Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
The thrift npm package is a JavaScript implementation of the Apache Thrift framework, which is used for scalable cross-language services development. Thrift allows you to define data types and service interfaces in a simple definition file, and it generates code to be used across multiple languages. This makes it easier to build and maintain services that communicate across different programming languages.
Defining a Thrift Service
This code demonstrates how to define a Thrift service in Node.js. The service is defined in a Thrift IDL file, which is then compiled to generate the necessary JavaScript files. The server listens on port 9090 and implements a method called `myMethod`.
const thrift = require('thrift');
const MyService = require('./gen-nodejs/MyService');
const ttypes = require('./gen-nodejs/my_types');
const server = thrift.createServer(MyService, {
myMethod: function(arg, result) {
console.log('myMethod called with:', arg);
result(null, 'response');
}
});
server.listen(9090);
Creating a Thrift Client
This code demonstrates how to create a Thrift client in Node.js. The client connects to the Thrift server running on localhost at port 9090 and calls the `myMethod` function, passing an argument and handling the response.
const thrift = require('thrift');
const MyService = require('./gen-nodejs/MyService');
const connection = thrift.createConnection('localhost', 9090);
const client = thrift.createClient(MyService, connection);
client.myMethod('argument', (err, response) => {
if (err) {
console.error(err);
} else {
console.log('Response:', response);
}
connection.end();
});
Defining Thrift Data Types
This Thrift IDL file defines a data structure `MyStruct` and a service `MyService` with a method `myMethod` that takes `MyStruct` as an argument. This file is used to generate the necessary code for both the client and server.
namespace js MyService
struct MyStruct {
1: i32 id,
2: string name
}
service MyService {
string myMethod(1: MyStruct myStruct)
}
gRPC is a high-performance, open-source universal RPC framework originally developed by Google. It uses HTTP/2 for transport, Protocol Buffers as the interface description language, and provides features such as authentication, load balancing, and more. Compared to Thrift, gRPC is more modern and has better support for streaming and bi-directional communication.
protobufjs is a pure JavaScript implementation of Protocol Buffers, Google's data interchange format. While it does not provide RPC capabilities out of the box like Thrift, it is often used in conjunction with gRPC to define and serialize structured data. It is more lightweight and focused solely on data serialization.
avro-js is a JavaScript library for working with Apache Avro, a data serialization system. Avro is similar to Thrift in that it provides a compact, fast, binary data format. However, Avro is more focused on data serialization and schema evolution, and does not provide RPC capabilities.
Last Modified: 2014-03-16
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Thrift is a lightweight, language-independent software stack with an associated code generation mechanism for RPC. Thrift provides clean abstractions for data transport, data serialization, and application level processing. The code generation system takes a simple definition language as its input and generates code across programming languages that uses the abstracted stack to build interoperable RPC clients and servers.
Thrift is specifically designed to support non-atomic version changes across client and server code.
For more details on Thrift's design and implementation, take a gander at the Thrift whitepaper included in this distribution or at the README.md files in your particular subdirectory of interest.
thrift/
compiler/
Contains the Thrift compiler, implemented in C++.
lib/
Contains the Thrift software library implementation, subdivided by
language of implementation.
cpp/
go/
java/
php/
py/
rb/
test/
Contains sample Thrift files and test code across the target programming
languages.
tutorial/
Contains a basic tutorial that will teach you how to develop software
using Thrift.
See http://thrift.apache.org/docs/install for an up-to-date list of build requirements.
More information about Thrift can be obtained on the Thrift webpage at:
http://thrift.apache.org
Thrift was inspired by pillar, a lightweight RPC tool written by Adam D'Angelo, and also by Google's protocol buffers.
If you are building from the first time out of the source repository, you will need to generate the configure scripts. (This is not necessary if you downloaded a tarball.) From the top directory, do:
./bootstrap.sh
Once the configure scripts are generated, thrift can be configured. From the top directory, do:
./configure
You may need to specify the location of the boost files explicitly. If you installed boost in /usr/local, you would run configure as follows:
./configure --with-boost=/usr/local
Note that by default the thrift C++ library is typically built with debugging symbols included. If you want to customize these options you should use the CXXFLAGS option in configure, as such:
./configure CXXFLAGS='-g -O2'
./configure CFLAGS='-g -O2'
./configure CPPFLAGS='-DDEBUG_MY_FEATURE'
To enable gcov required options -fprofile-arcs -ftest-coverage enable them:
./configure --enable-coverage
Run ./configure --help to see other configuration options
Please be aware that the Python library will ignore the --prefix option and just install wherever Python's distutils puts it (usually along the lines of /usr/lib/pythonX.Y/site-packages/). If you need to control where the Python modules are installed, set the PY_PREFIX variable. (DESTDIR is respected for Python and C++.)
Make thrift:
make
From the top directory, become superuser and do:
make install
Note that some language packages must be installed manually using build tools better suited to those languages (at the time of this writing, this applies to Java, Ruby, PHP).
Look for the README.md file in the lib// folder for more details on the installation of each language library package.
There are a large number of client library tests that can all be run from the top-level directory.
make -k check
This will make all of the libraries (as necessary), and run through the unit tests defined in each of the client libraries. If a single language fails, the make check will continue on and provide a synopsis at the end.
To run the cross-language test suite, please run:
make cross
This will run a set of tests that use different language clients and servers.
0.9.3
FAQs
node.js bindings for the Apache Thrift RPC system
We found that thrift demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.