Update to multer 1.3.1 and automatically clean uploaded files #4704
I've tried the 4.0.0-rc.1 and 4.0.0-beta.8 versions but I met the same error: every request ends without a response. And I guess there is a little mistake in server/bindBodyParser.js
Thanks for catching that @intrnet

Just to confirm, do you mean you tested merging this into your own branch based on

We're looking into the failure to connect now. It all worked for me in local testing, but it looks like there is an issue with this in different environments.
I tested it on 4.0.0-rc.1 and 4.0.0-beta.8. I simply updated multer and the selected files, according to your changes (Update to multer 1.3.1 and automatically clean uploaded files), in local testing on Ubuntu Linux.
@JedWatson I'm encountering the same issue with e2e tests (and keystone-demo) as reported in CI failures: I'm pulling from the
lib/uploads.js
Outdated
var os = require('os'); | ||
|
||
function handleUploadedFiles (req, res, next) { | ||
if (!req.files || !Array.isArray(req.files)) return; |
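Review bot: The guard at the top of `handleUploadedFiles`, `if (!req.files || !Array.isArray(req.files)) return;`, returns without calling `next`, so any request that carries no uploaded files is never handed to the next middleware and will hang without a response. Change it to `return next();` so that only the cleanup is skipped, not the rest of the chain.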
Should this be `return next();`?
I like the approach of cleaning the files when the request ends. However, if someone relies on the files still being on the disk, would it be useful to add a possibility for a flag in the request or response object which skips the deletion for that request? Or should we assume here that if the file is wanted to store permanently, it must be copied elsewhere?
* Playing with Travic CI build * Playing with Travic CI build * Fix attempt for issue keystonejs#3979 packages.js generates a Uncaught SyntaxError: Unexpected string when minified, and fails to load the admin interface. After some digging I found that uglifyjs compresses the typeof checks into the following format "undefined"==typeof x which triggers a syntax error after passing through another minification process when deployed. A way to prevent this from happening is to allow semicolons in the uglifyjs command. Also needed to add the 'aphrodite/no-important' to the required packages for the Admin UI. * Updating contact info * Correcting password type check in PasswordType * fix:typo in handleError in screens/Item/index.js * fix:module-name in import statement in EditForm.js It was working before but the `./` was extraneous and redundant. * Fix: model with required field that defaults to 0 can't be saved Number.prototype.validateRequiredInput() merely checked if the getter for the field returned a truthy value. That fails if the default happens to be zero (which is a falsy value). The fix is to simply check if the return value is a number. * Fix: model with required field that defaults to false can't be saved Boolean variant of commit d28bacc. 
* Commenting out redundant code in www dir * Removing `path` from server/initViewEngine * Removing commented out PropTypes import * Removing redundant import * [WIP] Updating packages (only minors and patches) * [WIP] Updating more packages (minor & patch) * Updating last of the minor and patch packages * Removing old aphropdite references * Fixing some "Prop types declarations should be sorted alphabetically" (react/sort-prop-types) errors, allowing `npm run lint` to run * Changes to the few dependencies that were depending on mime@2.x: - knox has been replaced with keystonejs/knox as the package is not being maintained anymore and has a `*` for `mime` - superagent@3.6.0 uses mime@1.3.6 (which is compatible with node <=6.x) * Fixing CSRF by reverting the (well meaning) changes made in PR 3756 (keystonejs/keystone#3756). I don't know if this will resurface issue 3420 (keystonejs/keystone#3420), which the PR apparently addressed. * Add some functionality to prevent macro injection via CSV export * Fixing file extention * extract password validation so users can access the validation within their own code for things like password reset * Correcting password type check in PasswordType * Expanding password field configuration options and improving defaults (to align with current NIST guidelines). Updating, expanding on and clarifying relevant docs. 
* Escaping values in the raw value of markdown field so it can be safely displayed within an HTML document * Sanitization update to markdown fields -- remove unsafe html tags from the markdown value before it's rendered into html * Updating the markdown fieldtype docs to include the new sanitizer options * Prep'ing for release as 4.0.0-beta.6 * Fixed in Adapters.FS * nerfed strongly worded comment * Updating packages * v4.0.0-beta.7 * Documentation about customizing the navigation bar * Add packages.js build * Fix Password `validateInput` breaking tests related to security updates * Revert "Merge branch 'jm-fork' into master" This reverts commit 8008781, reversing changes made to f08baa4. * (feat) implements image thumbnails for the File type * moved thumb check to field level * Fix for known security vulnerability in marked 0.3.6 dependency * updating packages * v4.0.0-beta.8 * Fix autocleanup for cloudinary fixes 3476 (keystonejs#4205) * Update `cloudinaryimage` to respect autocleanup * Fixes autocleanup for cloudinaryimages * Remove completed TODOs * Deprecate currency setting (keystonejs#4132) * fix paginate to return on count error (keystonejs#4167) * Update README.md (keystonejs#4569) Add field type Code (http://keystonejs.com/docs/database/#fieldtypes-code) * Should check undefined instead, otherwise value === 0 will not be able to show (keystonejs#4524) * Update application-updates.md (keystonejs#4582) * Update yo-generator.md (keystonejs#4581) * Update Readme.md (keystonejs#4583) * replace hardcode keystone to path admin variable (keystonejs#4586) * replace knox git dependency with knox-s3 (keystonejs#4574) - knox-s3 is a fork of knox with one difference: a mime 1.x dependency that avoids breaking changes in mime 2.x - this matches the `keystonejs/knox` repo, but is published to npm - allows keystone to be installed without git e.g. 
in a node:slim Docker container close keystonejs#4573 * Upgrade moment for CVE-2017-18214 (keystonejs#4592) For more info, see: https://nvd.nist.gov/vuln/detail/CVE-2017-18214 This is currently triggering github security alerts on all projects using keystone 4.x * Fix website (keystonejs#4615) * Update website to work * fixing one test at a time Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * fixed keystonejs#4628 Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * fixing some typos and unnessesary comments Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * removed commented out tests as there are not meaningful Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * fixing admin ui tests (thanks to Vito) Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * Fix test failure due to password complexity requirement added in 8ecb809 * Fix the wrong link to typography * Added the typopgrahy plugin into gatsby-config * Update typography to latest version * Fix typo in @keystonejs and change GitHub link to https * Remove failing tests as discussed with @JedWatson and @dominikwilkowski * Keystone 4 website clean up and fixing stuff * Home page clean up, inclulding Header redesign * Doc page clean up, refactor the navigation * Mobile optimisations * A lot of minor polishes * Replace window.location.pathname with this.props.location.pathname * Add React Helmet * Add Twitter Butotn * Mobile optimsations * Linting warning fix * Adding in the missing DayPicker-WeekdaysRow (keystonejs#4601) * Adding in the missing DayPicker-WeekdaysRow * Fix keystonejs#4652: Remove EOL Node releases from Travis testing * show color swatch on color field Fixes issue: keystonejs/keystone#4074 * Fix keystonejs#4665: Update Readme for Keystone 4.0.0-rc0 * Fix missing bullets and tweak per feedback from Jed * Fix bullets & update RC title * Fix Relationship Fields link * Fix for empty relationships submitting no value * Fix for updating single 
relationship values * updating packages bundle Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * Remove link to `keystone-starter` (currently a v0.3 demo that doesn't cleanly deploy to Heroku) * Add mention of new File API and link to Contributor Guide * Reorganise README sections and add Table of Contents * Move field type overview to documentation * Move dev & testing information to Contributor Guide * Change Netlify doc links to https * Change Thinkmill link to https * Consolidate the Contributing blurb * Update GitHub issue/PR templates * Tidy home page text & link to current release information * Fix keystonejs#4686: CloudinaryImage(s) fields were incorrectly marked as deprecated (keystonejs#4690) * Update deps according to semver * Remove --growl from Mocha options; fails on Mocha 4+ unless `growl-notify` is installed (ref: mochajs/mocha#3088) * Update to latest browserify * Upgrade `debug` dependency * Fix bug in Safari where XHR form submission fails with empty file input (keystonejs#4673) * Provides a fix for a bug in Safari where XHR form submission fails when input[type=file] is empty * Include keystone.version in startup message (keystonejs#4692) * Remove unused title markdown from README.md * updated packages bundle Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * bumped version to RC1 Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * Added session max age cookie to match keystone.uid cookie expiry * smooth scroll spped now based on current scroll position * Restore/repair S3 image uploading in tinymce * Use custom root for S3 paths * Check that req.session.cookie exists before setting maxAge * Make listing browser versions a more obvious PR testing requirement * Enhance numeric fields * Replace / with . to delimiter the file extension * Update part-4.md Corrected the api.event route. 
The "routes" was missing app.post('/api/event', routes.api.event.post); * Fix typo: s/gloing/going/ * Update options.md (keystonejs#4621) Fix typo error udpatedBy -> updatedBy * Fixed typo (keystonejs#4597) * Added letsencrypt configuration docs for keystonejs#4181 * Added more info on Application updates with required relationships. * Documented breaking change to `pre:routes` behaviour. * Update `package.json` reference to rc1 * Upgrade qs to 6.5.2 * Add pointer to Keystone 4 beta/RC release notes * - Upgrade to Mongoose 4.13.14: https://github.com/Automattic/mongoose/blob/master/History.md#41314--2018-05-25 - Add useMongoClient per http://thecodebarbarian.com/mongoose-4.11-use-mongo-client.html * Update z-index of color chooser The previous z-index of 2 was not enough for the popover to appear above the "Save" footer, which has z-index: 99 * Fix keystonejs#4706: Docs: Application Updates is 404 * Fix keystonejs#4707: Docs: Edit this page links are broken * Fix keystonejs#4688: Deprecated File field types have broken docs link * Remove WIP notes * Fix keystonejs#4708: Update Getting Started page * added semver notations to dependencies Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * fixed typo Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * Improve sanity checking for signin "from" param * Minor fixes and improvements to the location field type (keystonejs#4455) * Minor fix to location fields - no reason to depend on the order of address_components coming from Google * Minor fix to location fields - Better handling of `address_components` returned from Google API * Minor fix to location fields - no reason to depend on the order of address_components coming from Google * Minor fix to location fields - Better handling of `address_components` returned from Google API * Update to multer 1.3.1 and automatically clean uploaded files (keystonejs#4704) * Update to multer 1.3.1 and automatically clean uploaded files * Fix typo in bindBodyParser 
* Add missing next() (thanks @ttsirkia!) * Reviewed Getting Started documentation (keystonejs#4721) - FIxed spelling, grammar and broken link issues with the Getting Started documentation. - Ensured that Keystone is capitalised everywhere in the docs - Set Mongoose docs link to V4 * updating package bundle Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * bumped version 📣🎉 Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * FIxing broken links in README.md FIxing broken links in README.md * remove lock files Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * ignore lock files Signed-off-by: Dominik Wilkowski <Hi@Dominik-Wilkowski.com> * Adding Favicon to Keystone 4 website Tested with Chrome and Firefox. * Added Google Analytics Code to V4 website * Removed incorrect image Removed safari-pinned-tab.svg, which was a black square. * Created 404.js Currently giving errors TypeError: Cannot read property 'initial' of undefined - index.js:22 ExtractTextPlugin.<anonymous> [website]/[extract-text-webpack-plugin]/index.js:22:9 - Array.forEach - index.js:21 ExtractTextPlugin.mergeNonInitialChunks [website]/[extract-text-webpack-plugin]/index.js:21:16 - index.js:275 ExtractTextPlugin.<anonymous> [website]/[extract-text-webpack-plugin]/index.js:275:12 - Array.forEach - index.js:273 ExtractTextPlugin.<anonymous> [website]/[extract-text-webpack-plugin]/index.js:273:21 - async.js:52 [website]/[async]/lib/async.js:52:16 - async.js:236 Object.async.forEachOf.async.eachOf [website]/[async]/lib/async.js:236:30 - async.js:209 Object.async.forEach.async.each [website]/[async]/lib/async.js:209:22 - index.js:237 ExtractTextPlugin.<anonymous> [website]/[extract-text-webpack-plugin]/index.js:237:10 - Tapable.js:71 Compilation.applyPluginsAsync [website]/[tapable]/lib/Tapable.js:71:13 - Compilation.js:525 Compilation.seal [website]/[webpack]/lib/Compilation.js:525:7 - Compiler.js:397 Compiler.<anonymous> [website]/[webpack]/lib/Compiler.js:397:15 - 
Tapable.js:103 [website]/[tapable]/lib/Tapable.js:103:11 - Compilation.js:445 Compilation.<anonymous> [website]/[webpack]/lib/Compilation.js:445:10 - Compilation.js:417 [website]/[webpack]/lib/Compilation.js:417:12 * Fixed broken links to componants And added a link to the logo in the header * Tweaking the content * Adding Google Analytics and Favicons (keystonejs#4740) * Adding Favicon to Keystone 4 website * Added Google Analytics Code to V4 website * Removed safari-pinned-tab.svg, which was a black square. * Add Netlify redirects for v3 paths to v4 equivalents * Fixed a typo in Project-Options.md The `name` option appears twice, instead of the 2nd being `brand`. * Fixed links to configuration pages * Link to 4.x release history * Make titles for Setting Up sections consistent * Include defaultColumns in code example * Improve section labels for Get Started * Clean up text & formatting * Clean up text & formatting * Update index.md minor wording error fix * Update part-4.md * Fix keystonejs#4762: Bump kerberos & letsencrypt-express dependencies * Correct typo in templates/views/addEvent.pug Fix keystonejs#4805 * Fix typo in part 4 of tutorial (thanks @ebrahimamer) * add alt test to delete button * Fix keystonejs#4815: Typo in Getting started part 4 tutorial * Fix keystonejs#4818: Add redirect for /guide/config * documentation updates * DOCS: Fix typo for TextArray Field * Update Underscore-Methods.md underscore instead of undercore * Update options.md Link is broken without `http://` * Fixed incorrectly named API method label (fixes keystonejs#4825) * docs(syntax): update an upper-case (keystonejs#4810) By copying and pasting the site, I realized that the list was previously referenced with an uppercase. * incorrect link to database docs (keystonejs#4833) * fix: fields explorer invalid capitilisations (keystonejs#4834) * Bug - Fix UTC DateColumn vaue display (keystonejs#4841) Added toMoment method to allow Moment.js to use utc dates. 
Updated getValue to use toMoment for proper output. * Fixed typo in paginate() docs (keystonejs#4839) * Refer to the newest release "4.0.0" Probably forgot to update part of readme from the older release "4.0.0.rc.1" * Completed opening sentence The sentence "Once you retrieve a list from Keystone, the mongoose methods can be accessed from." seemed incomplete * Added option to hide Today button in Date field (keystonejs#4869) * Fixed dependsOn setting when applied to a boolean field set to false by default (keystonejs#4867) * UPDATE deleteItem action with custom error message (keystonejs#4683) * Return a 500 error when `item.remove` fails (keystonejs#4832) * Return a 500 error when `item.remove` fails Currently, errors from `item.remove` are not handled at all in the callback. This gives an empty 200 back to the frontend, which will do nothing with this response (no visual feedback on the error). We should return an actual error. All suggestions on how to return this error Keystone style are welcome. * directly send the `err` to `apiError` * Build S3 upload name when not present (keystonejs#4871) * Restore/repair S3 image uploading in tinymce * Use custom root for S3 paths * Build S3 upload name when not present * Fix markup typo in quick start docs. (keystonejs#4854) The `auto update` field was highlighted incorrectly. * Urlfield enahancement (keystonejs#4856) * add thumb option support to url type * do not fix the height of form input since it the value can be out of bound
* tag 'v4.0.0' of https://github.com/keystonejs/keystone: bumped version 📣🎉 updating package bundle Reviewed Getting Started documentation (keystonejs#4721) Update to multer 1.3.1 and automatically clean uploaded files (keystonejs#4704) Minor fixes and improvements to the location field type (keystonejs#4455) Improve sanity checking for signin "from" param fixed typo added semver notations to dependencies
This has been frustrating me for a long time, but I've worked out a way to update `multer` to the latest version and retain backwards compatibility while still being safe with uploaded files.

This resolves several issues that have been raised about our use of an old multer version, including #4694 #4428 #3597 #3175 and #1563
It also introduces some new features:
* `handle uploads` Keystone option to `false` (it will still be included by the admin UI)
* `multer options` Keystone option e.g
Technically this is possibly a breaking change, because we now automatically clean up uploaded files. This was never a thing I'd expect to be used but any weird edge-case implementation that expects uploaded files to hang around after the request is completed will break. Because of this, I'd like to merge this for `4.0.0` final (not RC) and make a prominent note about it in the changelog.
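The cleanup-on-request-end behaviour described in this PR, as an added example that is not Keystone's own `lib/uploads.js`. The `collectFiles` and `runDemo` helpers and the fake `req`/`res` objects are assumptions of this example, and it goes beyond the array case in the reviewed hunk by also handling `req.file` and the object-shaped `req.files` that multer produces.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const { EventEmitter } = require('events');

// multer sets req.file (.single), an array (.array/.any)
// or an object of arrays keyed by field name (.fields).
function collectFiles(req) {
  const found = [];
  if (req.file) found.push(req.file);
  if (Array.isArray(req.files)) found.push(...req.files);
  else if (req.files && typeof req.files === 'object') {
    for (const list of Object.values(req.files)) found.push(...list);
  }
  return found;
}

function handleUploadedFiles(req, res, next) {
  const files = collectFiles(req);
  if (files.length === 0) return next(); // nothing to clean, but keep the chain moving
  let done = false;
  const cleanup = () => {
    if (done) return; // 'finish' and 'close' can both fire for one response
    done = true;
    for (const file of files) {
      if (!file || typeof file.path !== 'string') continue; // memory storage has no path
      try {
        fs.unlinkSync(file.path);
      } catch (err) {
        if (err.code !== 'ENOENT') console.error('upload cleanup failed:', err.message);
      }
    }
  };
  res.once('finish', cleanup); // response fully sent
  res.once('close', cleanup); // client disconnected early
  next();
}

// Constructed demo: EventEmitter objects stand in for Express responses so this runs offline.
function runDemo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'upload-demo-'));
  const single = path.join(dir, 'single.bin');
  const multi = path.join(dir, 'multi.bin');
  fs.writeFileSync(single, 'x');
  fs.writeFileSync(multi, 'y');
  let nextCalls = 0;
  const next = () => { nextCalls += 1; };
  handleUploadedFiles({}, new EventEmitter(), next); // request without uploads
  const res = new EventEmitter();
  handleUploadedFiles({ file: { path: single }, files: [{ path: multi }] }, res, next);
  const presentDuringRequest = fs.existsSync(single) && fs.existsSync(multi);
  res.emit('finish');
  res.emit('close'); // second event must be a no-op
  const removed = !fs.existsSync(single) && !fs.existsSync(multi);
  fs.rmdirSync(dir);
  return { nextCalls, presentDuringRequest, removed };
}

console.log(runDemo());
```

A route handler that needs an upload to outlive the request has to copy or move it elsewhere before responding, since the temp file is gone once `finish` or `close` fires.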