@xmtp/content-type-remote-attachment
An XMTP content type to support sending file attachments that are stored off network
The @xmtp/content-type-remote-attachment package provides an XMTP content type to support sending file attachments that are stored off-network. Use it to enable your app to send and receive message attachments.
Open for feedback
You are welcome to provide feedback on this implementation by commenting on the Remote Attachment Content Type XIP (XMTP Improvement Proposal).
Attachments are files. More specifically, attachments are objects that have:
filename: Most files have names, at least the most common file types.
mimeType: What kind of file is it? You can often assume this from the file extension, but it's nice to have a specific field for it. Here's a list of common mime types.
data: What is this file's data? Most files have data. If the file doesn't have data, then it's probably not the most interesting thing to send.
Because XMTP messages can only be up to 1MB in size, we need to store the attachment somewhere other than the XMTP network. In other words, we need to store it in a remote location.
End-to-end encryption must apply not only to XMTP messages, but to message attachments as well. For this reason, we need to encrypt the attachment before we store it.
# npm
npm i @xmtp/content-type-remote-attachment
# yarn
yarn add @xmtp/content-type-remote-attachment
# pnpm
pnpm i @xmtp/content-type-remote-attachment
const attachment: Attachment = {
filename: "screenshot.png",
mimeType: "image/png",
data: [the PNG data]
}
Once you have the attachment object created, you can also create a preview for what to show in a message input before sending:
const previewURL = URL.createObjectURL(
new Blob([Buffer.from(attachment.data)], {
type: attachment.mimeType,
}),
);
Use RemoteAttachmentCodec.encodeEncrypted to encrypt the attachment:
// Import the codecs we're going to use
import {
AttachmentCodec,
RemoteAttachmentCodec,
} from "@xmtp/content-type-remote-attachment";
// Encode the attachment and encrypt that encoded content
const encryptedAttachment = await RemoteAttachmentCodec.encodeEncrypted(
attachment,
new AttachmentCodec(),
);
Upload the encrypted attachment anywhere it will be accessible via an HTTPS GET request. For example, you can use web3.storage:
import { Web3Storage } from "web3.storage";
const web3Storage = new Web3Storage({
token: "your web3.storage token here",
});
// Only the encrypted payload leaves the client; the keys travel in the XMTP message
const upload = new Upload("XMTPEncryptedContent", encryptedAttachment.payload);
const cid = await web3Storage.put([upload]);
const url = `https://${cid}.ipfs.w3s.link/XMTPEncryptedContent`;
(Upload is a small class that implements Web3Storage's Filelike interface for uploading.)
Now that you have a url, you can create a RemoteAttachment.
const remoteAttachment: RemoteAttachment = {
// This is the URL string where clients can download the encrypted
// encoded content
url: url,
// We hash the encrypted encoded payload and send that along with the
// remote attachment. On the recipient side, clients can verify that the
// encrypted encoded payload they've downloaded matches what was uploaded.
// This is to prevent tampering with the content once it's been uploaded.
contentDigest: encryptedAttachment.digest,
// These are the encryption keys that will be used by the recipient to
// decrypt the remote payload
salt: encryptedAttachment.salt,
nonce: encryptedAttachment.nonce,
secret: encryptedAttachment.secret,
// For now, all remote attachments MUST be fetchable via HTTPS GET requests.
// We're investigating IPFS here among other options.
scheme: "https://",
// These fields are used by clients to display some information about
// the remote attachment before it is downloaded and decrypted.
filename: attachment.filename,
contentLength: attachment.data.byteLength,
};
Now that you have a remote attachment, you can send it:
await conversation.messages.send(remoteAttachment, {
contentType: ContentTypeRemoteAttachment,
});
Note: contentFallback text is provided by the codec and gives clients that don't support a content type the option to display some useful context. For cases where clients do support the content type, they can use the content fallback as alt text for accessibility purposes.
Now that you can send a remote attachment, you need a way to receive a remote attachment. For example:
// Assume `loadLastMessage` is a thing you have
const message: DecodedMessage = await loadLastMessage();
if (!message.contentType.sameAs(ContentTypeRemoteAttachment)) {
// We do not have a remote attachment. A topic for another blog post.
return;
}
// We've got a remote attachment.
const remoteAttachment: RemoteAttachment = message.content;
Now that you can receive a remote attachment, you need to download, decrypt, and decode it so your app can display it. For example:
const attachment: Attachment = await RemoteAttachmentCodec.load(
remoteAttachment,
client, // <- Your XMTP Client instance
);
You now have the original attachment:
attachment.filename; // => "screenshot.png"
attachment.mimeType; // => "image/png"
attachment.data; // => [the PNG data]
Display the attachment in your app as you please. For example, you can display it as an image:
const objectURL = URL.createObjectURL(
new Blob([Buffer.from(attachment.data)], {
type: attachment.mimeType,
}),
);
const img = document.createElement("img");
img.src = objectURL;
img.title = attachment.filename;
To learn more, see Introducing remote media attachments.
Run yarn dev to build the content type and watch for changes, which will trigger a rebuild.
Before running unit tests, start the required Docker container at the root of this repository. For more info, see Running tests.
yarn build: Builds the content type
yarn clean: Removes node_modules, dist, and .turbo folders
yarn dev: Builds the content type and watches for changes, which will trigger a rebuild
yarn lint: Runs ESLint
yarn test:setup: Starts a necessary docker container for testing
yarn test:teardown: Stops docker container for testing
yarn test: Runs all unit tests
yarn typecheck: Runs tsc
FAQs
An XMTP content type to support sending file attachments that are stored off network
The npm package @xmtp/content-type-remote-attachment receives a total of 2,081 weekly downloads. As such, @xmtp/content-type-remote-attachment popularity was classified as popular.
We found that @xmtp/content-type-remote-attachment demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.