@bocoup/windows-sapi-tts-engine-for-automation
A WebSocket server which allows clients to observe the text enunciated by a screen reader and to simulate user input
aria-at-automation · aria-at-automation-harness · aria-at-automation-driver · aria-at-automation-results-viewer
"Tools for Native Modules" is required to install the "robotjs" npm module, which is a dependency of this project.
Install the project by executing the following command:
npm install -g @bocoup/windows-sapi-tts-engine-for-automation
If prompted for system administration permission, grant permission.
Start the server by executing the following command in a terminal:
at-driver
The process will write a message to the standard error stream when the
WebSocket server is listening for connections. The --help flag will cause
the command to output advanced usage instructions (e.g. at-driver --help).
Configure any screen reader to use the synthesizer named "Microsoft Speech API version 5" and the text-to-speech voice named "Bocoup Automation Voice."
Use any WebSocket client to connect to the server specifying v1.aria-at.bocoup.com as the sub-protocol.
The protocol is described below. (The server will print protocol messages to
its standard error stream for diagnostic purposes only. Neither the format
nor the availability of this output is guaranteed, making it inappropriate
for external use.)
type and data
"lifecycle", "speech", or "error"
"lifecycle" - signifies that the message data is an expected lifecycle of the automation voice (e.g. initialization and destruction)
"speech" - signifies that the message data is text which a screen reader has requested the operating system annunciate
"error" - signifies that an exceptional circumstance has occurred

This project uses an application-level protocol named v1.aria-at.bocoup.com
to communicate with clients via a WebSocket connection. All messages are
encoded as JSON text.
// Clients may send Command messages to the server at any time. The server will
// respond to every Command it receives with a corresponding Response whose
// `id` value matches that of the Command which initiated it. The client may
// use any numeric value to uniquely identify the Command and to correlate the
// eventual Response.
interface PressKeyCommand {
  type: 'command';
  id: number;
  name: 'pressKey';
  params: [string];
}

interface ReleaseKeyCommand {
  type: 'command';
  id: number;
  name: 'releaseKey';
  params: [string];
}

interface SuccessResponse {
  type: 'response';
  id: number;
  result: any;
}

interface ErrorResponse {
  type: 'response';
  id: number;
  error: string;
  message: string;
}

interface SpeechEvent {
  type: 'event';
  name: 'speech';
  data: string;
}

interface LifecycleEvent {
  type: 'event';
  name: 'lifecycle';
  data: string;
}

interface InternalErrorEvent {
  type: 'event';
  name: 'internalError';
  data: string;
}
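The following is an added example, not code from the at-driver project: a client-side handler that builds Command messages, checks every incoming frame against the message shapes declared above, and accepts a Response only when its id matches a Command the client actually sent. The names createSession, command, receive and pendingCount are hypothetical, and the sample frames are constructed.

```javascript
// Added example; createSession() and its method names are hypothetical,
// not part of at-driver. Message shapes follow the interfaces above.
const EVENT_NAMES = new Set(['speech', 'lifecycle', 'internalError']);
const COMMAND_NAMES = new Set(['pressKey', 'releaseKey']);
const invalid = (reason) => ({ kind: 'invalid', reason });

function createSession() {
  const pending = new Map(); // command id -> name, awaiting a Response
  let nextId = 1;
  // Serialize a Command and remember its id for correlation.
  function command(name, key) {
    if (!COMMAND_NAMES.has(name)) throw new RangeError(`unknown command: ${name}`);
    if (typeof key !== 'string') throw new TypeError('key must be a string');
    const id = nextId++;
    pending.set(id, name);
    return JSON.stringify({ type: 'command', id, name, params: [key] });
  }

  // Classify one raw text frame from the server; never throws on bad input.
  function receive(raw) {
    let msg;
    try { msg = JSON.parse(raw); } catch { return invalid('not JSON'); }
    if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
      return invalid('not an object');
    }
    if (msg.type === 'event') {
      const ok = EVENT_NAMES.has(msg.name) && typeof msg.data === 'string';
      return ok ? { kind: 'event', name: msg.name, data: msg.data } : invalid('malformed event');
    }
    if (msg.type !== 'response') return invalid('unknown type');
    // A Response must answer a Command this client actually sent.
    if (!pending.has(msg.id)) return invalid('unsolicited response');
    const isError = typeof msg.error === 'string' && typeof msg.message === 'string';
    if (!isError && !('result' in msg)) return invalid('malformed response');
    const name = pending.get(msg.id);
    pending.delete(msg.id); // each id may be answered once
    return isError
      ? { kind: 'failure', id: msg.id, command: name, error: msg.error, message: msg.message }
      : { kind: 'success', id: msg.id, command: name, result: msg.result };
  }

  return { command, receive, pendingCount: () => pending.size };
}

// Constructed sample frames (not captured from a real server).
const demo = createSession();
demo.command('pressKey', 'a');
console.log(demo.receive('{"type":"response","id":1,"result":null}').kind); // success
console.log(demo.receive('{"type":"event","name":"speech","data":42}').reason); // malformed event
```

The strings returned by command() are what a client would pass to its WebSocket library's send call, and each text frame received goes through receive() before any of its fields are used.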
This tool is comprised of two main components: a text-to-speech voice and a WebSocket server.
The text-to-speech voice is written in C++ and integrates with the Microsoft Speech API (SAPI). Because it interfaces with the Windows operating system (that is: "below" the screen reader in the metaphorical software stack), it can observe speech from many screen readers without coupling to any particular screen reader.
The voice has two responsibilities. First, it emits the observed speech data and related events to a Windows named pipe. This allows the second component to present a robust public interface for programmatic consumption of the data. (The named pipe is an implementation detail. Neither its content nor its presence is guaranteed, making it inappropriate for external use.)
Second, the voice annunciates speech data. It does this by forwarding speech data to the system's default text-to-speech voice. This ensures that a system configured to use the voice remains accessible to screen reader users.
The WebSocket server is written in Node.js and allows an arbitrary number of clients to observe events on a standard interface. It has been designed as an approximation of an interface that may be exposed directly by screen readers in the future.
For details on contributing to this project, please refer to the file named CONTRIBUTING.md.
Licensed under the terms of the MIT Expat License; the complete text is available in the LICENSE file.
Copyright for portions of AT Driver are held by Microsoft as part of the "Sample Text-to-Speech Engine and MakeVoice" project. All other copyright for AT Driver are held by Bocoup.
A collection of projects for automating assistive technology tests from w3c/aria-at and beyond
aria-at-automation-harness
A command-line utility for executing test plans from w3c/aria-at without human intervention using the aria-at-automation-driver
aria-at-automation-driver
A WebSocket server which allows clients to observe the text enunciated by a screen reader and to simulate user input
aria-at-automation-results-viewer
A tool which translates the JSON-formatted data produced by the aria-at-automation-harness into a human-readable form
FAQs
We found that @bocoup/windows-sapi-tts-engine-for-automation demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.