busboy multipart parser using co or koa.
```js
var fs = require('fs')
var parse = require('co-busboy')

app.use(function* (next) {
  // the body isn't multipart, so busboy can't parse it
  if (!this.request.is('multipart/*')) return yield next

  var parts = parse(this)
  var part
  while (part = yield parts()) {
    if (part.length) {
      // arrays are busboy fields
      console.log('key: ' + part[0])
      console.log('value: ' + part[1])
    } else {
      // otherwise, it's a stream
      part.pipe(fs.createWriteStream('some file.txt'))
    }
  }
  console.log('and we are done parsing the form!')
})
```
Note that parts will be delivered in the order they are defined in the form. Put your CSRF token first in the form and your larger files last, so the token can be checked before any large file is read.
If you want co-busboy to automatically handle the fields, set the autoFields: true option. Now all the parts will be streams, and a field object and a fields array will automatically be populated.
```js
var fs = require('fs')
var parse = require('co-busboy')

app.use(function* (next) {
  var parts = parse(this, {
    autoFields: true
  })

  var part
  while (part = yield parts()) {
    // it's a stream
    part.pipe(fs.createWriteStream('some file.txt'))
  }
  console.log('and we are done parsing the form!')
  // .field holds all the fields in key/value form
  console.log(parts.field._csrf)
  // .fields holds all the fields in [key, value] form
  console.log(parts.fields[0])
})
```
Use the options.checkField hook, function(name, val, fieldnameTruncated, valTruncated), to validate fields as they arrive. Return an Error from the hook to reject the request.
```js
var parse = require('co-busboy')

app.use(function* (next) {
  var ctx = this
  var parts = parse(this, {
    checkField: function (name, value) {
      // checkCSRF(ctx, token) is the application's own token comparison;
      // it is not provided by co-busboy
      if (name === '_csrf' && !checkCSRF(ctx, value)) {
        var err = new Error('invalid csrf token')
        err.status = 400
        return err
      }
    }
  })

  var part
  while (part = yield parts()) {
    // ...
  }
})
```
Use the options.checkFile hook, function(fieldname, file, filename, encoding, mimetype), to validate each file before it is delivered, for example by checking its filename. Return an Error from the hook to reject the request.
```js
var parse = require('co-busboy')
var path = require('path')

app.use(function* (next) {
  var ctx = this
  var parts = parse(this, {
    // only allow upload `.jpg` files
    checkFile: function (fieldname, file, filename) {
      if (path.extname(filename) !== '.jpg') {
        var err = new Error('invalid jpg image')
        err.status = 400
        return err
      }
    }
  })

  var part
  while (part = yield parts()) {
    // ...
  }
})
```
```js
var parse = require('co-busboy')
var parts = parse(stream, {
  autoFields: true
})
```

options are passed to busboy. The only additional option is autoFields.
Note: if busboy emits any of its partsLimit, filesLimit or fieldsLimit events, the parser throws an error.
Yield the next part. If autoFields: true, this will always be a file stream. Otherwise, it will be a field as an array.

Readable Stream (a file part) properties:
- fieldname
- filename
- transferEncoding or encoding
- mimeType or mime

Field[] (a field part) entries:
- fieldname
- value
- valueTruncated - Boolean
- fieldnameTruncated - Boolean

If the yielded part is falsey, then the parser is done.

parts.field: if autoFields: true, this object will be populated with key/value pairs.

parts.fields: if autoFields: true, this array will be populated with all fields.
The MIT License (MIT)
Copyright (c) 2013 Jonathan Ong me@jongleberry.com Copyright (c) 2015 cojs and other contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.