github.com/cafxx/httpcompression
This is a small Go package which wraps HTTP handlers to transparently compress response bodies using zstd, brotli, gzip or deflate - for clients which support them. Although it's usually simpler to leave that to a reverse proxy (like nginx or Varnish), this package is useful when that is undesirable. In addition, this package allows users to extend it by plugging in third-party or custom compression encoders.
Note: This package was recently forked from the dead NYTimes/gziphandler. Maintaining drop-in compatibility is not a goal of this fork, as the scope of this fork is significantly wider than the original package.
:warning: As we have not reached 1.0 yet, API is still subject to changes.
While no dedicated demo exists, the demo website for regexp2go internally uses `httpcompression` to transparently compress responses.

```sh
go get github.com/CAFxX/httpcompression
```
Call `httpcompression.DefaultAdapter` to get an adapter that can be used to wrap any handler (an object which implements the `http.Handler` interface), to transparently provide response body compression.
Note that `httpcompression` automatically compresses using Zstandard, Brotli, Deflate, and Gzip depending on the capabilities of the client (`Accept-Encoding`) and the configuration of this handler (by default, Zstandard, Brotli and gzip are all enabled and, conditional on client support, used in that order of preference).
As a simple example:
```go
package main

import (
	"io"
	"log"
	"net/http"

	"github.com/CAFxX/httpcompression"
)

func main() {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain")
		io.WriteString(w, "Hello, World")
	})
	// Use the default configuration; stop if the adapter cannot be built.
	compress, err := httpcompression.DefaultAdapter()
	if err != nil {
		log.Fatal(err)
	}
	http.Handle("/", compress(handler))
	// ListenAndServe only returns on failure, so report the error.
	log.Fatal(http.ListenAndServe("0.0.0.0:8080", nil))
}
```
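An added example, not the package's own code: a stdlib-only model of the negotiation described above, in which the handler's default order of preference is matched against the client's `Accept-Encoding`, honouring `q=0` refusals and the `*` wildcard. The names `serverOrder`, `parseAcceptEncoding` and `negotiate` and the server-first selection rule are assumptions for illustration; the package's actual algorithm may differ.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Default order of preference stated above, as Content-Encoding tokens.
var serverOrder = []string{"zstd", "br", "gzip"}

// parseAcceptEncoding maps each coding to its q-value (1.0 when no weight is given).
func parseAcceptEncoding(header string) map[string]float64 {
	accepted := make(map[string]float64)
	for _, part := range strings.Split(header, ",") {
		fields := strings.Split(part, ";")
		coding := strings.ToLower(strings.TrimSpace(fields[0]))
		if coding == "" {
			continue
		}
		q := 1.0
		if len(fields) > 1 {
			p := strings.ToLower(strings.TrimSpace(fields[1]))
			v, err := strconv.ParseFloat(strings.TrimPrefix(p, "q="), 64)
			if err != nil || v < 0 || v > 1 {
				v = 0 // malformed weight: treat the coding as refused
			}
			q = v
		}
		accepted[coding] = q
	}
	return accepted
}

// negotiate returns the first coding in server order accepted with q > 0, or "" for no compression.
func negotiate(header string, order []string) string {
	accepted := parseAcceptEncoding(header)
	star := accepted["*"] // 0 when the client sent no wildcard
	for _, coding := range order {
		q, listed := accepted[coding]
		if (listed && q > 0) || (!listed && star > 0) {
			return coding
		}
	}
	return ""
}

func main() {
	fmt.Println(negotiate("gzip, deflate, br", serverOrder)) // constructed header
}
```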
It is possible to use custom compressor implementations by specifying a `CompressorProvider` for each of the encodings the adapter should support. This also makes it possible to support arbitrary `Content-Encoding` schemes (e.g. `lzma`, or zstd with a static dictionary - see the examples).
```go
pgz, err := httpcompression.Compressor("gzip", 0, pgzip.New(pgzip.Options{Level: 6}))
if err != nil {
	log.Fatal(err)
}
compress, err := httpcompression.Adapter(
	// use klauspost/pgzip as compressor for the "gzip" content-encoding, with priority 0
	pgz,
)
if err != nil {
	log.Fatal(err)
}
http.Handle("/", compress(handler))
```
The `contrib/` directory contains a number of bundled implementations that are ready for use:

Content-Encoding | Provider package | Implementation package | Notes | Dictionary | Go/cgo | Default | IANA registry |
---|---|---|---|---|---|---|---|
deflate | contrib/compress/zlib | compress/zlib | Slower than klauspost/zlib | Yes | Go | Yes | Yes |
deflate | contrib/klauspost/zlib | github.com/klauspost/compress/zlib | | Yes | Go | No | Yes |
gzip | contrib/compress/gzip | compress/gzip | Slower than klauspost/gzip | No | Go | Yes | Yes |
gzip | contrib/klauspost/gzip | github.com/klauspost/compress/gzip | | No | Go | No | Yes |
gzip | contrib/klauspost/pgzip | github.com/klauspost/pgzip | Parallel compression | No | Go | No | Yes |
zstd | contrib/klauspost/zstd | github.com/klauspost/compress/zstd | | Yes | Go | Yes | Yes |
zstd | contrib/valyala/gozstd | github.com/valyala/gozstd | Slower than klauspost/zstd | Yes | cgo | No | Yes |
brotli | contrib/andybalholm/brotli | github.com/andybalholm/brotli | Slower than google/brotli | No | Go | Yes | Yes |
brotli | contrib/google/cbrotli | github.com/google/brotli | Requires brotli libraries to be installed | No | cgo | No | Yes |
lz4 | contrib/pierrec/lz4 | github.com/pierrec/lz4/v4 | | No | Go | No | No |
xz | contrib/ulikunitz/xz | github.com/ulikunitz/xz | | No | Go | No | No |
In addition to the default support for `net/http`, `httpcompression` provides adapters for the following web frameworks:

Framework | Adapter |
---|---|
github.com/gofiber/fiber/v2 | contrib/gofiber/fiber/v2 |
github.com/labstack/echo | contrib/labstack/echo |
github.com/gin-gonic/gin | contrib/gin-gonic/gin |
See the benchmark results to get an idea of the relative performance and compression efficiency of gzip, brotli and zstd in the current implementation.