Software teams building services in JavaScript are adding more layers of defense to handle untrusted file uploads. An open-source project called Pompelmi aims to insert malware scanning and policy checks directly into Node.js applications before files reach storage or business logic.
Pompelmi is built for JavaScript and TypeScript environments and runs directly within the application process. Files are scanned in memory at upload time, allowing applications to make accept or reject decisions early in the request flow.
Inline scanning in application code
At its core, Pompelmi acts as a file scanner that developers can embed into upload handlers. Incoming files are evaluated against a series of checks that can flag content as acceptable, suspicious, or malicious based on configured rules.
The scanner operates without external network calls. This design allows scanning decisions to remain within the application boundary, which can be relevant for environments with privacy, latency, or regulatory constraints. File data does not leave the service during inspection.
Pompelmi is designed to work with file buffers before they are written to disk or object storage. This approach reduces exposure by preventing unsafe content from reaching downstream systems.
File policies and archive inspection
The toolkit supports multiple policy controls that teams can tailor to their risk requirements. Developers can enforce allowed file extensions, maximum file sizes, and server-side MIME type validation. MIME checks compare declared content types with detected file signatures to reduce reliance on user-provided metadata.
One focus area is compressed file handling. Pompelmi inspects archive contents prior to extraction and applies limits on recursion depth, total file counts, and archive size expansion. These controls are intended to reduce exposure to archive bomb techniques and nested payload delivery.
Policy configuration allows teams to define thresholds and rejection behavior. Scan outcomes can be logged or surfaced to application logic without storing the uploaded file.
Pluggable scanning logic
Pompelmi supports multiple scanning strategies that can be combined within a single workflow. Default checks look for risky patterns and structural indicators. The toolkit also provides interfaces for adding custom scanners.
Optional signature-based scanning can be enabled through a pluggable engine model. This allows developers to integrate signature sets or scanning logic that align with their own detection requirements.
Framework integrations and middleware
To simplify adoption, Pompelmi provides adapters for common Node.js web frameworks. Middleware packages are available for Express and Koa, allowing file uploads to be intercepted and scanned as part of request handling. The project also supports integration with Next.js routing patterns.
In typical deployments, developers install the scanner alongside a framework adapter. The adapter applies scanning logic to upload routes and controls whether requests proceed based on scan results. Rejected uploads can be handled through standard error paths.
Beyond runtime use, Pompelmi can be applied in build and pipeline workflows. A GitHub Action provided by the project allows teams to scan artifacts or repositories during continuous integration. This supports early detection of unsafe content before deployment.
Pompelmi is available for free download on GitHub.