Better streaming static file server with Range and conditional-GET support
The 'send' npm package is a library for streaming files from the file system as an HTTP response. It handles range requests, redirects, and errors, and is built with security in mind. It is often used to serve static files in web applications.
Serving static files
This code creates an HTTP server that serves a static file using the send package. When a request is made to the server, it streams the specified file as the response.
const send = require('send');
const http = require('http');

http.createServer(function (req, res) {
  send(req, '/path/to/public/index.html').pipe(res);
}).listen(3000);
Handling range requests
This code demonstrates how to handle HTTP range requests for partial content delivery, such as serving video files that can be streamed.
const send = require('send');
const http = require('http');

http.createServer(function (req, res) {
  send(req, '/path/to/public/video.mp4')
    .on('headers', function (res, path, stat) {
      res.setHeader('Accept-Ranges', 'bytes');
    })
    .pipe(res);
}).listen(3000);
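The byte arithmetic behind a ranged response, as an added example that is not code from the send package or its maintainers: a single-range Range header is mapped to inclusive start/end offsets (so bytes 0-3 means four bytes, the same convention as the start/end options below) and to a 206 or 416 status. The function name planRangeResponse is hypothetical, and the handling of multi-range and malformed headers is this example's own simplification.

```javascript
// Added example, not code from the send package: work out the partial
// response for a single-range "Range" header against a file of `size`
// bytes. Offsets are inclusive, so a response for bytes 0-3 carries
// 4 bytes. Multi-range and malformed headers are simply served in full,
// which is this example's own simplification.
function planRangeResponse(rangeHeader, size) {
  if (!Number.isInteger(size) || size < 0) {
    throw new TypeError('size must be a non-negative integer');
  }
  const full = { status: 200, start: 0, end: size - 1, length: size };
  // No Range header, or a unit other than bytes: answer in full.
  if (typeof rangeHeader !== 'string' || !/^bytes=/i.test(rangeHeader)) {
    return full;
  }
  const specs = rangeHeader.slice(6).split(',').map(s => s.trim()).filter(Boolean);
  // Only the single-range case is planned here; anything else is served in full.
  if (specs.length !== 1) return full;
  const m = /^(\d*)-(\d*)$/.exec(specs[0]);
  if (!m || (m[1] === '' && m[2] === '')) return full; // syntactically invalid: ignore
  const unsatisfiable = { status: 416, contentRange: `bytes */${size}` };
  let start;
  let end;
  if (m[1] === '') {
    // Suffix form "bytes=-N": the last N bytes of the file.
    const suffix = Number(m[2]);
    if (suffix === 0) return unsatisfiable;
    start = Math.max(0, size - suffix);
    end = size - 1;
  } else {
    start = Number(m[1]);
    // An open-ended or over-long range is clamped to the last byte.
    end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  }
  // A start past the end of the file (or past the clamped end) cannot be
  // served: 416 with "Content-Range: bytes */size" tells the client the length.
  if (start >= size || start > end) return unsatisfiable;
  return {
    status: 206,
    start,
    end,
    length: end - start + 1,
    contentRange: `bytes ${start}-${end}/${size}`,
  };
}
```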
Custom error handling
This code shows how to handle errors when a file is not found or another error occurs while trying to stream a file.
const send = require('send');
const http = require('http');

http.createServer(function (req, res) {
  send(req, '/path/to/public/non-existent-file.html')
    .on('error', function (err) {
      res.statusCode = err.status || 500;
      res.end(err.message);
    })
    .pipe(res);
}).listen(3000);
Express is a web application framework for Node.js that includes functionality for serving static files. It is more feature-rich than 'send' and is designed for building web applications and APIs.
koa-send is similar to 'send' but is tailored for Koa, a web framework for Node.js created by the same team that built Express. It is used to serve static files in Koa applications.
serve-static is a middleware for serving static files for Express and Connect. It is built on top of 'send' and provides a higher-level API for integrating with these frameworks.
Send is a library for streaming files from the file system as an HTTP response. It supports partial responses (Ranges), conditional-GET negotiation (If-Match, If-Unmodified-Since, If-None-Match, If-Modified-Since), has high test coverage, and emits granular events which may be leveraged to take appropriate actions in your application or framework.
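The conditional-GET negotiation named above, as an added example that is not code from send or its maintainers: given the request's conditional headers and the file's current validators, the function decides between 200, 304 and 412. The name conditionalGetStatus and the header/validator shapes are this example's assumptions.

```javascript
// Added example, not code from the send package: choose the status for a
// GET once the file's validators are known, using the four conditional
// headers send negotiates. reqHeaders uses lower-case names as Node
// exposes them; etag is the entity tag (e.g. '"abc"'); lastModified is a Date.
function conditionalGetStatus(reqHeaders, etag, lastModified) {
  const header = name => reqHeaders[name];
  // HTTP dates carry whole seconds, so compare at that granularity.
  const seconds = d => Math.floor(d.getTime() / 1000);
  const parseDate = v => {
    const d = new Date(v);
    return Number.isNaN(d.getTime()) ? null : d;
  };
  // If-Match uses strong comparison: a weak tag (W/"...") never matches.
  const strongMatch = list =>
    list.split(',').map(s => s.trim())
      .some(t => t === '*' || (t === etag && !etag.startsWith('W/')));
  // If-None-Match uses weak comparison: W/"x" and "x" are the same entity.
  const weakMatch = list =>
    list.split(',').map(s => s.trim().replace(/^W\//, ''))
      .some(t => t === '*' || t === etag.replace(/^W\//, ''));

  // Preconditions first: a failed one is answered 412 and no body is sent.
  if (header('if-match') !== undefined) {
    if (!strongMatch(header('if-match'))) return 412;
  } else if (header('if-unmodified-since') !== undefined) {
    const since = parseDate(header('if-unmodified-since'));
    if (since && seconds(lastModified) > seconds(since)) return 412;
  }
  // Freshness next: a hit means 304 and the client reuses its cached copy.
  // If-None-Match, when present, takes precedence over If-Modified-Since.
  if (header('if-none-match') !== undefined) {
    return weakMatch(header('if-none-match')) ? 304 : 200;
  }
  if (header('if-modified-since') !== undefined) {
    const since = parseDate(header('if-modified-since'));
    if (since && seconds(lastModified) <= seconds(since)) return 304;
  }
  return 200;
}
```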
Looking to serve up entire folders mapped to URLs? Try serve-static.
This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install send
var send = require('send')

send(req, path, options)

Create a new SendStream for the given path to send to a res. The req is the Node.js HTTP request and the path is a urlencoded path to send (urlencoded, not the actual file-system path).
Options

acceptRanges
Enable or disable accepting ranged requests, defaults to true. Disabling this will not send Accept-Ranges and ignores the contents of the Range request header.

cacheControl
Enable or disable setting the Cache-Control response header, defaults to true. Disabling this will ignore the immutable and maxAge options.

dotfiles
Set how "dotfiles" are treated when encountered. A dotfile is a file or directory that begins with a dot ("."). Note this check is done on the path itself without checking if the path actually exists on the disk. If root is specified, only the dotfiles above the root are checked (i.e. the root itself can be within a dotfile when set to "deny").

'allow'   No special treatment for dotfiles.
'deny'    Send a 403 for any request for a dotfile.
'ignore'  Pretend like the dotfile does not exist and 404.

The default value is similar to 'ignore', with the exception that this default will not ignore the files within a directory that begins with a dot, for backward-compatibility.

end
Byte offset at which the stream ends, defaults to the length of the file minus 1. The end is inclusive in the stream, meaning end: 3 will include the 4th byte in the stream.

etag
Enable or disable etag generation, defaults to true.

extensions
If a given file doesn't exist, try appending one of the given extensions, in the given order. By default, this is disabled (set to false). An example value that will serve extension-less HTML files: ['html', 'htm']. This is skipped if the requested file already has an extension.

immutable
Enable or disable the immutable directive in the Cache-Control response header, defaults to false. If set to true, the maxAge option should also be specified to enable caching. The immutable directive will prevent supported clients from making conditional requests during the life of the maxAge option to check if the file has changed.

index
By default send supports "index.html" files; to disable this set false, or to supply a new index pass a string or an array in preferred order.

lastModified
Enable or disable the Last-Modified header, defaults to true. Uses the file system's last modified value.

maxAge
Provide a max-age in milliseconds for HTTP caching, defaults to 0. This can also be a string accepted by the ms module.

root
Serve files relative to path.

start
Byte offset at which the stream starts, defaults to 0. The start is inclusive, meaning start: 2 will include the 3rd byte in the stream.
Events

The SendStream is an event emitter and will emit the following events:

error      an error occurred (err)
directory  a directory was requested (res, path)
file       a file was requested (path, stat)
headers    the headers are about to be set on a file (res, path, stat)
stream     file streaming has started (stream)
end        streaming has completed

.pipe

The pipe method is used to pipe the response into the Node.js HTTP response object, typically send(req, path, options).pipe(res).

By default, when no error listeners are present an automatic response will be made; otherwise you have full control over the response, i.e. you may show a 5xx page etc.
It does not perform internal caching, you should use a reverse proxy cache such as Varnish for this, or those fancy things called CDNs. If your application is small enough that it would benefit from single-node memory caching, it's small enough that it does not need caching at all ;).
To enable debug() instrumentation output, export DEBUG:

$ DEBUG=send node app

To run the test suite:

$ npm install
$ npm test
This simple example will send a specific file to all requests.

var http = require('http')
var send = require('send')

var server = http.createServer(function onRequest (req, res) {
  send(req, '/path/to/index.html')
    .pipe(res)
})

server.listen(3000)
This simple example will just serve up all the files in a given directory as the top-level. For example, a request GET /foo.txt will send back /www/public/foo.txt.

var http = require('http')
var parseUrl = require('parseurl')
var send = require('send')

var server = http.createServer(function onRequest (req, res) {
  send(req, parseUrl(req).pathname, { root: '/www/public' })
    .pipe(res)
})

server.listen(3000)
This example serves a directory as above, but uses the headers event to set a custom Content-Type for files with particular extensions before they are sent.

var extname = require('path').extname
var http = require('http')
var parseUrl = require('parseurl')
var send = require('send')

var server = http.createServer(function onRequest (req, res) {
  send(req, parseUrl(req).pathname, { root: '/www/public' })
    .on('headers', function (res, path) {
      switch (extname(path)) {
        case '.x-mt':
        case '.x-mtt':
          // custom type for these extensions
          res.setHeader('Content-Type', 'application/x-my-type')
          break
      }
    })
    .pipe(res)
})

server.listen(3000)
This is an example of serving up a structure of directories with a custom function to render a listing of a directory.

var http = require('http')
var fs = require('fs')
var parseUrl = require('parseurl')
var send = require('send')

// Transfer arbitrary files from within /www/example.com/public/*
// with a custom handler for directory listing
var server = http.createServer(function onRequest (req, res) {
  send(req, parseUrl(req).pathname, { index: false, root: '/www/public' })
    .once('directory', directory)
    .pipe(res)
})

server.listen(3000)

// Custom directory handler
function directory (res, path) {
  var stream = this

  // redirect to trailing slash for consistent url
  if (!stream.hasTrailingSlash()) {
    return stream.redirect(path)
  }

  // get directory list
  fs.readdir(path, function onReaddir (err, list) {
    if (err) return stream.error(err)

    // render an index for the directory
    res.setHeader('Content-Type', 'text/plain; charset=UTF-8')
    res.end(list.join('\n') + '\n')
  })
}
This example serves from a root directory with custom error handling, custom headers (every file is sent as a download), and a custom directory handler that redirects to the trailing-slash form of the URL.

var http = require('http')
var parseUrl = require('parseurl')
var send = require('send')

var server = http.createServer(function onRequest (req, res) {
  // your custom error-handling logic:
  function error (err) {
    res.statusCode = err.status || 500
    res.end(err.message)
  }

  // your custom headers
  function headers (res, path, stat) {
    // serve all files for download
    res.setHeader('Content-Disposition', 'attachment')
  }

  // your custom directory handling logic:
  function redirect () {
    res.statusCode = 301
    res.setHeader('Location', req.url + '/')
    res.end('Redirecting to ' + req.url + '/')
  }

  // transfer arbitrary files from within
  // /www/example.com/public/*
  send(req, parseUrl(req).pathname, { root: '/www/public' })
    .on('error', error)
    .on('directory', redirect)
    .on('headers', headers)
    .pipe(res)
})

server.listen(3000)
FAQs

The npm package send receives a total of 23,904,877 weekly downloads. As such, send's popularity was classified as popular.

We found that send demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.