Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The parseurl npm package is used to parse URLs. It provides utilities for URL resolution and parsing to work with the components of URLs. It can be particularly useful in HTTP server handling to extract parts of the request URL.
Parse the URL of an HTTP request
This feature allows you to parse the URL of an incoming HTTP request and obtain components such as pathname, query, etc. The code sample creates an HTTP server that responds with the pathname of the request URL.
const parseurl = require('parseurl');
const http = require('http');
http.createServer(function (req, res) {
  const parsedUrl = parseurl(req);
  res.end('Pathname: ' + parsedUrl.pathname);
}).listen(3000);
Parse the same URL only once
This feature ensures that the URL is only parsed once and the result is cached. Subsequent calls to parseurl with the same request object will return the cached parsed URL object, improving performance.
const parseurl = require('parseurl');
const http = require('http');
http.createServer(function (req, res) {
  const parsedUrl = parseurl(req);
  // parseurl caches the parsed object in req._parsedUrl
  // Subsequent calls will return the cached version
  const sameParsedUrl = parseurl(req);
  res.end('Pathname: ' + sameParsedUrl.pathname);
}).listen(3000);
The url-parse package is similar to parseurl but offers more features, such as the ability to parse relative URLs and more detailed parsing of the query string. It can be used both in Node.js and in the browser.
While qs is not a direct alternative to parseurl, it provides advanced query string parsing and stringifying capabilities. It can be used in combination with parseurl to handle complex query string scenarios.
Parse a URL with memoization.
This is a Node.js module available through the npm registry. Installation is done using the npm install command:
$ npm install parseurl
var parseurl = require('parseurl')
Parse the URL of the given request object (looks at the req.url property) and return the result. The result is the same as url.parse in Node.js core.
Calling this function multiple times on the same req where req.url does not change will return a cached parsed object, rather than parsing again.
Parse the original URL of the given request object and return the result. This works by trying to parse req.originalUrl if it is a string, otherwise parses req.url. The result is the same as url.parse in Node.js core.
Calling this function multiple times on the same req where req.originalUrl does not change will return a cached parsed object, rather than parsing again.
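The caching rules described above, as an added sketch that is not parseurl's own source: it shows a cache hit, a re-parse after middleware rewrites req.url, and the original-URL variant still returning the path the client sent, which is the one an access check or audit log usually needs. The function names, the `_parsedOriginalUrl` slot, the `_raw` marker and the sample request are assumptions, and the global WHATWG URL class with a placeholder base stands in for url.parse.

```javascript
// Illustration only: hypothetical helpers mirroring the documented behaviour.
const BASE = 'http://placeholder.invalid'; // constructed base so path-only targets parse

function parseRaw(raw) {
  const u = new URL(raw, BASE);
  // _raw records the exact string that was parsed, so staleness can be detected.
  return { pathname: u.pathname, search: u.search, _raw: raw };
}

// Return the cached parse of req[field] unless that string changed since parsing.
function memoized(req, field, slot) {
  const raw = req[field];
  const cached = req[slot];
  if (cached && cached._raw === raw) return cached; // hit: same string as last time
  req[slot] = parseRaw(raw);                        // miss or stale: parse and store
  return req[slot];
}

function parseCached(req) {
  return memoized(req, 'url', '_parsedUrl');
}

function parseOriginalCached(req) {
  // Fall back to req.url when originalUrl is not a string, as described above.
  return typeof req.originalUrl === 'string'
    ? memoized(req, 'originalUrl', '_parsedOriginalUrl')
    : parseCached(req);
}

// Constructed request: a router mounted at /admin strips its prefix from req.url.
function demo() {
  const req = { url: '/admin/users?id=7', originalUrl: '/admin/users?id=7' };
  const first = parseCached(req);
  const hit = parseCached(req) === first; // second call returns the same object
  req.url = '/users?id=7';                // mount-style rewrite
  const afterRewrite = parseCached(req);  // cache is stale, so this re-parses
  return {
    hit,
    reparsed: afterRewrite !== first,
    routedPath: afterRewrite.pathname,
    originalPath: parseOriginalCached(req).pathname,
  };
}
```

Because the cached object is shared by every caller on the same request, code that reads it should treat it as read-only.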
$ npm run-script bench
> parseurl@1.3.3 bench nodejs-parseurl
> node benchmark/index.js
http_parser@2.8.0
node@10.6.0
v8@6.7.288.46-node.13
uv@1.21.0
zlib@1.2.11
ares@1.14.0
modules@64
nghttp2@1.32.0
napi@3
openssl@1.1.0h
icu@61.1
unicode@10.0
cldr@33.0
tz@2018c
> node benchmark/fullurl.js
Parsing URL "http://localhost:8888/foo/bar?user=tj&pet=fluffy"
4 tests completed.
fasturl x 2,207,842 ops/sec ±3.76% (184 runs sampled)
nativeurl - legacy x 507,180 ops/sec ±0.82% (191 runs sampled)
nativeurl - whatwg x 290,044 ops/sec ±1.96% (189 runs sampled)
parseurl x 488,907 ops/sec ±2.13% (192 runs sampled)
> node benchmark/pathquery.js
Parsing URL "/foo/bar?user=tj&pet=fluffy"
4 tests completed.
fasturl x 3,812,564 ops/sec ±3.15% (188 runs sampled)
nativeurl - legacy x 2,651,631 ops/sec ±1.68% (189 runs sampled)
nativeurl - whatwg x 161,837 ops/sec ±2.26% (189 runs sampled)
parseurl x 4,166,338 ops/sec ±2.23% (184 runs sampled)
> node benchmark/samerequest.js
Parsing URL "/foo/bar?user=tj&pet=fluffy" on same request object
4 tests completed.
fasturl x 3,821,651 ops/sec ±2.42% (185 runs sampled)
nativeurl - legacy x 2,651,162 ops/sec ±1.90% (187 runs sampled)
nativeurl - whatwg x 175,166 ops/sec ±1.44% (188 runs sampled)
parseurl x 14,912,606 ops/sec ±3.59% (183 runs sampled)
> node benchmark/simplepath.js
Parsing URL "/foo/bar"
4 tests completed.
fasturl x 12,421,765 ops/sec ±2.04% (191 runs sampled)
nativeurl - legacy x 7,546,036 ops/sec ±1.41% (188 runs sampled)
nativeurl - whatwg x 198,843 ops/sec ±1.83% (189 runs sampled)
parseurl x 24,244,006 ops/sec ±0.51% (194 runs sampled)
> node benchmark/slash.js
Parsing URL "/"
4 tests completed.
fasturl x 17,159,456 ops/sec ±3.25% (188 runs sampled)
nativeurl - legacy x 11,635,097 ops/sec ±3.79% (184 runs sampled)
nativeurl - whatwg x 240,693 ops/sec ±0.83% (189 runs sampled)
parseurl x 42,279,067 ops/sec ±0.55% (190 runs sampled)
FAQs
parse a url with memoization
The npm package parseurl receives a total of 29,187,845 weekly downloads. As such, parseurl popularity was classified as popular.
We found that parseurl demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source software.