Security News
Supply Chain Attack Detected in Solana's web3.js Library
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
async-busboy
Advanced tools
The typical use case for this library is when handling forms that contain file upload field(s) mixed with other inputs. Parsing logic relies on busboy. Designed for use with Koa2 and Async/Await.
import asyncBusboy from 'async-busboy';
// Koa 2 middleware
async function(ctx, next) {
const {files, fields} = await asyncBusboy(ctx.req);
// Make some validation on the fields before upload to S3
if ( checkFiles(fields) ) {
files.map(uploadFilesToS3)
} else {
return 'error';
}
}
import asyncBusboy from 'async-busboy';
// Koa 2 middleware
async function(ctx, next) {
const { fields } = await asyncBusboy(ctx.req, {
onFile: function(fieldname, file, filename, encoding, mimetype) {
uploadFilesToS3(file);
}
});
// Do validation, but files are already uploading...
if ( !checkFiles(fields) ) {
return 'error';
}
}
var asyncBusboy = require('async-busboy');
function(someHTTPRequest) {
asyncBusboy(someHTTPRequest).then(function(formData) {
// do something with formData.files
// do someting with formData.fields
});
}
The request streams are first written to temporary files using os.tmpdir()
. File read streams associated with the temporary files are returned from the call to async-busboy. When the consumer has drained the file read streams, the files will be automatically removed, otherwise the host OS should take care of the cleaning process.
If a custom onFile handler is specified in the options to async-busboy it
will only resolve an object containing fields, but instead no temporary files
needs to be created since the file stream is directly passed to the application.
Note that all file streams need to be consumed for async-busboy to resolve due
to the implementation of busboy. If you don't care about a received
file stream, simply call stream.resume()
to discard the content.
Make sure to serialize objects before sending them as formData. i.e:
// Given an object that represent the form data:
{
'field1': 'value',
'objectField': {
'key': 'anotherValue'
},
'arrayField': ['a', 'b']
//...
};
Should be sent as:
// -> field1[value]
// -> objectField[key][anotherKey]
// -> arrayField[0]['a']
// -> arrayField[1]['b']
// .....
Here is a function that can take care of this process
const serializeFormData = (obj, formDataObj, namespace = null) => {
var formDataObj = formDataObj || {};
var formKey;
for(var property in obj) {
if(obj.hasOwnProperty(property)) {
if(namespace) {
formKey = namespace + '[' + property + ']';
} else {
formKey = property;
}
var value = obj[property];
if(typeof value === 'object' && !(value instanceof File) && !(value instanceof Date)) {
serializeFormData(value, formDataObj, formKey);
} else if(value instanceof Date) {
formDataObj[formKey] = value.toISOString();
} else {
formDataObj[formKey] = value;
}
}
}
return formDataObj;
};
// -->
If you want to run some test locally, clone this repo, then run: node examples/index.js
From there you can use something like Postman to send POST
request to localhost:8080
.
Note: When using Postman make sure to not send a Content-Type
header, if it's filed by default, just delete it. (This is to let the boudary
header be generated automaticaly)
Form sending only octet-stream (files)
Form sending file octet-stream (files) and input fields. a. File and fields are processed has they arrive. Their order do not matter. b. Fields must be processed (for example validated) before processing the files.
FAQs
Promise based multipart form parser
We found that async-busboy demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.