Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
express-body-parser-error-handler
Advanced tools
middleware to be set right after body parser in order to return 4xx error back to the client
middleware to be set right after body parser in order to handle all body parser errors and return 4xx responses to the client
99.9% of the time your going to use body parser on your express server application , even if your going to use express.json,raw,text or urlencoded under the hood it also uses body parser express source code
There’re multiple kinds of errors raised by body-parser. They involve sending bad headers or data that are not accepted by it, or canceling requests before all the data is read. Various 400 series error status codes will be sent as the response along with the corresponding error messages and stack trace the problem is when errors thrown from this middleware you need to handle them by yourself and all errors thrown from body parser are usually 4xx errors caused by client
for example:
Type | Code | description |
---|---|---|
encoding.unsupported | 415 | content encoding unsupported |
entity.parse.failed | 400 | |
entity.verify.failed | 403 | |
request.aborted | 400 | request is aborted by the client before reading the body has finished |
request.size.invalid | 400 | request size did not match content length |
stream.encoding.set | 500 | stream encoding should not be set |
parameters.too.many | 413 | |
charset.unsupported | 415 | unsupported charset “BOGUS” |
encoding.unsupported | 415 | unsupported content encoding “bogus” |
entity.too.large | 413 |
use this package if you don't want to handle them yourself :-)
$ npm i express-body-parser-error-handler
request(app)
.post('/')
.set('Content-Type', 'application/json')
.send('{ email: \'email\', password: \'password\'') // <==== missing "}" - invalid json
.expect(400, function (err, res) {
expect(JSON.parse(res.text).message).to.equal(
====> 'Body Parser failed to parse request --> Unexpected token e in JSON at position 2'
)
})
const bodyParserErrorHandler = require('express-body-parser-error-handler')
const { urlencoded, json } = require('body-parser')
const express = require('express')
const app = express();
router.route('/').get(function (req, res) {
return res.json({message:"🚀"});
});
// body parser initilization
app.use(urlencoded({extended: false, limit: '250kb'}));
app.use('/', json({limit: '250kb'}));
// body parser error handler
app.use(bodyParserErrorHandler());
app.use(router);
...
onError - function(err, req, res) => { }
Custom on error callback useful if you want to log the error message or send metrics
app.use(bodyParserErrorHandler({
onError = (err, req, res) => {
...
}
}))
errorMessage - function(err) => { }
default:
errorMessage = (err) => {
return `Body Parser failed to parse request --> ${err.message}`
}
app.use(bodyParserErrorHandler({
errorMessage = (err) => {
...
}
}))
if (this.repo.isAwesome || this.repo.isHelpful) {
Star(this.repo);
}
FAQs
middleware to be set right after body parser in order to return 4xx error back to the client
The npm package express-body-parser-error-handler receives a total of 4,169 weekly downloads. As such, express-body-parser-error-handler popularity was classified as popular.
We found that express-body-parser-error-handler demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.