Associated Vulnerability
Title:debug 安全漏洞 (CVE-2017-20165)Description:debug是Debug.js开源的一个以 Node.js 核心调试技术为模型的小型 JavaScript 调试实用程序。 debug 3.1.0之前版本存在安全漏洞,该漏洞源于文件 src/node.js 的函数 useColors, 对参数 str 的操作导致低效的正则表达式复杂性。
Description
Fork of the send module to deal with CVE-2017-20165
Readme
# @fastify/send
[](https://www.npmjs.com/package/@fastify/send)
[](https://standardjs.com/)
Send is a library for streaming files from the file system as an HTTP response
supporting partial responses (Ranges), conditional-GET negotiation (If-Match,
If-Unmodified-Since, If-None-Match, If-Modified-Since), high test coverage,
and granular events which may be leveraged to take appropriate actions in your
application or framework.
## Installation
This is a [Node.js](https://nodejs.org/en/) module available through the
[npm registry](https://www.npmjs.com/). Installation is done using the
[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):
```bash
$ npm install @fastify/send
```
### TypeScript
`@types/mime@3` must be used if wanting to use TypeScript;
`@types/mime@4` removed the `mime` types.
```bash
$ npm install -D @types/mime@3
```
## API
```js
var send = require('@fastify/send')
```
### send(req, path, [options])
Provide `statusCode`, `headers` and `stream` for the given path to send to a
`res`. The `req` is the Node.js HTTP request and the `path `is a urlencoded path
to send (urlencoded, not the actual file-system path).
#### Options
##### acceptRanges
Enable or disable accepting ranged requests, defaults to true.
Disabling this will not send `Accept-Ranges` and ignore the contents
of the `Range` request header.
##### cacheControl
Enable or disable setting `Cache-Control` response header, defaults to
true. Disabling this will ignore the `immutable` and `maxAge` options.
##### dotfiles
Set how "dotfiles" are treated when encountered. A dotfile is a file
or directory that begins with a dot ("."). Note this check is done on
the path itself without checking if the path exists on the
disk. If `root` is specified, only the dotfiles above the root are
checked (i.e. the root itself can be within a dotfile when set
to "deny").
- `'allow'` No special treatment for dotfiles.
- `'deny'` Send a 403 for any request for a dotfile.
- `'ignore'` Pretend like the dotfile does not exist and 404.
The default value is _similar_ to `'ignore'`, with the exception that
this default will not ignore the files within a directory that begins
with a dot, for backward-compatibility.
##### end
Byte offset at which the stream ends, defaults to the length of the file
minus 1. The end is inclusive in the stream, meaning `end: 3` will include
the 4th byte in the stream.
##### etag
Enable or disable etag generation, defaults to true.
##### extensions
If a given file doesn't exist, try appending one of the given extensions,
in the given order. By default, this is disabled (set to `false`). An
example value that will serve extension-less HTML files: `['html', 'htm']`.
This is skipped if the requested file already has an extension.
##### immutable
Enable or disable the `immutable` directive in the `Cache-Control` response
header, defaults to `false`. If set to `true`, the `maxAge` option should
also be specified to enable caching. The `immutable` directive will prevent
supported clients from making conditional requests during the life of the
`maxAge` option to check if the file has changed.
##### index
By default send supports "index.html" files, to disable this
set `false` or to supply a new index pass a string or an array
in preferred order.
##### lastModified
Enable or disable `Last-Modified` header, defaults to true. Uses the file
system's last modified value.
##### maxAge
Provide a max-age in milliseconds for HTTP caching, defaults to 0.
This can also be a string accepted by the
[ms](https://www.npmjs.org/package/ms#readme) module.
##### root
Serve files relative to `path`.
##### start
Byte offset at which the stream starts, defaults to 0. The start is inclusive,
meaning `start: 2` will include the 3rd byte in the stream.
### .mime
The `mime` export is the global instance of the
[`mime` npm module](https://www.npmjs.com/package/mime).
This is used to configure the MIME types that are associated with file extensions
as well as other options for how to resolve the MIME type of a file (like the
default type to use for an unknown file extension).
## Caching
It does _not_ perform internal caching, you should use a reverse proxy cache
such as Varnish for this, or those fancy things called CDNs. If your
application is small enough that it would benefit from single-node memory
caching, it's small enough that it does not need caching at all ;).
## Debugging
To enable `debug()` instrumentation output export __NODE_DEBUG__:
```
$ NODE_DEBUG=send node app
```
## Running tests
```
$ npm install
$ npm test
```
## Examples
### Serve a specific file
This simple example will send a specific file to all requests.
```js
var http = require('node:http')
var send = require('send')
var server = http.createServer(async function onRequest (req, res) {
const { statusCode, headers, stream } = await send(req, '/path/to/index.html')
res.writeHead(statusCode, headers)
stream.pipe(res)
})
server.listen(3000)
```
### Serve all files from a directory
This simple example will just serve up all the files in a
given directory as the top-level. For example, a request
`GET /foo.txt` will send back `/www/public/foo.txt`.
