Secure File Upload Scanning for Node.js: Open-Source Pompelmi

Summary
– Pompelmi is an open-source tool that embeds malware scanning and policy checks directly into Node.js applications to evaluate untrusted file uploads in memory before they are processed or stored.
– It operates without external network calls, keeping file data within the application boundary to address privacy, latency, and regulatory concerns.
– The toolkit enforces customizable policies, including file type validation and archive inspection, to prevent risks like archive bombs and nested malicious payloads.
– It supports pluggable scanning strategies and offers middleware for frameworks like Express and Koa, integrating seamlessly into existing upload workflows.
– Beyond runtime use, Pompelmi can be used in CI/CD pipelines via a GitHub Action to scan artifacts early, and it is freely available on GitHub.
For development teams working with Node.js, securing file uploads is a critical line of defense against malware and malicious content. An open-source toolkit named Pompelmi provides a solution by embedding real-time scanning and policy enforcement directly into the application process. This allows JavaScript and TypeScript applications to evaluate and block dangerous files before they ever reach storage systems or core business logic, enhancing security from the very first interaction.
The scanner operates inline within the application code. Developers integrate it directly into their upload handlers, where it assesses incoming files against a configurable set of rules. Files can be categorized as acceptable, suspicious, or malicious based on these checks. A key advantage is that the scanning process happens entirely in memory without requiring external network calls. This design keeps sensitive file data within the application boundary, addressing concerns related to data privacy, regulatory compliance, and latency. By inspecting file buffers before they are written to disk or sent to object storage, the tool prevents unsafe content from contaminating downstream systems.
Teams can define specific file policies to match their security requirements. Pompelmi supports controls for allowed file extensions, maximum file sizes, and server-side MIME type validation. The MIME check is particularly important, as it verifies a file’s actual signature against its declared content type, reducing dependence on potentially spoofed user metadata. Special attention is given to compressed archives. The toolkit can inspect the contents of ZIP files and similar archives before extraction, applying limits on recursion depth, total file counts, and potential size expansion. These measures help defend against archive bomb attacks and the delivery of nested malicious payloads.
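To make the policy checks above concrete, here is an added example written for this summary; it is not Pompelmi's own code or API. The `validateUpload` function, the policy object shape, and the constructed one-entry ZIP sample are all assumptions; it shows magic-byte MIME validation and a central-directory inspection of a ZIP buffer (without extracting anything) that flags archive-bomb expansion.

```javascript
// Added example (not Pompelmi's code): in-memory checks for an untrusted upload.
// Magic-byte MIME validation, then central-directory inspection of ZIPs (no
// extraction) to enforce entry-count and expansion limits against archive bombs.
const MAGIC = { 'image/png': [0x89, 0x50, 0x4e, 0x47], 'image/jpeg': [0xff, 0xd8, 0xff],
  'application/pdf': [0x25, 0x50, 0x44, 0x46], 'application/zip': [0x50, 0x4b, 0x03, 0x04] };

function sniffMime(buf) {
  return Object.keys(MAGIC).find((m) => MAGIC[m].every((b, i) => buf[i] === b)) || null;
}

// Find the End Of Central Directory record, then sum the uncompressed size each
// central-directory entry *claims*; a huge claim on a tiny file is a bomb signal.
function inspectZip(buf) {
  let eocd = -1;
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 65557); i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error('no EOCD record');
  const entries = buf.readUInt16LE(eocd + 10);
  let off = buf.readUInt32LE(eocd + 16), uncompressed = 0;
  for (let n = 0; n < entries; n++) {
    if (buf.readUInt32LE(off) !== 0x02014b50) throw new Error('bad central directory');
    uncompressed += buf.readUInt32LE(off + 24);
    off += 46 + buf.readUInt16LE(off + 28) + buf.readUInt16LE(off + 30) + buf.readUInt16LE(off + 32);
  }
  return { entries, uncompressed };
}

// policy shape is hypothetical: { maxBytes, allowedMimes, maxEntries, maxExpansion }
function validateUpload(buf, declaredMime, policy) {
  if (buf.length > policy.maxBytes) return { verdict: 'reject', reason: 'too large' };
  const actual = sniffMime(buf);
  if (actual !== declaredMime) return { verdict: 'reject', reason: `declared ${declaredMime}, detected ${actual}` };
  if (!policy.allowedMimes.includes(actual)) return { verdict: 'reject', reason: 'type not allowed' };
  if (actual === 'application/zip') {
    let z; try { z = inspectZip(buf); } catch (e) { return { verdict: 'reject', reason: e.message }; }
    if (z.entries > policy.maxEntries) return { verdict: 'reject', reason: 'too many entries' };
    if (z.uncompressed > buf.length * policy.maxExpansion) return { verdict: 'suspicious', reason: 'expansion ratio' };
  }
  return { verdict: 'accept', reason: null };
}

// Constructed sample: one-entry stored ZIP (CRC left 0, never extracted);
// claimedSize lets the sample lie about its uncompressed size the way a bomb does.
function makeZip(name, data, claimedSize = data.length) {
  const n = Buffer.from(name), d = Buffer.from(data), lh = Buffer.alloc(30), ch = Buffer.alloc(46), eocd = Buffer.alloc(22);
  lh.writeUInt32LE(0x04034b50, 0); lh.writeUInt32LE(d.length, 18); lh.writeUInt32LE(claimedSize, 22); lh.writeUInt16LE(n.length, 26);
  ch.writeUInt32LE(0x02014b50, 0); ch.writeUInt32LE(d.length, 20); ch.writeUInt32LE(claimedSize, 24); ch.writeUInt16LE(n.length, 28);
  eocd.writeUInt32LE(0x06054b50, 0); eocd.writeUInt16LE(1, 8); eocd.writeUInt16LE(1, 10);
  eocd.writeUInt32LE(46 + n.length, 12); eocd.writeUInt32LE(30 + n.length + d.length, 16);
  return Buffer.concat([lh, n, d, ch, n, eocd]);
}
```

The expansion check compares the sizes the archive claims against the bytes actually received, so nothing is decompressed on the request path.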
The architecture is built for flexibility through pluggable scanning logic. While default checks look for risky patterns and structural indicators, the system provides interfaces for integrating custom scanners. An optional signature-based scanning engine can also be enabled, allowing teams to incorporate their own detection rules and signature sets tailored to specific threats.
To streamline implementation, Pompelmi offers ready-made integrations for popular Node.js frameworks. Middleware packages for Express and Koa allow file uploads to be automatically intercepted and scanned as part of standard request handling. Integration support for Next.js routing patterns is also available. In a typical setup, developers install the scanner and a framework adapter, which then applies the scanning logic to designated upload routes. The adapter controls request flow, blocking those with problematic files and routing rejections through standard application error paths.
Beyond runtime application security, Pompelmi’s utility extends into development pipelines. The project provides a GitHub Action, enabling teams to scan code repositories and build artifacts during continuous integration processes. This facilitates the early detection of unsafe content long before it reaches a production environment.
(Source: HelpNet Security)