I need to save very sensitive data from an Excelfile that the user uploads. The data will then be saved to mySQL. All is done in Node.js.
Now I wonder what is the most secure way to upload the file.
Should I use Multer (https://expressjs.com/en/resources/middleware/multer.html) which has a memoryStorage option (a buffer of the entire file), or should I save the file to a folder and then delete it as soon as all data is added to mySQL?
From a security viewpoint, what is the best option?
In general memory-only leaves less cruft behind, particularly if you explicitly overwrite the memory when finished, assuming you can handle it all in memory.
Deleted files are recoverable to a large degree, but then again so is the mySQL content.
Realistically I think other factors are the main issue. How are you protecting the server and its content independent of the upload handler.
It depends on how big the files can be, how many users you have, how much RAM you have.
If the file size is limited and is relatively small, if the number of users is relatively small so that the volume of files they upload simultaneously is essentially less than RAM available, then it is fine to use memory-only approach.
If the volume of files that are being uploaded simultaneously is comparable with RAM available or greater, then memory-only approach can lead to a lot of swapping and considerable response delays, and even to timeouts. Application performance can degrade essentially for all users, even for those who don't upload anything at the moment. Then file based approach can be better.
If you fully control the server, then file based approach is as secure as memory-only. Memory-only approach does not mean that all your data are really all the time stored in memory. If the operating system decides to swap a part of its memory to disk, your data will be written to the disk.
