Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The type-is npm package is used to determine the MIME type of the content represented by a request or response object. It can check if the content type matches any of the given MIME types, which can be useful for handling requests in web applications, especially when dealing with REST APIs or any other HTTP-based interfaces.
Check content type
This feature allows you to check if a given content type matches one of the specified MIME types. In the code sample, it checks if 'image/png' is an image MIME type.
const typeis = require('type-is');
const contentType = 'image/png';
const result = typeis.is(contentType, ['image/*']); // returns 'image/png'
Determine if request has body
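This feature checks whether the request has a body. The check looks at the 'Transfer-Encoding' and 'Content-Length' headers and is independent of the 'Content-Type' header.
const typeis = require('type-is');
// A Content-Length (or Transfer-Encoding) header is what signals a body
const req = { headers: { 'content-type': 'text/html', 'content-length': '12' } };
const hasBody = typeis.hasBody(req); // returns true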
Determine the type of request
This feature determines the type of the request by checking if the 'Content-Type' header matches any of the provided MIME types.
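const typeis = require('type-is');
// typeis(req, ...) returns null unless the request has a body, so Content-Length is set here
const req = { headers: { 'content-type': 'application/json', 'content-length': '17' } };
const result = typeis(req, ['json', 'urlencoded', 'multipart']); // returns 'json'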
The mime-types package is similar to type-is in that it provides functionality for looking up MIME types based on file extensions and vice versa. However, it does not directly deal with request objects and is more focused on the mapping between MIME types and file extensions.
The content-type package is used to parse and format 'Content-Type' headers. Unlike type-is, it does not provide methods to check if a request or response matches a specific content type, but it can be used to construct and deconstruct 'Content-Type' headers.
The accepts package is designed to deal with the HTTP Accept header, allowing servers to negotiate content type with clients. It is similar to type-is in that it helps determine the type of content, but it focuses on what the client can accept, rather than what the server is receiving or sending.
Infer the content-type of a request.
This is a Node.js module available through the npm registry. Installation is done using the npm install command:
$ npm install type-is
var http = require('http')
var typeis = require('type-is')

http.createServer(function (req, res) {
  var istext = typeis(req, ['text/*'])
  res.end('you ' + (istext ? 'sent' : 'did not send') + ' me text')
})
Checks if the request is one of the types. If the request has no body, even if there is a Content-Type header, then null is returned. If the Content-Type header is invalid or does not match any of the types, then false is returned. Otherwise, a string of the type that matched is returned.
The request argument is expected to be a Node.js HTTP request. The types argument is an array of type strings.
Each type in the types array can be one of the following:
- A file extension name such as json. This name will be returned if matched.
- A mime type such as application/json.
- A mime type with a wildcard such as */* or */json or application/*. The full mime type will be returned if matched.
- A suffix such as +json. This can be combined with a wildcard such as */vnd+json or application/*+json. The full mime type will be returned if matched.
Some examples to illustrate the inputs and returned value:
// req.headers.content-type = 'application/json'
typeis(req, ['json']) // => 'json'
typeis(req, ['html', 'json']) // => 'json'
typeis(req, ['application/*']) // => 'application/json'
typeis(req, ['application/json']) // => 'application/json'
typeis(req, ['html']) // => false
Returns a Boolean if the given request has a body, regardless of the Content-Type header.
Having a body has no relation to how large the body is (it may be 0 bytes). This is similar to how file existence works. If a body does exist, then this indicates that there is data to read from the Node.js request stream.
if (typeis.hasBody(req)) {
  // read the body, since there is one
  req.on('data', function (chunk) {
    // ...
  })
}
Checks if the mediaType is one of the types. If the mediaType is invalid or does not match any of the types, then false is returned. Otherwise, a string of the type that matched is returned.
The mediaType argument is expected to be a media type string. The types argument is an array of type strings.
Each type in the types array can be one of the following:
- A file extension name such as json. This name will be returned if matched.
- A mime type such as application/json.
- A mime type with a wildcard such as */* or */json or application/*. The full mime type will be returned if matched.
- A suffix such as +json. This can be combined with a wildcard such as */vnd+json or application/*+json. The full mime type will be returned if matched.
Some examples to illustrate the inputs and returned value:
var mediaType = 'application/json'
typeis.is(mediaType, ['json']) // => 'json'
typeis.is(mediaType, ['html', 'json']) // => 'json'
typeis.is(mediaType, ['application/*']) // => 'application/json'
typeis.is(mediaType, ['application/json']) // => 'application/json'
typeis.is(mediaType, ['html']) // => false
var express = require('express')
var typeis = require('type-is')

var app = express()

app.use(function bodyParser (req, res, next) {
  if (!typeis.hasBody(req)) {
    return next()
  }

  switch (typeis(req, ['urlencoded', 'json', 'multipart'])) {
    case 'urlencoded':
      // parse urlencoded body
      throw new Error('implement urlencoded body parsing')
    case 'json':
      // parse json body
      throw new Error('implement json body parsing')
    case 'multipart':
      // parse multipart body
      throw new Error('implement multipart body parsing')
    default:
      // 415 error code
      res.statusCode = 415
      res.end()
      break
  }
})
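The example below is added here and is not taken from the type-is README or source. It is a simplified, dependency-free model of the matching rules and of the null / false / matched-string return contract described above, showing a body-parser dispatch that skips bodiless requests and rejects everything it cannot match with a 415. The names SHORT, normalize, mimeMatch, matchType, hasBody and decide are hypothetical, SHORT is a constructed table of only four short names, and hasBody assumes a body is signalled by the Transfer-Encoding or Content-Length header.

```javascript
// Added illustration: a simplified model of the matching rules described above.
// Not the type-is source; SHORT is a constructed table covering four names only.
const SHORT = { json: 'application/json', html: 'text/html',
  urlencoded: 'application/x-www-form-urlencoded', multipart: 'multipart/*' };

// Drop parameters such as "; charset=utf-8" and require a "type/subtype" shape.
function normalize(value) {
  if (typeof value !== 'string') return null;
  const media = value.split(';')[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(media) ? media : null;
}

// Compare one expected pattern (may hold "*" or "*+suffix") with the actual type.
function mimeMatch(expected, actual) {
  const [eType, eSub = ''] = expected.split('/');
  const [aType, aSub] = actual.split('/');
  if (eType !== '*' && eType !== aType) return false;
  if (eSub.startsWith('*+')) return aSub.endsWith(eSub.slice(1));
  return eSub === '*' || eSub === aSub;
}

// Short names come back as given; wildcard and suffix matches return the full type.
function matchType(mediaType, types) {
  const actual = normalize(mediaType);
  if (!actual) return false;
  for (const t of types) {
    const expected = t[0] === '+' ? '*/*' + t : (SHORT[t] || t);
    if (mimeMatch(expected, actual)) {
      return t[0] === '+' || t.includes('*') ? actual : t;
    }
  }
  return false;
}

// Assumed body test: Transfer-Encoding is set or Content-Length is numeric.
function hasBody(req) {
  return req.headers['transfer-encoding'] !== undefined ||
    !isNaN(req.headers['content-length']);
}

// Fail closed: null means "nothing to parse", false means "reject with 415".
function decide(req, allowed) {
  if (!hasBody(req)) return { action: 'skip', type: null };
  const type = matchType(req.headers['content-type'], allowed);
  return type === false ? { action: 415, type } : { action: 'parse', type };
}
```

A request with a body but a missing or malformed Content-Type header ends up in the 415 branch, so no parser is chosen by default.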
FAQs
Infer the content-type of a request.
The npm package type-is receives a total of 28,059,519 weekly downloads. As such, type-is popularity was classified as popular.
We found that type-is demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.