The get-uri npm package is designed to retrieve the contents of a URI string using different protocols. It supports protocols like HTTP, HTTPS, Data, File, and more. The package provides a simple API to fetch URIs in a protocol-agnostic way, which can be particularly useful when working with a variety of resource identifiers.
HTTP/HTTPS URI retrieval
This feature allows you to retrieve resources over HTTP or HTTPS. The code sample demonstrates how to fetch a resource from 'http://example.com' and pipe the response stream to the standard output.
```javascript
// Callback-style call (the older get-uri API)
const getUri = require('get-uri');

getUri('http://example.com', function (err, rs) {
  if (err) throw err;
  rs.pipe(process.stdout);
});
```
Data URI retrieval
This feature enables you to decode Data URIs and access the data as a stream. The code sample shows how to decode a base64-encoded 'Hello, World!' message from a Data URI and pipe it to the standard output.
```javascript
// Callback-style call (the older get-uri API)
const getUri = require('get-uri');

getUri('data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==', function (err, rs) {
  if (err) throw err;
  rs.pipe(process.stdout);
});
```
File URI retrieval
This feature allows you to read local files using the file URI scheme. The code sample demonstrates how to create a file URI from a local file path and then use get-uri to read the file and pipe its contents to the standard output.
```javascript
// Callback-style call (the older get-uri API)
const getUri = require('get-uri');
const path = require('path');
const { pathToFileURL } = require('url');

const filePath = path.resolve('path/to/your/local/file.txt');
// pathToFileURL() percent-encodes special characters and produces a valid
// file:// URI on Windows as well (plain string concatenation does not).
const fileUri = pathToFileURL(filePath).href;

getUri(fileUri, function (err, rs) {
  if (err) throw err;
  rs.pipe(process.stdout);
});
```
The 'request' package is a popular HTTP client for making HTTP requests. It is more focused on HTTP/HTTPS and does not support other URI schemes like get-uri does. However, it offers a rich set of features for interacting with HTTP resources.
Axios is a promise-based HTTP client for the browser and Node.js. Similar to 'request', it is primarily used for HTTP/HTTPS requests and does not natively handle other URI schemes. Axios provides a clean, promise-based API and is widely used for web service integration.
Node-fetch is a lightweight module that brings the Fetch API to Node.js. It is designed to provide a simple interface for fetching resources over HTTP/HTTPS, similar to what is available in modern browsers. Unlike get-uri, it does not support non-HTTP URI schemes.
Returns a `stream.Readable` from a URI string

This high-level module accepts a URI string and returns a Readable stream instance. There is built-in support for a variety of "protocols", and it's easily extensible with more:
| Protocol | Description | Example |
|---|---|---|
| data | Data URIs | data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D |
| file | File URIs | file:///c:/windows/example.ini |
| ftp | FTP URIs | ftp://ftp.kernel.org/pub/site/README |
| http | HTTP URIs | http://www.example.com/path/to/name |
| https | HTTPS URIs | https://www.example.com/path/to/name |
To simply get a `stream.Readable` instance from a `file:` URI, try something like:
```javascript
import { getUri } from 'get-uri';

// `file:` maps to a `fs.ReadStream` instance…
const stream = await getUri('file:///Users/nrajlich/wat.json');
stream.pipe(process.stdout);
```
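Because the same `getUri()` call dereferences `file:`, `ftp:` and `data:` URIs just as readily as `http(s):` ones, a URI that arrives from untrusted input (a user-supplied link, a field in a config file you did not write) must be validated before it reaches the library, or the caller ends up reading arbitrary local files on the application's behalf. The following allowlist wrapper is an added example, not code from the get-uri README or project: `checkUri`, `getUriChecked`, `DEFAULT_POLICY` and the policy shape are assumptions made here, and the `getUri` implementation is injected so the sample runs without the package installed.

```javascript
// Hypothetical allowlist policy for URIs that originate from untrusted input.
// protocols: WHATWG URL protocol strings (note the trailing colon).
// hosts: null allows any host; otherwise a Set of permitted hostnames.
const DEFAULT_POLICY = {
  protocols: new Set(['http:', 'https:']),
  hosts: null,
};

// Return { ok: true, uri } for a URI the policy permits, or { ok: false, reason }.
// Parsing with the WHATWG URL class normalises the scheme (e.g. "FILE:" -> "file:")
// so that case tricks do not slip past the allowlist.
function checkUri(input, policy = DEFAULT_POLICY) {
  let url;
  try {
    url = new URL(input);
  } catch {
    // Relative paths and garbage are rejected rather than resolved against a base.
    return { ok: false, reason: 'not an absolute URI' };
  }
  if (!policy.protocols.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    // Credentials embedded in a URI would be sent by the low-level client; refuse them.
    return { ok: false, reason: 'embedded credentials not allowed' };
  }
  if (policy.hosts && !policy.hosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not allowed` };
  }
  return { ok: true, uri: url.href };
}

// Hypothetical wrapper: validate first, then hand the normalised URI to getUri().
// `getUriImpl` is the getUri function from the package (or a stub in tests).
async function getUriChecked(input, getUriImpl, policy = DEFAULT_POLICY) {
  const verdict = checkUri(input, policy);
  if (!verdict.ok) {
    throw new Error(`refusing URI: ${verdict.reason}`);
  }
  return getUriImpl(verdict.uri);
}

// Usage with the real package would be:
//   import { getUri } from 'get-uri';
//   const rs = await getUriChecked(userSuppliedUri, getUri);
```

The policy is deliberately an allowlist rather than a blocklist of "dangerous" schemes: get-uri is documented as easily extensible with more protocols, so a blocklist written today would not cover a scheme added tomorrow.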
When you pass in a URI in which the resource referenced does not exist on the destination server, then a `NotFoundError` will be thrown. The `code` of the error instance is set to `"ENOTFOUND"`, so you can check for that value to detect when a bad filename is requested:
```javascript
import { getUri } from 'get-uri';

try {
  await getUri('http://example.com/resource.json');
} catch (err) {
  if (err.code === 'ENOTFOUND') {
    // bad file path requested
  } else {
    // something else bad happened...
    throw err;
  }
}
```
When calling `getUri()` with the same URI multiple times, the get-uri module supports sending an indicator that the remote resource has not been modified since the last time it has been retrieved from that node process.

To do this, define a `cache` property on the "options object" argument with the value set to the `stream.Readable` instance that was previously returned. If the remote resource has not been changed since the last call for that same URI, then a `NotModifiedError` instance will be thrown with its `code` property set to `"ENOTMODIFIED"`.

When the `"ENOTMODIFIED"` error occurs, then you can safely re-use the results from the previous `getUri()` call for that same URI:
```javascript
import { getUri } from 'get-uri';

// First time fetches for real
const stream = await getUri('http://example.com/resource.json');

try {
  // … some time later, if you need to get this same URI again, pass in the
  // previous `stream.Readable` instance as `cache` option to potentially
  // have an "ENOTMODIFIED" error thrown:
  await getUri('http://example.com/resource.json', { cache: stream });
} catch (err) {
  if (err.code === 'ENOTMODIFIED') {
    // source file has not been modified since last time it was requested,
    // so you are expected to re-use results from a previous call to `getUri()`
  } else {
    // something else bad happened...
    throw err;
  }
}
```
A `uri` is required. An optional `options` object may be passed in:

- `cache` - A `stream.Readable` instance from a previous call to `getUri()` with the same URI. If this option is passed in, and the destination endpoint has not been modified, then an `ENOTMODIFIED` error is thrown.

Any other options passed in to the `options` object will be passed through to the low-level connection creation functions (`http.get()`, `ftp.connect()`, etc).

Returns a `stream.Readable` instance to read the resource at the given `uri`.
FAQs
Returns a `stream.Readable` from a URI string
The npm package get-uri receives a total of 9,767,432 weekly downloads. As such, get-uri popularity was classified as popular.
We found that get-uri demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.