Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@mercuryworkshop/wisp-js
Advanced tools
A client and server for the Wisp protocol, written in Javascript
This is an implementation of a Wisp client and server, written in Javascript for use in NodeJS and in the browser.
@mercuryworkshop/wisp-js/client
- Only contains the client code.@mercuryworkshop/wisp-js/server
- Contains the server code, and the logging module.@mercuryworkshop/wisp-js
- Contains the server, client, and logging code.All of these entrypoints support being imported as either a CommonJS or ES6 module.
THere is a CLI interface available for the Wisp server, and it can be used by installing the package with npm, then running:
$ npx wisp-js-server --help
Usage: wisp-js-server [options]
A Wisp server implementation written in Javascript. (v0.2.1)
Options:
-V, --version output the version number
-H, --host <host> The hostname the server will listen on. (default: "127.0.0.1")
-P, --port <port> The port number to run the server on. (default: 5001)
-L, --logging <log_level> The log level to use. This is either DEBUG, INFO, WARN, ERROR, or NONE. (default: "INFO")
-S, --static <static_dir> The directory to serve static files from. (optional) (default: null)
-C, --config <config_path> The path to your server config file. (optional) (default: null)
-h, --help display help for command
You may also clone this repository and run npn run server_cli -- --help
.
The config file is a JSON file with the same entries as the global server config in the API.
To use the library as an ES6 module, either in Node or using a bundler for the browser, include the following import:
import { client as wisp } from "@mercuryworkshop/wisp-js/client";
To use it in Node with CommonJS:
const { client: wisp } = require("@mercuryworkshop/wisp-js/client");
If you are not using a bundler, you may import the files in the dist folder of the package. The wisp-client.mjs
file is an ES6 module that has the same entrypoint as the example above. The wisp-client.js
file is a regular JS file that produce a global variable named wisp_client
, which contains all of the exported modules.
You can create a new Wisp connection by creating a new ClientConnection
object. The only argument to the constructor is the URL of the Wisp websocket server. Use the open
event to know when the Wisp connection is ready.
import { client as wisp } from "@mercuryworkshop/wisp-js/client";
let conn = new wisp.ClientConnection("wss://example.com/wisp/");
conn.onopen = () => {
console.log("wisp connection is ready!");
};
conn.onclose = () => {
console.log("wisp connection closed");
};
conn.onerror = () => {
console.log("wisp connection error");
};
Once you have your WispConnection
object, and you have waited for the connection to be established, you can use the WispConnection.create_stream
method to create new streams. The two arguments to this function are the hostname and port of the new stream, and a WispStream
object will be returned. You can also pass a third argument to create_stream
, which is the type of the stream, and it can be either "tcp"
(the default) or "udp"
.
For receiving incoming messages, use the onmessage
callback on the WispStream
object. The returned data will always be a Uint8Array
. The onclose
callback can be used to know when the stream is closed.
You can use stream.send
to send data to the stream, and it must take a Uint8Array
as the argument. Newly created streams are available for writing immediately, so you don't have to worry about waiting to send your data.
let stream = conn.create_stream("www.google.com", 80);
stream.onmessage = (data) => {
let text = new TextDecoder().decode(data);
console.log(text);
};
stream.onclose = (reason) => {
console.log("stream closed for reason: " + reason);
};
let payload = "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n";
stream.send(new TextEncoder().encode(payload));
The polyfill.js
file provides an API similar to the regular DOM WebSocket API. Instead of creating new WebSocket
objects, create WispWebSocket
objects. Make sure the URL ends with the hostname and port you want to connect to. If you have code that uses the older wsproxy protocol, you can use this polyfill to provide Wisp support easily.
import { client as wisp } from "@mercuryworkshop/wisp-js/client";
let ws = new wisp.WispWebSocket("wss://example.com/ws/alicesworld.tech:80");
ws.binaryType = "arraybuffer";
ws.addEventListener("open", () => {
let payload = "GET / HTTP/1.1\r\nHost: alicesworld.tech\r\nConnection: keepalive\r\n\r\n";
ws.send(payload);
});
ws.addEventListener("message", (event) => {
let text = new TextDecoder().decode(event.data);
console.log("message from stream 1: ", text.slice(0, 128));
});
The wisp_client._wisp_connections
object will be used to manage the active Wisp connections. This object is able to store multiple active Wisp connections, identified by the websocket URL.
