middlefiddle
| addCSP = (urlRegex) -> | ||
| (req, res, next) -> | ||
| if req.href.match(urlRegex) | ||
| res.addHeader 'x-content-security-policy', "allow 'self'" | ||
| res.on 'headers', (headers) -> | ||
| headers['x-content-security-policy'] = "allow 'self'" | ||
| next() | ||
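Review bot: the `'headers'` listener in `addCSP` writes only the `x-content-security-policy` key, so an upstream `content-security-policy` header, if one is present, is left untouched and keeps governing the page; setting both names (or deleting the upstream key in the same listener) would make the added policy actually take effect. The listener also relies on `headers` being the very object later handed to `writeHead`, which the fiddle docs should state.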
@@ -6,0 +7,0 @@ |
| module.exports = (Mf) -> | ||
| ua = (req, res, next) -> | ||
| req.headers['user-agent'] = "GoogleBotZ" | ||
| res.addHeader("server", "Apachame") | ||
| res.on 'headers', (headers) -> | ||
| headers['server'] = "Apache" | ||
| next() | ||
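Review bot: this hunk changes the spoofed `server` value from "Apachame" to "Apache" in addition to migrating from `res.addHeader` to the `'headers'` event; that is a behaviour change unrelated to the API move and deserves a line in the commit message. The `user-agent` rewrite on `req.headers` is unchanged and still runs before `next()`, as intended.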
@@ -6,0 +7,0 @@ |
+1
-1
| { | ||
| "name": "middlefiddle", | ||
| "version": "0.3.0", | ||
| "version": "0.3.1", | ||
| "description": "Middleware as a proxy for HTTP/HTTPS traffic", | ||
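Review bot: bumping only the patch version (0.3.0 to 0.3.1) understates this release: the same diff removes `res.addHeader`, `res.removeHeader` and `res.modifyHeaders` from the response object, which breaks every fiddle written against 0.3.0. Either a 0.4.0 bump or a compatibility shim for the removed methods would match the size of the change.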
@@ -5,0 +5,0 @@ "keywords": ["proxy", "middleware", "connect"], |
+44
-15
@@ -9,3 +9,3 @@ # MiddleFiddle | ||
| npm install -g middlefiddle | ||
| $ npm install -g middlefiddle | ||
@@ -15,6 +15,6 @@ ## Installation via Github | ||
| # Depends on Node 0.6.x | ||
| git clone git://github.com/mdp/middlefiddle.git | ||
| cd middlefiddle | ||
| npm install | ||
| npm link #If you want to use it globally | ||
| $ git clone git://github.com/mdp/middlefiddle.git | ||
| $ cd middlefiddle | ||
| $ npm install | ||
| $ npm link #If you want to use it globally | ||
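Review bot: the clone URL still uses `git://`, an unencrypted and unauthenticated transport, and this block is the install path; switch it to `https://github.com/mdp/middlefiddle.git`. Also, the `# Depends on Node 0.6.x` line keeps no `$` prefix while every command below gained one, so the block is now inconsistent as a copy-paste target.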
@@ -32,3 +32,3 @@ ## Usage | ||
| # Start middlefiddle with default options | ||
| middlefiddle | ||
| $ middlefiddle | ||
| # Proxy will be at port 8080 | ||
@@ -39,17 +39,17 @@ # and the web logger will be open at port 8411 | ||
| middlefiddle logger | ||
| $ middlefiddle logger | ||
| # Now open http://localhost:8411 | ||
| # Only log for a certain URL | ||
| middlefiddle logger --url google.com | ||
| $ middlefiddle logger --url google.com | ||
| # Only log certain statuses | ||
| middlefiddle logger --status 404 | ||
| $ middlefiddle logger --status 404 | ||
| # Only log responses containing text | ||
| middlefiddle logger --grep "setTimeout" | ||
| $ middlefiddle logger --grep "setTimeout" | ||
| # Also work with regex | ||
| middlefiddle logger -r --grep "Mark(Percival)?" | ||
| $ middlefiddle logger -r --grep "Mark(Percival)?" | ||
| # And case insensitive | ||
| middlefiddle logger -ri --grep "m@mdp\.im" | ||
| $ middlefiddle logger -ri --grep "m@mdp\.im" | ||
@@ -147,10 +147,39 @@ ## Site specific middleware | ||
| Connect typically doesn't have a simple way to hijack downstream responses, so | ||
| Connect typically doesn't have a simple way to hijack downstream responses since it's streaming, so | ||
| middlefiddle emits events on the response along with writing to the stream. | ||
| res.on 'data', (chunk) -> | ||
| console.log chunk.toString() | ||
| res.on 'end', (chunk) -> | ||
| console.log chunk.toString() | ||
| res.on 'close', (chunk) -> | ||
| console.log "Closed response" | ||
| You've also got a couple helper properties: | ||
| - req.fullUrl #=> The full requested URL, including the schema | ||
| - req.isSecure #=> Did it come via SSL? | ||
| - req.href #=> String: The full requested URL, including the scheme, | ||
| host, path, and query params | ||
| - req.ssl #=> Boolean: Did it come via SSL? | ||
| - req.startTime #=> Datetime: When the request was started | ||
| - res.endTime #=> Datetime: I'll let you guess | ||
| ## Modify responses | ||
| ### Modifying the headers | ||
| Response headers can be modified before they are sent to the browser. | ||
| Just wait till they're available: | ||
| *Example in [add_csp.coffee](https://github.com/mdp/middlefiddle/tree/master/.middlefiddle/fiddles/add_csp.coffee)* | ||
| ### Replace the response body | ||
| Modifying the a response body means buffering the stream, | ||
| waiting for it to finish, then making the replacement and sending it | ||
| back downstream. The 'replace' middleware provides this. | ||
| * Usage example in [github.com.coffee](https://github.com/mdp/middlefiddle/tree/master/.middlefiddle/sites/github.com.coffee)* | ||
| ## Testing | ||
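Review bot: the "Modifying the headers" section tells the reader to "wait till they're available" but never names the `'headers'` event that the rewritten `add_csp.coffee` fiddle in this same diff relies on; a two-line `res.on 'headers', (headers) ->` snippet here would make the section usable without following the link. Typo in the body-replacement section: "Modifying the a response body".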
@@ -157,0 +186,0 @@ |
@@ -80,5 +80,2 @@ util = require 'util' | ||
| res.addHeader = addHeader | ||
| res.removeHeader = removeHeader | ||
| res.modifyHeaders = modifyHeaders | ||
| bodyLogger req, 'request' | ||
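Review bot: dropping `res.addHeader`, `res.removeHeader` and `res.modifyHeaders` removes the public header API with no deprecation path, so any existing fiddle calling them now throws because the properties are undefined. A thin shim that registers a `'headers'` listener to perform the add/remove would keep old fiddles working for one release. The `bodyLogger req, 'request'` call is unchanged, which is fine.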
@@ -94,3 +91,2 @@ next() | ||
| res.headers = upstream_res.headers | ||
| res.modifyHeaders() | ||
@@ -102,6 +98,8 @@ if res.headers && res.headers['content-type'] && res.headers['content-type'].search(/(text)|(application)/) >= 0 | ||
| res.emit 'headers', res.headers | ||
| # Store body data with the response | ||
| bodyLogger(res, 'response') | ||
| res.writeHead(upstream_res.statusCode, upstream_res.headers) | ||
| res.writeHead(res.statusCode, res.headers) | ||
| upstream_res.on 'data', (chunk) -> | ||
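Review bot: the rewrite switches `writeHead` from `upstream_res.statusCode` to `res.statusCode`, but the only copy visible in this diff is `res.headers = upstream_res.headers`; unless `res.statusCode` is also assigned from `upstream_res` somewhere not shown, every proxied response goes out with Node's default status 200. Separately, `res.emit 'headers', res.headers` hands listeners the live header object immediately before `writeHead`, so a listener that throws aborts the response mid-proxy; wrap the emit or document that listeners must not throw.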
@@ -133,18 +131,2 @@ res.write(chunk, 'binary') | ||
| addHeader = (header, value) -> | ||
| @addedHeaders ||= [] | ||
| @addedHeaders.push([header, value]) | ||
| removeHeader = (header) -> | ||
| @removedHeaders ||= [] | ||
| @removedHeaders.push(header) | ||
| modifyHeaders = () -> | ||
| if @addedHeaders | ||
| for header in @addedHeaders | ||
| @headers[header[0]] = header[1] | ||
| if @removedHeaders | ||
| for header in @removedHeaders | ||
| delete @headers[header] | ||
| bodyLogger = (stream, type, callback) -> | ||
@@ -151,0 +133,0 @@ data = [] |
Network access
Supply chain risk: This module accesses the network.
Found 1 instance in 1 package
Shell access
Supply chain risk: This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Uses eval
Supply chain risk: Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 2 instances in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Long strings
Supply chain risk: Contains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Network access
Supply chain risk: This module accesses the network.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Shell access
Supply chain risk: This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Uses eval
Supply chain risk: Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 2 instances in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Long strings
Supply chain risk: Contains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package