Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
A http/https file send
$ npm install file-send
const url = require('url');
const http = require('http');
const through2 = require('through2');
const FileSend = require('file-send');
http.createServer((request, response) => {
new FileSend(request, url.parse(request.url).pathname, {
root: '/',
etag: true,
maxAge: '30d'
})
.on('dir', function(realpath, next) {
// dir events
next('dir');
})
.on('error', function(error, next) {
// error events
next('error');
})
.use(through2()) // Set middleware
.pipe(response); // Send file to response
});
Create a new FileSend
for the given path and options to initialize.
The request
is the Node.js HTTP request and the path
is a urlencoded path to send (urlencoded, not the actual file-system path).
String
Set server root.
String|Array
Set ignore rules, support glob string. see: micromatch
String
Set how "ignore" are treated when encountered.
The default value is 'deny'
.
'deny'
Send a 403 for any request for ignore matched.'ignore'
Pretend like the ignore matched does not exist and 404.Object
Set micromatch options. see: micromatch
Boolean
Enable or disable accepting ranged requests, defaults to true. Disabling this will not send Accept-Ranges and ignore the contents of the Range request header.
String
Set Content-Type charset.
Boolean
Enable or disable setting Cache-Control
response header, defaults to true. Disabling this will ignore the immutable
and maxAge
options.
Boolean
Enable or disable etag generation, defaults to true.
String|Array|Boolean
By default send supports "index.html" files, to disable this set false
or to supply a new index pass a string or an array in preferred order.
Boolean
Enable or disable Last-Modified
header, defaults to true. Uses the file system's last modified value.
String|Number
Provide a max-age in milliseconds for http caching, defaults to 0. This can also be a string accepted by the ms module.
Boolean
Enable or diable the immutable directive in the Cache-Control response header, defaults to false. If set to true, the maxAge option should also be specified to enable caching. The immutable directive will prevent supported clients from making conditional requests during the life of the maxAge option to check if the file has changed.
The pipe
method is used to pipe the response into the Node.js HTTP response object, typically FileSend(request, path, [options]).pipe(response)
.
The mime export is the global instance of of the mime-types
npm module.
The FileSend
is an event emitter and will emit the following events:
dir
a directory was requested(realpath, next)
file
a file was requested (realpath, stats)
error
an error occurred (error, next)
By default when no error
listeners are present an automatic response will be made, otherwise you have full control over the response, aka you may show a 5xx page etc.
It does not perform internal caching, you should use a reverse proxy cache such as Varnish for this, or those fancy things called CDNs. If your application is small enough that it would benefit from single-node memory caching, it's small enough that it does not need caching at all ;).
$ npm install
$ npm test
'use strict';
const url = require('url');
const http = require('http');
const chalk = require('chalk');
const cluster = require('cluster');
const FileSend = require('file-send');
const NUMCPUS = require('os').cpus().length;
// create server
function createServer(root, port) {
http
.createServer(function(request, response) {
const send = new FileSend(request, url.parse(request.url).pathname, {
root: root || process.cwd(),
maxAge: '3day',
index: ['index.html'],
ignore: ['**/.*?(/**)']
});
send.pipe(response);
})
.listen(port || 8080);
}
if (cluster.isMaster) {
// fork workers
for (let i = 0; i < NUMCPUS; i++) {
const worker = cluster.fork();
// worker is listening
if (i === NUMCPUS - 1) {
worker.on('listening', address => {
console.log(
chalk.green.bold('Server run at:'),
chalk.cyan.bold((address.address || '127.0.0.1') + ':' + address.port),
'\r\n-----------------------------------------------------------------------------------------'
);
});
}
}
} else {
// workers can share any tcp connection
// in this case it is an http server
createServer();
}
FAQs
A http file send.
The npm package file-send receives a total of 8 weekly downloads. As such, file-send popularity was classified as not popular.
We found that file-send demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.