Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The thrift npm package is a JavaScript implementation of the Apache Thrift framework, which is used for scalable cross-language services development. Thrift allows you to define data types and service interfaces in a simple definition file, and it generates code to be used across multiple languages. This makes it easier to build and maintain services that communicate across different programming languages.
Defining a Thrift Service
This code demonstrates how to define a Thrift service in Node.js. The service is defined in a Thrift IDL file, which is then compiled to generate the necessary JavaScript files. The server listens on port 9090 and implements a method called `myMethod`.
const thrift = require('thrift');
const MyService = require('./gen-nodejs/MyService');
const ttypes = require('./gen-nodejs/my_types');
const server = thrift.createServer(MyService, {
myMethod: function(arg, result) {
console.log('myMethod called with:', arg);
result(null, 'response');
}
});
server.listen(9090);
Creating a Thrift Client
This code demonstrates how to create a Thrift client in Node.js. The client connects to the Thrift server running on localhost at port 9090 and calls the `myMethod` function, passing an argument and handling the response.
const thrift = require('thrift');
const MyService = require('./gen-nodejs/MyService');
const connection = thrift.createConnection('localhost', 9090);
const client = thrift.createClient(MyService, connection);
client.myMethod('argument', (err, response) => {
if (err) {
console.error(err);
} else {
console.log('Response:', response);
}
connection.end();
});
Defining Thrift Data Types
This Thrift IDL file defines a data structure `MyStruct` and a service `MyService` with a method `myMethod` that takes `MyStruct` as an argument. This file is used to generate the necessary code for both the client and server.
namespace js MyService
struct MyStruct {
1: i32 id,
2: string name
}
service MyService {
string myMethod(1: MyStruct myStruct)
}
gRPC is a high-performance, open-source universal RPC framework originally developed by Google. It uses HTTP/2 for transport, Protocol Buffers as the interface description language, and provides features such as authentication, load balancing, and more. Compared to Thrift, gRPC is more modern and has better support for streaming and bi-directional communication.
protobufjs is a pure JavaScript implementation of Protocol Buffers, Google's data interchange format. While it does not provide RPC capabilities out of the box like Thrift, it is often used in conjunction with gRPC to define and serialize structured data. It is more lightweight and focused solely on data serialization.
avro-js is a JavaScript library for working with Apache Avro, a data serialization system. Avro is similar to Thrift in that it provides a compact, fast, binary data format. However, Avro is more focused on data serialization and schema evolution, and does not provide RPC capabilities.
Thrift protocol implementation for nodejs. As of version 0.0.1, the basic protocol has been implemented. A Thrift compiler that will generate the .js files from a Thrift specification is being implemented as well, see the Thrift Compiler section below.
NOTE: you must use the framed thrift transport, TFramedTransport in most implementations, on the server side. Using a popular example, this is enabled by default in Cassandra 0.7 (but configuration must be changed in Cassandra 0.6.x and earlier).
A Thrift compiler is being built in a forked version of the upstream thrift library. You can check it out here: https://github.com/wadey/thrift
Once you build this patched version of Thrift, you can compile nodejs sources by running the following:
thrift --gen js:node thrift_file
Here is a Cassandra example:
var thrift = require('thrift'),
Cassandra = require('./gen-nodejs/Cassandra')
ttypes = require('./gen-nodejs/cassandra_types');
var connection = thrift.createConnection("localhost", 9160),
client = thrift.createClient(Cassandra, connection);
connection.on('error', function(err) {
console.error(err);
});
client.get_slice("Keyspace", "key", new ttypes.ColumnParent({column_family: "ExampleCF"}), new ttypes.SlicePredicate({slice_range: new ttypes.SliceRange({start: '', finish: ''})}), ttypes.ConsistencyLevel.ONE, function(err, data) {
if (err) {
// handle err
} else {
// data == [ttypes.ColumnOrSuperColumn, ...]
}
connection.end();
});
An example based on the one shown on the Thrift front page is included in the examples folder.
FAQs
node.js bindings for the Apache Thrift RPC system
We found that thrift demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.