To use the library as an ES6 module, either in Node or using a bundler for the browser, include the following import:
import { server as wisp } from "@mercuryworkshop/wisp-js/server";
To use it in Node with CommonJS:
const { server: wisp } = require("@mercuryworkshop/wisp-js/client");
This is designed to be a drop-in replacement for wisp-server-node. You can replace your old import with one of the above examples, and your application will still work in the same way.
This example uses the node:http
module as a basic web server. It accepts new Wisp connections from incoming websockets.
import { server as wisp } from "@mercuryworkshop/wisp-js/server";
import http from "node:http";
const server = http.createServer((req, res) => {
res.writeHead(200, { "Content-Type": "text/plain" });
res.end("wisp server js rewrite");
});
server.on("upgrade", (req, socket, head) => {
wisp.routeRequest(req, socket, head);
});
server.on("listening", () => {
console.log("HTTP server listening");
});
server.listen(5001, "127.0.0.1");
import { server as wisp } from "@mercuryworkshop/wisp-js/server";
import express from "express";
import morgan from "morgan";
const app = express();
const port = process.env.PORT || 5001;
app.use(morgan("combined"));
app.use(express.static("./"));
const server = app.listen(port, () => {
console.log("Listening on port: ", port)
});
server.on("upgrade", (request, socket, head) => {
wisp.routeRequest(request, socket, head);
});
By default, all info messages are shown. You can change this by importing logging
from the module, and calling logging.set_level
to set it to one of the following values:
logging.DEBUG
logging.INFO
(default)logging.WARN
logging.ERROR
logging.NONE
import { server as wisp, logging } from "@mercuryworkshop/wisp-js/server";
logging.set_level(logging.DEBUG);
To change settings globally for the Wisp server, you can use the wisp.options
object.
The available settings are:
options.hostname_blacklist
- An array of regex objects to match against the destination server. Any matches will be blocked.options.hostname_whitelist
- Same as hostname_blacklist
, but only matches will be allowed through, and setting this will supersede hostname_blacklist
.options.port_blacklist
- An array of port numbers or ranges to block on the destination server. Specific ports are expressed as a single number, and ranges consist of a two element array containing the start and end. For example 80
and [3000, 4000]
are both valid entries in this array.options.port_whitelist
- Same as port_whitelist
, but only matches will be allowed through, and setting this will supersede port_blacklist
.options.stream_limit_per_host
- The maximum number of streams that may be open to a single hostname, per connection. Defaults to no limit.options.stream_limit_total
- The total number of streams that may be open to all hosts combined, per connection. Defaults to no limit.options.allow_udp_streams
- If this is false
, UDP streams will be blocked. Defaults to true
.options.allow_tcp_streams
- If this is false
, TCP streams will be blocked. Defaults to true
.For example:
wisp.options.port_whitelist = [
[5000, 6000],
80,
443
]
wisp.options.hostname_blacklist = [
/google\.com/,
/reddit\.com/,
]
This library is licensed under the GNU AGPL v3.
wisp-js: a Wisp client implementation written in JavaScript
Copyright (C) 2024 Mercury Workshop
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
FAQs
A client and server for the Wisp protocol, written in Javascript
The npm package @mercuryworkshop/wisp-js receives a total of 652 weekly downloads. As such, @mercuryworkshop/wisp-js popularity was classified as not popular.
We found that @mercuryworkshop/wisp-js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.