```js
var http = require('node:http')
var parseUrl = require('parseurl')
var send = require('@fastify/send')
var server = http.createServer(async function onRequest (req, res) {
const { statusCode, headers, stream } = await send(req, parseUrl(req).pathname, { root: '/www/public' })
res.writeHead(statusCode, headers)
stream.pipe(res)
})
server.listen(3000)
```
### Custom file types
```js
var http = require('node:http')
var parseUrl = require('parseurl')
var send = require('@fastify/send')
// Default unknown types to text/plain
send.mime.default_type = 'text/plain'
// Add a custom type
send.mime.define({
'application/x-my-type': ['x-mt', 'x-mtt']
})
var server = http.createServer(function onRequest (req, res) {
const { statusCode, headers, stream } = await send(req, parseUrl(req).pathname, { root: '/www/public' })
res.writeHead(statusCode, headers)
stream.pipe(res)
})
server.listen(3000)
```
### Custom directory index view
This is an example of serving up a structure of directories with a
custom function to render a listing of a directory.
```js
var http = require('node:http')
var fs = require('node:fs')
var parseUrl = require('parseurl')
var send = require('@fastify/send')
// Transfer arbitrary files from within /www/example.com/public/*
// with a custom handler for directory listing
var server = http.createServer(async function onRequest (req, res) {
const { statusCode, headers, stream, type, metadata } = await send(req, parseUrl(req).pathname, { index: false, root: '/www/public' })
if(type === 'directory') {
// get directory list
const list = await readdir(metadata.path)
// render an index for the directory
res.writeHead(200, { 'Content-Type': 'text/plain; charset=UTF-8' })
res.end(list.join('\n') + '\n')
} else {
res.writeHead(statusCode, headers)
stream.pipe(res)
}
})
server.listen(3000)
```
### Serving from a root directory with custom error-handling
```js
var http = require('node:http')
var parseUrl = require('parseurl')
var send = require('@fastify/send')
var server = http.createServer(async function onRequest (req, res) {
// transfer arbitrary files from within
// /www/example.com/public/*
const { statusCode, headers, stream, type, metadata } = await send(req, parseUrl(req).pathname, { root: '/www/public' })
switch (type) {
case 'directory': {
// your custom directory handling logic:
res.writeHead(301, {
'Location': metadata.requestPath + '/'
})
res.end('Redirecting to ' + metadata.requestPath + '/')
break
}
case 'error': {
// your custom error-handling logic:
res.writeHead(metadata.error.status ?? 500, {})
res.end(metadata.error.message)
break
}
default: {
// your custom headers
// serve all files for download
res.setHeader('Content-Disposition', 'attachment')
res.writeHead(statusCode, headers)
stream.pipe(res)
}
}
})
server.listen(3000)
```
## License
[MIT](LICENSE)
File Snapshot
[4.0K] /data/pocs/9dd49c5b768bdac47501d79a1b619cc7fd2c3b3b
├── [4.0K] benchmarks
│ ├── [ 521] collapseLeadingSlashes.js
│ ├── [ 670] containsDotFile.js
│ ├── [ 743] isUtf8MimeType.js
│ ├── [ 547] normalizeList.js
│ └── [ 604] parseBytesRange.js
├── [4.0K] examples
│ ├── [ 20] index.html
│ └── [ 384] simple.js
├── [ 13K] HISTORY.md
├── [ 513] index.js
├── [4.0K] lib
│ ├── [ 431] collapseLeadingSlashes.js
│ ├── [ 446] containsDotFile.js
│ ├── [ 416] contentRange.js
│ ├── [ 633] createHtmlDocument.js
│ ├── [ 443] createHttpError.js
│ ├── [ 314] isUtf8MimeType.js
│ ├── [ 636] normalizeList.js
│ ├── [2.7K] parseBytesRange.js
│ ├── [ 849] parseTokenList.js
│ └── [ 17K] send.js
├── [1.1K] LICENSE
├── [1.3K] package.json
├── [8.3K] README.md
├── [4.0K] test
│ ├── [ 629] collapseLeadingSlashes.test.js
│ ├── [ 454] containsDotFile.test.js
│ ├── [4.0K] fixtures
│ │ ├── [ 3] do..ts.txt
│ │ ├── [ 0] empty.txt
│ │ ├── [4.0K] images
│ │ │ └── [ 522] node-js.png
│ │ ├── [4.0K] name.d
│ │ │ └── [ 4] name.txt
│ │ ├── [4.0K] name.dir
│ │ │ └── [ 4] name.txt
│ │ ├── [ 11] name.html
│ │ ├── [ 4] name.txt
│ │ ├── [ 6] no_ext
│ │ ├── [ 9] nums.txt
│ │ ├── [4.0K] pets
│ │ │ └── [ 14] index.html
│ │ ├── [4.0K] snow ☃
│ │ │ └── [ 0] index.html
│ │ ├── [ 3] some thing.txt
│ │ ├── [ 12] thing.html.html
│ │ └── [ 11] tobi.html
│ ├── [ 563] isUtf8MimeType.test.js
│ ├── [1.5K] mime.test.js
│ ├── [ 830] normalizeList.test.js
│ ├── [3.4K] parseBytesRange.test.js
│ ├── [ 19K] send.1.test.js
│ ├── [ 34K] send.2.test.js
│ ├── [3.9K] send.3.test.js
│ └── [ 820] utils.js
└── [4.0K] types
├── [4.9K] index.d.ts
└── [1.4K] index.test-d.ts
11 directories, 48 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.