惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CERT Recently Published Vulnerability Notes
U
Unit 42
T
The Blog of Author Tim Ferriss
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog RSS Feed
Microsoft Azure Blog
Microsoft Azure Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
L
Lohrmann on Cybersecurity
Blog — PlanetScale
Blog — PlanetScale
Recorded Future
Recorded Future
D
DataBreaches.Net
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
I
Intezer
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
InfoQ
宝玉的分享
宝玉的分享
Security Latest
Security Latest
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Threatpost
Cisco Talos Blog
Cisco Talos Blog
P
Proofpoint News Feed
博客园 - 司徒正美
H
Hacker News: Front Page
Y
Y Combinator Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
月光博客
月光博客
有赞技术团队
有赞技术团队
Cloudbric
Cloudbric
酷 壳 – CoolShell
酷 壳 – CoolShell
G
Google Developers Blog
A
Arctic Wolf
博客园 - 【当耐特】
W
WeLiveSecurity
V
Visual Studio Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
V2EX
C
Cyber Attacks, Cyber Crime and Cyber Security
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
The Cloudflare Blog
Stack Overflow Blog
Stack Overflow Blog

Stack Overflow Blog

Paging Charity! How can engineering leaders avoid becoming Bond villains? Code isn’t the only thing causing your production failures Your AI shipped a backend that boots. That is the whole problem. The 2026 Developer Survey is now open (for human developers only)! Oh the places you’ll go with spatial data Dispatches from O'Reilly: From capabilities to responsibilities You don’t understand DNS like you think you do The new bottleneck - Stack Overflow AI agents are a confused deputy with the keys to your kingdom If context is king, architecture is the castle Selenium vs Cypress vs Playwright: Choosing Your Test Automation Framework AI agents expose the security checks you never actually wrote Designing CherryScript: Optimizing Data-Driven Workflows via Custom Python-Based Interpreters Paging Charity? How do I get my leaders to stop running teams Into the ground? Developers are emotionally attached to their tools When the cost of code approaches zero, what does engineering leadership look like? Announcing Stack Overflow for Agents Creating checkpoints by gaslighting a Postgres database What can 500 years of journalism teach developers about AI trustworthiness? Making the OWASP top ten in the vibe code era What it takes to be a player in the international AI game Best of the Heap: First post of the past The find out stage of AI is just supply chain and password protection In an AI world, the most valuable developers will be both artisans and builders Agents on a leash: Agentic AI remains mostly single-agent and monitored at work Do you have what it takes to run AI in production? Dispatches from O'Reilly: The accidental orchestrator Breaking your AI storage bottlenecks Coding agents are giving everyone decision fatigue Pack your agentic stack in Slack Your fridge could be a threat to national security Interviews aren’t about you (sorry) “You can't vibe code scale”: What the AI hype gets wrong about software engineering No Dumb Questions: What is cloud computing and why is everyone doing it? Observability and human intuition in an AI world How Braze’s CTO is rethinking engineering for the agentic area You shipped it fast. But did you ship it right? Building a Google Drive Sync Engine that Survives MV3 Service Workers Connecting the dots for accurate AI When the Sensor Starts Thinking: SnortML, Agentic AI, and the Evolving Architecture of Intrusion Detection OAuth 2.0 – Device flow explained for Engineers, especially for Backend Engineers Introducing the Heap, the software engineering blog for everyone Compile-Time Map and Compile-Time Mutable Variable with C++26 Reflection No Dumb Questions: What is an MCP server and why do I care? AI giveth and AI taketh CPU How we replaced Ingress-NGINX at Stack Overflow What (un)exactly do you mean by semantic search? Dispatches from O'Reilly: Fast paths and slow paths Time is a construct but it can still break your software The Worst Coder in the World goes agentic: building a leaderboard cracking AI Turning scattered knowledge into trusted intelligence: Stack Internal 2026.3 Your LLM issues are really data issues Welcome to the “find out” stage of AI Lights, camera, open source! - Stack Overflow Black box AI drift: AI tools are making design decisions nobody asked for How to get multiple agents to play nice at scale We still need developer communities No country left behind with sovereign AI Human input needed: take our survey on AI agents Why AI hasn't replaced human expertise—and what that means for your SaaS stack Who needs VCs when you have friends like these? The messy truth of your AI strategies Gen Z needs a knowledge base (and so do you) He designed C++ to solve your code problems Seizing the means of messenger production What the AI trust gap means for enterprise SaaS How can you test your code when you don’t know what’s in it? Prevent agentic identity theft - Stack Overflow Building shared coding guidelines for AI (and people too) Multi-stage attacks are the Final Fantasy bosses of security After all the hype, was 2025 really the year of AI agents? AI is becoming a second brain at the expense of your first one Building a global engineering team (plus AI agents) with Netlify Keeping the lights on for open source Domain expertise still wanted: the latest trends in AI-assisted knowledge for developers Open source for awkward robots The context problem: Why enterprise AI needs more than foundation models Even the chip makers are making LLMs Organizing productive platform teams - Stack Overflow Building brains for bulldozers - Stack Overflow DeveloperWeek 2026: Making AI tools that are actually good AI-assisted coding needs more than vibes; it needs containers and sandboxes No need for Ctrl+C when you have MCP What’s new at Stack Overflow: March 2026 To live in an AI world, knowing is half the battle Beyond block or allow: How pay-per-crawl is reshaping public data monetization Your sneak peek at the redesigned Stack Overflow Dogfood so nutritious it’s building the future of SDLCs Even GenAI uses Wikipedia as a source Why Stack Overflow and Cloudflare launched a pay-per-crawl model Mind the gap: Closing the AI trust gap for developers Data is the new oil, and your database is the only way to extract it Even your voice is a data problem How everyone and anyone can use AI for good Is anyone using AI for good? The logos, ethos, and pathos of your LLMs Why demand for code is infinite: How AI creates more developer jobs AI attention span so good it shouldn’t be legal Code smells for AI agents: Q&A with Eno Reyes of Factory Generating text with diffusion (and ROI with LLMs)
Defense against uploads: Q&A with OSS file scanner, pompelmi
2026-02-23 · via Stack Overflow Blog

