Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The brfs npm package is a browserify transform that allows you to inline the contents of files into your JavaScript bundle. It is particularly useful for including static assets like HTML, CSS, or text files directly into your JavaScript code, making it easier to manage dependencies and resources in a single bundle.
Inline File Contents
This feature allows you to read the contents of a file and inline it directly into your JavaScript code. The example demonstrates how to read an HTML file and log its contents to the console.
const fs = require('fs');
const html = fs.readFileSync(__dirname + '/template.html', 'utf8');
console.log(html);
Transform Static Assets
This feature enables you to include static assets like CSS files directly into your JavaScript bundle. The example shows how to read a CSS file and log its contents to the console.
const fs = require('fs');
const css = fs.readFileSync(__dirname + '/styles.css', 'utf8');
console.log(css);
Browserify is a tool that allows you to use Node.js-style require() statements in the browser. While brfs is a transform for browserify to inline file contents, browserify itself is a more general tool for bundling JavaScript files and their dependencies for use in the browser.
Webpack is a module bundler that can handle various types of assets, including JavaScript, CSS, and HTML. It offers more advanced features like code splitting and hot module replacement. Compared to brfs, webpack provides a more comprehensive solution for managing and bundling assets.
Rollup is a module bundler for JavaScript that focuses on creating smaller and faster bundles. It supports various plugins to handle different types of assets. While brfs is specifically for inlining file contents, Rollup offers a broader range of functionalities for optimizing and bundling JavaScript code.
fs.readFileSync() and fs.readFile() static asset browserify transform
This module is a plugin for browserify to parse the AST
for fs.readFileSync()
calls so that you can inline file contents into your
bundles.
Even though this module is intended for use with browserify, nothing about it is particularly specific to browserify so it should be generally useful in other projects.
for a main.js:
var fs = require('fs');
var html = fs.readFileSync(__dirname + '/robot.html', 'utf8');
console.log(html);
and a robot.html:
<b>beep boop</b>
first npm install brfs
into your project, then:
$ browserify -t brfs example/main.js > bundle.js
now in the bundle output file,
var html = fs.readFileSync(__dirname + '/robot.html', 'utf8');
turns into:
var html = "<b>beep boop</b>\n";
var browserify = require('browserify');
var fs = require('fs');
var b = browserify('example/main.js');
b.transform('brfs');
b.bundle().pipe(fs.createWriteStream('bundle.js'));
You can also use fs.readFile()
:
var fs = require('fs');
fs.readFile(__dirname + '/robot.html', 'utf8', function (err, html) {
console.log(html);
});
When you run this code through brfs, it turns into:
var fs = require('fs');
process.nextTick(function () {(function (err, html) {
console.log(html);
})(null,"<b>beep boop</b>\n")});
brfs looks for:
fs.readFileSync(pathExpr, enc=null)
fs.readFile(pathExpr, enc=null, cb)
fs.readdirSync(pathExpr)
fs.readdir(pathExpr, cb)
Inside of each pathExpr
, you can use
statically analyzable expressions and
these variables and functions:
__dirname
__filename
path
if you var path = require('path')
firstrequire.resolve()
Just like node, the default encoding is null
and will give back a Buffer
.
If you want differently-encoded file contents for your inline content you can
set enc
to 'utf8'
, 'base64'
, or 'hex'
.
In async mode when a callback cb
is given, the contents of pathExpr
are
inlined into the source inside of a process.nextTick()
call.
When you use a 'file'
-event aware watcher such as
watchify, the inlined assets will be
updated automatically.
If you want to use this plugin directly, not through browserify, the api follows.
var brfs = require('brfs')
Return a through stream tr
inlining fs.readFileSync()
file contents
in-place.
Optionally, you can set which opts.vars
will be used in the
static argument evaluation
in addition to __dirname
and __filename
.
opts.parserOpts
can be used to configure the parser brfs uses,
acorn.
For every file included with fs.readFileSync()
or fs.readFile()
, the tr
instance emits a 'file'
event with the file
path.
A tiny command-line program ships with this module to make debugging easier.
usage:
brfs file
Inline `fs.readFileSync()` calls from `file`, printing the transformed file
contents to stdout.
brfs
brfs -
Inline `fs.readFileSync()` calls from stdin, printing the transformed file
contents to stdout.
With npm do:
npm install brfs
then use -t brfs
with the browserify command or use .transform('brfs')
from
the browserify api.
Since brfs
evaluates your source code statically, you can't use dynamic expressions that need to be evaluated at run time. For example:
// WILL NOT WORK!
var file = window.someFilePath;
var str = require('fs').readFileSync(file, 'utf8');
Instead, you must use simpler expressions that can be resolved at build-time:
var str = require('fs').readFileSync(__dirname + '/file.txt', 'utf8');
Another gotcha: brfs
does not yet support ES module import
statements. See brfs-babel for an experimental replacement that supports this syntax.
MIT
FAQs
browserify fs.readFileSync() static asset inliner
We found that brfs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 38 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.