Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The raw-body npm package is used to obtain the raw body of an incoming stream and supports decoding, parsing, and handling of different encodings. It is commonly used in the context of HTTP server handling, where it can be used to read and parse request bodies before they are processed by request handlers or middleware.
Getting raw body from a stream
This code creates an HTTP server that uses raw-body to read the request body as a string. It takes into account the content length and encoding specified in the request headers.
const http = require('http');
const getRawBody = require('raw-body');
http.createServer((req, res) => {
getRawBody(req, {
length: req.headers['content-length'],
encoding: 'utf8'
}, function (err, string) {
if (err) return res.end('Error');
res.end('Received: ' + string);
});
}).listen(3000);
Handling different encodings
This code demonstrates how to use raw-body to handle different text encodings by specifying the encoding option. The promise interface is used for asynchronous handling.
const getRawBody = require('raw-body');
function handleRequest(req) {
return getRawBody(req, {
encoding: 'utf8'
}).then(body => {
// body is now a string in utf8 encoding
}).catch(err => {
// handle error
});
}
Limiting body size
This code shows how to limit the size of the request body using raw-body by setting a limit option, which can help prevent denial of service attacks or other resource exhaustion issues.
const getRawBody = require('raw-body');
function handleRequest(req) {
return getRawBody(req, {
limit: '1mb'
}).then(body => {
// body will not be larger than 1mb
}).catch(err => {
// handle error if body is too large
});
}
body-parser is a popular Express middleware that parses incoming request bodies before your handlers, available under the req.body property. It wraps around raw-body and adds additional parsing capabilities for JSON, URL-encoded, and other formats. Unlike raw-body, which provides the raw buffer, body-parser converts the body into more usable formats.
co-body is a body parser for koa and express, built on top of raw-body, designed to work with co for generator-based flow control. It supports json, form and text types of bodies, but is more tailored for use with Koa and generators.
busboy is a streaming parser for HTML form data for node.js. It handles multipart/form-data, which is primarily used for uploading files. It differs from raw-body in that it's specialized for file uploads and form submissions, whereas raw-body is more about getting the entire raw request body.
Gets the entire buffer of a stream either as a Buffer
or a string.
Validates the stream's length against an expected length and maximum limit.
Ideal for parsing request bodies.
var getRawBody = require('raw-body')
var typer = require('media-typer')
app.use(function (req, res, next) {
getRawBody(req, {
length: req.headers['content-length'],
limit: '1mb',
encoding: typer.parse(req.headers['content-type']).parameters.charset
}, function (err, string) {
if (err)
return next(err)
req.text = string
next()
})
})
or in a Koa generator:
app.use(function* (next) {
var string = yield getRawBody(this.req, {
length: this.length,
limit: '1mb',
encoding: this.charset
})
})
Returns a thunk for yielding with generators.
Options:
length
- The length length of the stream.
If the contents of the stream do not add up to this length,
an 400
error code is returned.limit
- The byte limit of the body.
If the body ends up being larger than this limit,
a 413
error code is returned.encoding
- The requested encoding.
By default, a Buffer
instance will be returned.
Most likely, you want utf8
.
You can use any type of encoding supported by iconv-lite.You can also pass a string in place of options to just specify the encoding.
callback(err, res)
:
err
- the following attributes will be defined if applicable:
limit
- the limit in byteslength
and expected
- the expected length of the streamreceived
- the received bytesencoding
- the invalid encodingstatus
and statusCode
- the corresponding status code for the errortype
- either entity.too.large
, request.aborted
, request.size.invalid
, stream.encoding.set
, or encoding.unsupported
res
- the result, either as a String
if an encoding was set or a Buffer
otherwise.
If an error occurs, the stream will be paused, everything unpiped,
and you are responsible for correctly disposing the stream.
For HTTP requests, no handling is required if you send a response.
For streams that use file descriptors, you should stream.destroy()
or stream.close()
to prevent leaks.
FAQs
Get and validate the raw body of a readable stream.
The npm package raw-body receives a total of 31,003,218 weekly downloads. As such, raw-body popularity was classified as popular.
We found that raw-body demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.