With bad code being easier than ever to write thanks to AI, application security is ever more important. One of the earliest attack vectors for the internet are file uploads, and they are still a threat. Open source projects like pompelmi provide easy and flexible ways to defend against this attack using modern tech. I spoke with the creator of the project, Tommaso Bertocchi, about how it works.

—---------------------------

Q: When people think of application security today, they usually think in terms of network connections, user auth, and API security. File uploads seems like a niche and/or early internet problem. What made you want to create a solution for this issue?

Tommaso Bertocchi: You're right that file upload security is often overshadowed by network or API security, but it remains a critical attack vector that is frequently overlooked because of its perceived complexity. I created pompelmi because I noticed a significant gap: there were no modern, developer-friendly solutions that could be integrated quickly. Traditionally, setting up a malware scanner required deep domain expertise and hours of configuration, which often discourages solo developers. By making the integration seamless and 'plug-and-play' for Node.js environments, I wanted to encourage more developers to secure their applications, ultimately making the web safer.

Q: You call file uploads "a critical attack vector that is frequently overlooked because of its perceived complexity." Could you expand on this? What's the risk here? Are there recent breaches that came from file uploads? Why is this attack vector complex to deal with? Is there something more than just block .exe files?

TB: File uploads look simple, but they introduce a meaningful security boundary because you’re accepting untrusted, complex inputs into your system. The risk isn’t only “someone uploads a virus.” In practice, weak upload handling can increase exposure to issues such as unintended execution or unsafe processing paths (depending on how files are stored and later handled), denial-of-service scenarios via pathological inputs (e.g., archives designed to consume resources), and bypasses of superficial checks (extensions, client-provided MIME types, filename tricks). This tends to happen most often when uploads are implemented quickly and rely on minimal validation.

Q: Why node.js for this instead of language that compiles to bytecode?

