payload causes on the server, I don't know, but you could theoretically destroy the connection whenever the client tries to submit a payload:

req.on("data", function() {
  req.destroy();
});

But perhaps the creation of a new connection afterwards causes more load on the server overall.
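
As an added example (not code from the question or the answer): a dependency-free Express-style middleware that refuses multipart/form-data bodies on every route except an allowlist, so it can take the place of the global upload.none() while upload.single('pdf') stays on the POST /test route. The names rejectMultipartExcept, normalizePath and simulate, the allowlist shape and the 415 response are assumptions of this example; the requests at the bottom are constructed.

```javascript
// Added example: dependency-free Express-style middleware.
// `allowed` is a hypothetical config shape: [{ method: 'POST', path: '/test' }]
function normalizePath(url) {
  // Drop the query string and trailing slashes so '/test/?a=1' equals '/test'.
  const path = String(url || '/').split('?')[0].replace(/\/+$/, '');
  return path === '' ? '/' : path;
}

function rejectMultipartExcept(allowed) {
  const allow = new Set(
    allowed.map((r) => `${r.method.toUpperCase()} ${normalizePath(r.path)}`)
  );
  return function multipartGuard(req, res, next) {
    // Compare only the media type; the header also carries "; boundary=...".
    const type = String(req.headers['content-type'] || '')
      .split(';')[0].trim().toLowerCase();
    if (type !== 'multipart/form-data') return next();
    // Exact-case path match is stricter than Express's default routing,
    // so a mismatch fails closed (the request is refused).
    const key = `${req.method.toUpperCase()} ${normalizePath(req.originalUrl || req.url)}`;
    if (allow.has(key)) return next(); // the route's own multer instance parses it
    // Refuse without reading the body, and ask for the connection to be closed.
    res.statusCode = 415;
    res.setHeader('Connection', 'close');
    res.end('multipart/form-data is not accepted on this route');
  };
}

// Run one constructed request through the guard using stub req/res objects.
function simulate(guard, method, url, contentType) {
  const req = { method, url, headers: contentType ? { 'content-type': contentType } : {} };
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let passed = false;
  guard(req, res, () => { passed = true; });
  return passed ? 'next' : res.statusCode;
}

const guard = rejectMultipartExcept([{ method: 'POST', path: '/test' }]);
console.log(simulate(guard, 'POST', '/test', 'multipart/form-data; boundary=x'));  // next
console.log(simulate(guard, 'POST', '/other', 'Multipart/Form-Data; boundary=x')); // 415
console.log(simulate(guard, 'POST', '/other', 'application/json'));                // next
```

Mounted as server.use(rejectMultipartExcept([{ method: 'POST', path: '/test' }])) before server.use('/', router), it never parses the multipart stream itself, so the route-level multer instance still sees the full body.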
