Skip to main content
In this lesson we perform a focused security audit for file upload functionality and file handling. The target application (Express Login Demo) does not implement file uploads, but this walkthrough demonstrates the audit process, the checks to apply when adding uploads, and secure implementation patterns you can adopt. Below is the interactive prompt session used to drive the automated audit: 
* Welcome to Claude Code!

/help for help, /status for your current setup

cwd: /Users/jeremy/Repos/Claude Code Course/Express-login-demo

> Try "fix typecheck errors"

? for shortcuts
All prompts referenced below and the audit artifacts are available in the repository linked in the session.
A desktop screenshot showing a browser open to a GitHub repository called "Claude-Code-Review-Prompts" with a list of markdown files. The browser window sits over a code editor/IDE showing a project file tree in the sidebar.

Audit checklist prompt (condensed)

The audit prompt instructs the assessor to review all file upload functionality and provide a structured findings report: 
Review all file upload functionality:

Check for:
1. File type validation (whitelist, not blacklist)
2. File size limits
3. Filename sanitization
4. Anti-virus scanning integration
5. Storage location (outside webroot)
6. Direct execution prevention
7. MIME type validation
8. Magic number verification
9. Image manipulation library vulnerabilities
10. ZIP bomb protection

Provide:
- Structured finding report per issue (Title, Severity, CWE, Evidence, Why it matters)
- Exploitability notes and safe PoC/reproduction steps
- Precise remediation (code-level fix/config snippets)
- Summary risk score (0–10) and top 3–5 prioritized fixes
- Checklist diff: Pass/Fail/Not Applicable for items above

Constraints:
Be concrete and cite exact code locations and identifiers.

Key checks explained (quick guide)

  • File type validation: Apply a whitelist of allowed MIME types and extensions. Avoid blacklists.
  • File size limits: Enforce server-side limits to prevent DoS and storage exhaustion. Client-side checks are helpful but not authoritative.
  • Filename sanitization: Normalize and sanitize filenames; prefer generated names or UUIDs to avoid directory traversal and encoding issues.
  • Anti-virus scanning: Integrate AV scanning for user-supplied files in production environments.
  • Storage location: Keep uploaded files outside the webroot and serve them through controlled handlers.
  • Direct execution prevention: Ensure uploaded files cannot be executed (file permissions, handler configuration).
  • MIME type and magic-number validation: Validate both reported MIME type and inspect file signatures before trusting content.
  • Image library vulnerabilities: Use safe image-processing libraries with resource limits to avoid parser bugs and decompression bomb issues.
  • ZIP bomb protection: Check total uncompressed size and nested archive levels.

Automated search results (what the audit looked for)

The audit script searched for common upload handlers and static-serving middleware: 
● Search(pattern: "POST.*upload|PUT.*upload|multipart|express\.static", glob: "*.js", output_mode: "content")
└ Found 17 lines (ctrl+r to expand)

● Search(pattern: "app\.use.*static|express\.static", glob: "*.js", output_mode: "content")
└ Found 0 lines
The automated results were used to generate audit todos and a focused exploration plan.

Todos generated for the audit

Update Todos:
- Explore codebase structure and identify file-upload functionality
- Analyze file-type validation mechanisms
- Check file-size limits implementation
- Review filename sanitization
- Examine storage location security
- Verify MIME type and magic number validation
- Check for anti-virus scanning integration
- Review direct execution prevention
- Assess image manipulation library vulnerabilities
- Check ZIP bomb protection
- Generate structured security findings report

Audit findings — summary

  • The Express Login Demo application is a minimal authentication service that accepts JSON credentials only.
  • No file upload libraries were found (for example, multer or express-fileupload).
  • The codebase does not handle multipart/form-data nor does it serve static files via express.static.
  • Because the application has no upload capability, all file-upload related checks are Not Applicable (N/A).

Checklist results

CheckStatus
File type validation (whitelist)Not Applicable
File size limitsNot Applicable
Filename sanitizationNot Applicable
Anti-virus scanning integrationNot Applicable
Storage location (outside webroot)Not Applicable
Direct execution preventionNot Applicable
MIME type validationNot Applicable
Magic number verificationNot Applicable
Image manipulation library vulnerabilitiesNot Applicable
ZIP bomb protectionNot Applicable

Automated report output (excerpt)

**Audit Date:** 2025-08-21
**Application:** Express Login Demo
**Scope:** File upload functionality security assessment
**Auditor:** Claude Code Security Assessment

## Executive Summary

**Finding:** No file upload functionality present in the application.

The Express Login Demo application does not implement any file upload capabilities. The application is a simple authentication-only service with a single login endpoint that accepts JSON credentials.

## Risk Assessment

**Overall Risk Score:** 0/10 (No file upload functionality present)

Since there is no file upload functionality in the application, there are no file upload-related security vulnerabilities to address.

## Detailed Analysis

- Detailed analysis of the current architecture
- Security checklist results (all N/A due to no file upload functionality)
- Comprehensive recommendations for secure implementation if file uploads are added in the future
- Example code snippets for proper file validation, sanitization, and security controls
A saved audit report is available at /audits/FILE_UPLOAD_SECURITY_AUDIT.md. The audit concluded with a risk score of 0/10 because upload functionality is absent. This is a valid result: the application’s attack surface is reduced by not accepting files.

Example secure multer configuration (if you add uploads)

If you later add file uploads, use this secure starter configuration as a baseline. It enforces a whitelist, size limits, and stores files outside the webroot. Adapt it for your environment and add magic-number checks, AV scanning, and ZIP handling as needed. 
const path = require('path');
const multer = require('multer');

const upload = multer({
  dest: '/app/uploads/', // store outside webroot
  limits: {
    fileSize: 5 * 1024 * 1024, // 5 MB limit
    files: 1
  },
  fileFilter: (req, file, cb) => {
    // Whitelist approach
    const allowedTypes = ['image/jpeg', 'image/png', 'application/pdf'];
    const allowedExtensions = ['.jpg', '.jpeg', '.png', '.pdf'];

    const ext = path.extname(file.originalname).toLowerCase();

    if (allowedTypes.includes(file.mimetype) && allowedExtensions.includes(ext)) {
      cb(null, true);
    } else {
      cb(new Error('Invalid file type'), false);
    }
  }
});
Note: The config above uses disk storage via dest. If you need to validate magic numbers or scan contents before saving, consider multer.memoryStorage() or accept uploads into a quarantine/temp directory and validate content before moving to permanent storage.

Practical notes for secure implementation (defense-in-depth)

  • Validate file magic numbers before finalizing storage; use memory storage or a quarantine directory to inspect content before moving it to permanent storage.
  • Sanitize and normalize filenames. Prefer generated filenames or UUIDs rather than user-supplied names.
  • Enforce strict file permissions and never place uploads within the webroot.
  • Integrate AV scanning for production systems that accept user files.
  • When processing archives or images, set strict decompression limits and guard against nested archives to mitigate ZIP bombs.
  • Log upload attempts and enforce rate limits to mitigate abuse.
  • Apply least privilege to any service processing uploaded files and isolate processing steps where feasible.

Final summary

  • Current posture: No upload functionality → minimal file-upload risk (0/10).
  • If adding uploads, prioritize:
    1. Whitelist validation + magic-number checks
    2. File size limits + storage outside webroot
    3. AV scanning + archive (ZIP) protections
This audit found no file upload functionality in the Express Login Demo application. If you add uploads later, follow the checklist above and combine multiple protections (whitelist, magic-number validation, size limits, AV scanning, and safe storage) for defense-in-depth.

Watch Video