TB: The choice of Node.js was purely strategic and driven by Developer Experience (DX). If I had built this in a language that compiles to bytecode, it would have introduced another layer of friction—requiring developers to manage external runtimes or complex IPC. Since modern web development is heavily centered around the Node.js ecosystem (React, Angular, Next.js), building pompelmi in the same language allows for a 'native' integration. It lives where the code lives, ensuring that security doesn't feel like a clunky external chore.

Q: How do you scan suspect files without persisting them and keep everything fast?

TB: The core of pompelmi's performance lies in its in-process, stream-based architecture. We achieve this by using Node.js streams and configurable buffer limits to analyze file bytes directly in memory as they are uploaded, avoiding the heavy I/O overhead of disk writes. Additionally, since the engine runs within the same process, there is no network latency. We also use 'magic bytes' to quickly identify file types; if a file violates a policy (like a ZIP bomb), we terminate the scan instantly before the entire file is even processed.

Q: There's a lot of flexibility built in with YARA and multiple composed scanners, but that could put some of the identification burden on the user. Do you provide YARA recipes or other best practices for identification?

Q: I agree that flexibility shouldn't come at the cost of usability. To prevent the 'blank page' problem, pompelmi comes with built-in policy presets and a Common Heuristics Scanner. These handle the most frequent threats out of the box, such as ZIP bombs and MIME/Magic Byte verification. We also provide a set of standard YARA recipes and 'reason codes' to explain why a file was flagged. Our goal is a 'secure-by-default' experience where developers can start protected and then add custom rules as they evolve.

Q: Do people need to keep up with the latest security news in order to protect their file upload systems? Or this a case of protecting against the most common attacks gets you pretty solid security?

TB: Keeping up with every new exploit in real time is difficult in practice, especially across many technologies. A more realistic approach is to implement a strong baseline that addresses common, repeatable failure modes (e.g., strict allowlists, server-side type validation, safe storage/handling, resource/time bounds, archive hardening), and then keep the parts that change frequently updated where relevant (e.g., patching dependencies and refreshing detection content such as scanning rules). pompelmi is built around this layered, policy-driven approach — providing guardrails like server-side validation, archive checks, resource limits, and optional YARA-based scanning — to help teams adopt a solid baseline without building a custom pipeline from scratch.

Q: Is it hard being the primary maintainer of this project? Do you prefer having the control?

TB: Being the sole maintainer allows me the creative freedom to make swift decisions and keep the project’s vision focused. However, I’m also realistic. My goal is to scale this from a personal project into a full-fledged organization. I want to build a team and an infrastructure that can provide advanced resources and consistent updates, moving beyond a single-person dependency while maintaining that core developer-centric spirit.

Q: What was something unexpectedly complex or difficult in creating this project?

TB: The most unexpectedly challenging part was framework compatibility. Each Node.js framework handles uploads differently—middleware vs. plugins, request/response lifecycles, body parsing, streaming vs in-memory buffers, and error-handling conventions. Building pompelmi as a “drop-in” upload protection layer across multiple stacks meant designing a consistent core policy and then maintaining dedicated adapters so developers can apply the same rules and get predictable behavior across environments.

Q: We've seen a lot of important OSS projects run into trouble when the lead maintainer burns out or needs to get a day job. Are you actively looking for contributors, ways to monetize, or foundational support?

TB: I am very conscious of the burnout risk, which is why I’m currently looking to partner with or gain the backing of an established company—ideally a leader in the tech industry. Such support would provide the infrastructure and resources to transition the project to a professional-grade standard. Whether through corporate sponsorship or foundational support, my priority is to secure the project’s future so it can continue to serve the community reliably in the long term.

Q: Have you contributed to other OSS projects? If so, what did you learn about maintaining a project and dealing with contributors?

TB: pompelmi is my first open-source project and the first one I’ve maintained end-to-end. What I’ve learned quickly is that the most useful feedback isn’t just stars or download counts — it’s direct human feedback through issues, pull requests, and reviews. That’s where you see real user needs, edge cases, and expectations around reliability. Those discussions have helped me iterate: fix bugs, refine APIs, improve docs/examples, and add features that address recurring problems, while keeping the project stable and predictable. Maintaining it mostly solo is challenging, but I aim to be responsive, transparent about trade-offs, and careful about changes that could affect users.