
all-node-oracle


A NodeJS and Oracle DB integration; NodeJS acts as an HTTP gateway for PL/SQL server pages

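var CRLF = '\r\n',
    CRLF2 = '\r\n\r\n',
    CRLF3 = '\r\n\r\n\r\n',
    cfg = require('./../cfg.js'),
    util = require('./../util/util.js'),
    fs = require('fs'),
    path = require('path'),
    C = require('./../constant.js');

// formidable is optional: without it this handler can only reject multipart requests.
try {
  var formidable = require('formidable');
  // number of leading characters to drop from file.path to get a path relative to the
  // upload dir; assumes cfg.upload_dir ends with a separator (it is used with '+' below)
  var uploadTrim = cfg.upload_dir.length;
} catch (e) {
  console.warn('\n[WARN] Can not find/load "formidable" module, so multipart/form-data file upload is not supported !');
  console.info('You can run "npm -g install formidable" to install formidable nodeJS module.\n');
}

var hasOwn = Object.prototype.hasOwnProperty;

// Matches a <script ...>...</script> element, including a bare <script> with no
// attributes and any newline style inside the body. Used only with String#replace,
// which resets lastIndex, so sharing one /g instance is safe.
var SCRIPT_TAG_RE = /<\s*script\b[^<>]*>[\s\S]*?<\/\s*script\s*>/gi;
var SCRIPT_TAG_REPLACEMENT = "<em>The script tag and it's content has been striped for security reason at the time of file upload!</em>";

/**
 * True when `fullPath` resolves to a location strictly inside cfg.upload_dir.
 * Both the `_<field>` directory hint and the file name come from the client, so this
 * is the check that keeps '..' segments (or an absolute hint) from placing the file
 * outside the upload directory.
 * @param {string} fullPath - the path that would be assigned to file.path
 * @returns {boolean}
 */
function isInsideUploadDir(fullPath) {
  var root = path.resolve(cfg.upload_dir);
  var target = path.resolve(fullPath);
  return target.indexOf(root + path.sep) === 0;
}

/**
 * Content type of an uploaded file as reported by formidable.
 * The original code called `file.mime()`; formidable 1.x exposes the value as
 * `file.type` and older releases as a `file.mime` property, so all three are tried.
 * @param {object} file - formidable File
 * @returns {string} content type, or '' when none is available
 */
function contentTypeOf(file) {
  if (typeof file.mime === 'function') return file.mime() || '';
  return file.type || file.mime || '';
}

/**
 * Storage path (relative to the upload dir) for a file whose field has a `_<field>`
 * hint: a hint ending in '/' is a directory that keeps the client file name, a hint
 * ending in '.' is a base name that keeps only the client extension, anything else is
 * used verbatim as the file name.
 * @param {string} hint - value of the `_<field>` form field (client supplied)
 * @param {string} name - client supplied file name
 * @returns {string}
 */
function hintedPath(hint, name) {
  switch (hint.slice(-1)) {
    case '/':
      return hint + name;
    case '.':
      return hint + name.split('.').pop();
    default:
      return hint;
  }
}

/**
 * Storage path (relative to the upload dir) for a file without a hint: formidable's
 * temporary file name spread over `cfg.upload_depth` directory levels under 'auto/'.
 * Depth 2 is the default and also the fallback for unknown depth values.
 * @param {string} tmpPath - formidable's temporary file.path
 * @returns {string}
 */
function autoPath(tmpPath) {
  var name = tmpPath.split('/').pop();
  var rpath;
  switch (cfg.upload_depth || 2) {
    case 1:
      rpath = name;
      break;
    case 3:
      rpath = name.substr(0, 10) + '/' + name.substr(10, 10) + '/' + name.substr(20);
      break;
    case 4:
      rpath = name.substr(0, 8) + '/' + name.substr(8, 8) + '/' + name.substr(16, 8) + '/' + name.substr(24);
      break;
    case 2:
    default:
      rpath = name.substr(0, 16) + '/' + name.substr(16);
  }
  return 'auto/' + rpath;
}

/**
 * Rewrites an uploaded HTML file in place with every <script> element replaced by a
 * notice. Best effort: read/write failures are logged and otherwise ignored, as in the
 * original. Note this removes script elements only; it is not a full HTML sanitizer.
 * @param {string} filePath - absolute path of the stored upload
 */
function stripScriptTags(filePath) {
  fs.readFile(filePath, 'UTF8', function(err, data){
    if (err) {
      console.error('Can not strip script tag in html file "%s" !', filePath);
      return;
    }
    var cleaned = data.replace(SCRIPT_TAG_RE, SCRIPT_TAG_REPLACEMENT);
    fs.writeFile(filePath, cleaned, function(writeErr){
      // the original log call had a "%s" placeholder but passed no argument
      if (writeErr) console.warn('html upload file "%s" can not be striped of script tag !', filePath);
    });
  });
}

/**
 * Parses a multipart/form-data request with formidable, stores the files under
 * cfg.upload_dir and forwards the fields (file fields as their relative path plus a
 * `<field>.size` list) to the Oracle request before ending it.
 * @param {http.IncomingMessage} req
 * @param {object} oraReq - project Oracle request; addHeaders(fields, '') and end(cb) are used
 * @param {function} onResponse - passed to oraReq.end
 * @param {function} next - called with an Error when the upload cannot be handled
 */
module.exports = function(req, oraReq, onResponse, next){
  if (!formidable) {
    oraReq.end(onResponse);
    // todo: cleanup and release resource
    next(new Error(req.url + ' has file upload that is not support without formidable module'));
    return;
  }

  var form = new formidable.IncomingForm();
  var fields = {};      // field name -> list of values; files contribute their relative path
  var dirs = {};        // '_<field>' hints: where the file for <field> should be stored
  var rejected = null;  // first path-escape error, reported on 'end'

  form.uploadDir = cfg.upload_dir;
  form.keepExtensions = true;

  form.on('field', function(field, value){
    if (field.charAt(0) === '_') {
      dirs[field.substr(1)] = value;
      return;
    }
    // hasOwn rather than truthiness: a field named e.g. "constructor" would otherwise
    // hit Object.prototype and crash on .push
    if (hasOwn.call(fields, field)) fields[field].push(value);
    else fields[field] = [value];
  })
  .on('fileBegin', function(field, file){
    if (!file.name) {
      // file part without a name: park it in a sink file, reported as '' on 'file'
      file.path = cfg.upload_dir + 'null';
      return;
    }
    var rpath = hasOwn.call(dirs, field) ? hintedPath(dirs[field], file.name) : autoPath(file.path);
    var target = cfg.upload_dir + rpath;
    if (!isInsideUploadDir(target)) {
      // client-controlled hint or name escapes the upload dir: divert the bytes to the
      // sink file and fail the request on 'end' instead of writing outside the tree
      rejected = rejected || new Error(req.url + ' upload field "' + field + '" resolves outside the upload directory');
      file.path = cfg.upload_dir + 'null';
      return;
    }
    // NOTE(review): ensureDir is given the path relative to the upload dir, as in the
    // original; presumably it resolves against cfg.upload_dir - confirm in util.js
    util.ensureDir(rpath);
    file.path = target;
  })
  .on('file', function(field, file){
    var value = file.path.substr(uploadTrim);
    if (value === 'null') value = '';
    if (hasOwn.call(fields, field)) {
      fields[field].push(value);
      // the field may have been started by a plain value, so the size list may not exist yet
      if (!hasOwn.call(fields, field + '.size')) fields[field + '.size'] = [];
      fields[field + '.size'].push(file.size);
    } else {
      fields[field] = [value];
      fields[field + '.size'] = [file.size];
    }
    if (!file.name || file.size === 0) return;
    // strip <script>...</script> for html; the original's `||` sat inside match() so the
    // content-type test never ran, and only the regex was consulted
    var ext = file.name.split('.').pop();
    var isHtml = /(html|htm)/i.test(ext) || contentTypeOf(file) === 'text/html';
    if (isHtml) stripScriptTags(file.path);
  })
  .on('end', function(){
    if (rejected) {
      // todo: clean up and release resource (same as the 'error' path)
      next(rejected);
      return;
    }
    oraReq.addHeaders(fields, '');
    oraReq.end(onResponse);
  })
  .on('error', function(e){
    // todo: clean up and release resource
    next(e);
  })
  .parse(req);
};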