Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The raw-body npm package is used to obtain the raw body of an incoming stream and supports decoding, parsing, and handling of different encodings. It is commonly used in the context of HTTP server handling, where it can be used to read and parse request bodies before they are processed by request handlers or middleware.
Getting raw body from a stream
This code creates an HTTP server that uses raw-body to read the request body as a string. It takes into account the content length and encoding specified in the request headers.
const http = require('http');
const getRawBody = require('raw-body');
http.createServer((req, res) => {
getRawBody(req, {
length: req.headers['content-length'],
encoding: 'utf8'
}, function (err, string) {
if (err) return res.end('Error');
res.end('Received: ' + string);
});
}).listen(3000);
Handling different encodings
This code demonstrates how to use raw-body to handle different text encodings by specifying the encoding option. The promise interface is used for asynchronous handling.
const getRawBody = require('raw-body');
function handleRequest(req) {
return getRawBody(req, {
encoding: 'utf8'
}).then(body => {
// body is now a string in utf8 encoding
}).catch(err => {
// handle error
});
}
Limiting body size
This code shows how to limit the size of the request body using raw-body by setting a limit option, which can help prevent denial of service attacks or other resource exhaustion issues.
const getRawBody = require('raw-body');
function handleRequest(req) {
return getRawBody(req, {
limit: '1mb'
}).then(body => {
// body will not be larger than 1mb
}).catch(err => {
// handle error if body is too large
});
}
body-parser is a popular Express middleware that parses incoming request bodies before your handlers, available under the req.body property. It wraps around raw-body and adds additional parsing capabilities for JSON, URL-encoded, and other formats. Unlike raw-body, which provides the raw buffer, body-parser converts the body into more usable formats.
co-body is a body parser for koa and express, built on top of raw-body, designed to work with co for generator-based flow control. It supports json, form and text types of bodies, but is more tailored for use with Koa and generators.
busboy is a streaming parser for HTML form data for node.js. It handles multipart/form-data, which is primarily used for uploading files. It differs from raw-body in that it's specialized for file uploads and form submissions, whereas raw-body is more about getting the entire raw request body.
Gets the entire buffer of a stream either as a Buffer
or a string.
Validates the stream's length against an expected length and maximum limit.
Ideal for parsing request bodies.
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
$ npm install raw-body
This module includes a TypeScript
declaration file to enable auto complete in compatible editors and type
information for TypeScript projects. This module depends on the Node.js
types, so install @types/node
:
$ npm install @types/node
var getRawBody = require('raw-body')
Returns a promise if no callback specified and global Promise
exists.
Options:
length
- The length of the stream.
If the contents of the stream do not add up to this length,
an 400
error code is returned.limit
- The byte limit of the body.
This is the number of bytes or any string format supported by
bytes,
for example 1000
, '500kb'
or '3mb'
.
If the body ends up being larger than this limit,
a 413
error code is returned.encoding
- The encoding to use to decode the body into a string.
By default, a Buffer
instance will be returned when no encoding is specified.
Most likely, you want utf-8
, so setting encoding
to true
will decode as utf-8
.
You can use any type of encoding supported by iconv-lite.You can also pass a string in place of options to just specify the encoding.
If an error occurs, the stream will be paused, everything unpiped,
and you are responsible for correctly disposing the stream.
For HTTP requests, you may need to finish consuming the stream if
you want to keep the socket open for future requests. For streams
that use file descriptors, you should stream.destroy()
or
stream.close()
to prevent leaks.
This module creates errors depending on the error condition during reading. The error may be an error from the underlying Node.js implementation, but is otherwise an error created by this module, which has the following attributes:
limit
- the limit in byteslength
and expected
- the expected length of the streamreceived
- the received bytesencoding
- the invalid encodingstatus
and statusCode
- the corresponding status code for the errortype
- the error typeThe errors from this module have a type
property which allows for the programmatic
determination of the type of error returned.
This error will occur when the encoding
option is specified, but the value does
not map to an encoding supported by the iconv-lite
module.
This error will occur when the limit
option is specified, but the stream has
an entity that is larger.
This error will occur when the request stream is aborted by the client before reading the body has finished.
This error will occur when the length
option is specified, but the stream has
emitted more bytes.
This error will occur when the given stream has an encoding set on it, making it
a decoded stream. The stream should not have an encoding set and is expected to
emit Buffer
objects.
This error will occur when the given stream is not readable.
var contentType = require('content-type')
var express = require('express')
var getRawBody = require('raw-body')
var app = express()
app.use(function (req, res, next) {
getRawBody(req, {
length: req.headers['content-length'],
limit: '1mb',
encoding: contentType.parse(req).parameters.charset
}, function (err, string) {
if (err) return next(err)
req.text = string
next()
})
})
// now access req.text
var contentType = require('content-type')
var getRawBody = require('raw-body')
var koa = require('koa')
var app = koa()
app.use(function * (next) {
this.text = yield getRawBody(this.req, {
length: this.req.headers['content-length'],
limit: '1mb',
encoding: contentType.parse(this.req).parameters.charset
})
yield next
})
// now access this.text
To use this library as a promise, simply omit the callback
and a promise is
returned, provided that a global Promise
is defined.
var getRawBody = require('raw-body')
var http = require('http')
var server = http.createServer(function (req, res) {
getRawBody(req)
.then(function (buf) {
res.statusCode = 200
res.end(buf.length + ' bytes submitted')
})
.catch(function (err) {
res.statusCode = 500
res.end(err.message)
})
})
server.listen(3000)
import * as getRawBody from 'raw-body';
import * as http from 'http';
const server = http.createServer((req, res) => {
getRawBody(req)
.then((buf) => {
res.statusCode = 200;
res.end(buf.length + ' bytes submitted');
})
.catch((err) => {
res.statusCode = err.statusCode;
res.end(err.message);
});
});
server.listen(3000);
FAQs
Get and validate the raw body of a readable stream.
The npm package raw-body receives a total of 40,640,349 weekly downloads. As such, raw-body popularity was classified as popular.
We found that raw-body demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.