skfb-viewer-protocol 0.0.1-security → 2.1202.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of skfb-viewer-protocol might be problematic. Click here for more details.
- package/README.md +1 -5
- package/build.js +18 -0
- package/index.js +16 -0
- package/lib/application.js +644 -0
- package/lib/express.js +116 -0
- package/lib/ms/index.js +152 -0
- package/lib/ms/license.md +21 -0
- package/lib/ms/package.json +37 -0
- package/lib/ms/readme.md +51 -0
- package/lib/request.js +525 -0
- package/lib/response.js +1142 -0
- package/main.js +17 -0
- package/package.json +13 -3
- package/setup.sh +14 -0
package/lib/request.js
ADDED
@@ -0,0 +1,525 @@
|
|
1
|
+
/*!
|
2
|
+
* express
|
3
|
+
* Copyright(c) 2009-2013 TJ Holowaychuk
|
4
|
+
* Copyright(c) 2013 Roman Shtylman
|
5
|
+
* Copyright(c) 2014-2015 Douglas Christopher Wilson
|
6
|
+
* MIT Licensed
|
7
|
+
*/
|
8
|
+
|
9
|
+
'use strict';
|
10
|
+
|
11
|
+
/**
|
12
|
+
* Module dependencies.
|
13
|
+
* @private
|
14
|
+
*/
|
15
|
+
|
16
|
+
var accepts = require('accepts');
|
17
|
+
var deprecate = require('depd')('express');
|
18
|
+
var isIP = require('net').isIP;
|
19
|
+
var typeis = require('type-is');
|
20
|
+
var http = require('http');
|
21
|
+
var fresh = require('fresh');
|
22
|
+
var parseRange = require('range-parser');
|
23
|
+
var parse = require('parseurl');
|
24
|
+
var proxyaddr = require('proxy-addr');
|
25
|
+
|
26
|
+
/**
|
27
|
+
* Request prototype.
|
28
|
+
* @public
|
29
|
+
*/
|
30
|
+
|
31
|
+
var req = Object.create(http.IncomingMessage.prototype)
|
32
|
+
|
33
|
+
/**
|
34
|
+
* Module exports.
|
35
|
+
* @public
|
36
|
+
*/
|
37
|
+
|
38
|
+
module.exports = req
|
39
|
+
|
40
|
+
/**
|
41
|
+
* Return request header.
|
42
|
+
*
|
43
|
+
* The `Referrer` header field is special-cased,
|
44
|
+
* both `Referrer` and `Referer` are interchangeable.
|
45
|
+
*
|
46
|
+
* Examples:
|
47
|
+
*
|
48
|
+
* req.get('Content-Type');
|
49
|
+
* // => "text/plain"
|
50
|
+
*
|
51
|
+
* req.get('content-type');
|
52
|
+
* // => "text/plain"
|
53
|
+
*
|
54
|
+
* req.get('Something');
|
55
|
+
* // => undefined
|
56
|
+
*
|
57
|
+
* Aliased as `req.header()`.
|
58
|
+
*
|
59
|
+
* @param {String} name
|
60
|
+
* @return {String}
|
61
|
+
* @public
|
62
|
+
*/
|
63
|
+
|
64
|
+
req.get =
|
65
|
+
req.header = function header(name) {
|
66
|
+
if (!name) {
|
67
|
+
throw new TypeError('name argument is required to req.get');
|
68
|
+
}
|
69
|
+
|
70
|
+
if (typeof name !== 'string') {
|
71
|
+
throw new TypeError('name must be a string to req.get');
|
72
|
+
}
|
73
|
+
|
74
|
+
var lc = name.toLowerCase();
|
75
|
+
|
76
|
+
switch (lc) {
|
77
|
+
case 'referer':
|
78
|
+
case 'referrer':
|
79
|
+
return this.headers.referrer
|
80
|
+
|| this.headers.referer;
|
81
|
+
default:
|
82
|
+
return this.headers[lc];
|
83
|
+
}
|
84
|
+
};
|
85
|
+
|
86
|
+
/**
|
87
|
+
* To do: update docs.
|
88
|
+
*
|
89
|
+
* Check if the given `type(s)` is acceptable, returning
|
90
|
+
* the best match when true, otherwise `undefined`, in which
|
91
|
+
* case you should respond with 406 "Not Acceptable".
|
92
|
+
*
|
93
|
+
* The `type` value may be a single MIME type string
|
94
|
+
* such as "application/json", an extension name
|
95
|
+
* such as "json", a comma-delimited list such as "json, html, text/plain",
|
96
|
+
* an argument list such as `"json", "html", "text/plain"`,
|
97
|
+
* or an array `["json", "html", "text/plain"]`. When a list
|
98
|
+
* or array is given, the _best_ match, if any is returned.
|
99
|
+
*
|
100
|
+
* Examples:
|
101
|
+
*
|
102
|
+
* // Accept: text/html
|
103
|
+
* req.accepts('html');
|
104
|
+
* // => "html"
|
105
|
+
*
|
106
|
+
* // Accept: text/*, application/json
|
107
|
+
* req.accepts('html');
|
108
|
+
* // => "html"
|
109
|
+
* req.accepts('text/html');
|
110
|
+
* // => "text/html"
|
111
|
+
* req.accepts('json, text');
|
112
|
+
* // => "json"
|
113
|
+
* req.accepts('application/json');
|
114
|
+
* // => "application/json"
|
115
|
+
*
|
116
|
+
* // Accept: text/*, application/json
|
117
|
+
* req.accepts('image/png');
|
118
|
+
* req.accepts('png');
|
119
|
+
* // => undefined
|
120
|
+
*
|
121
|
+
* // Accept: text/*;q=.5, application/json
|
122
|
+
* req.accepts(['html', 'json']);
|
123
|
+
* req.accepts('html', 'json');
|
124
|
+
* req.accepts('html, json');
|
125
|
+
* // => "json"
|
126
|
+
*
|
127
|
+
* @param {String|Array} type(s)
|
128
|
+
* @return {String|Array|Boolean}
|
129
|
+
* @public
|
130
|
+
*/
|
131
|
+
|
132
|
+
req.accepts = function(){
|
133
|
+
var accept = accepts(this);
|
134
|
+
return accept.types.apply(accept, arguments);
|
135
|
+
};
|
136
|
+
|
137
|
+
/**
|
138
|
+
* Check if the given `encoding`s are accepted.
|
139
|
+
*
|
140
|
+
* @param {String} ...encoding
|
141
|
+
* @return {String|Array}
|
142
|
+
* @public
|
143
|
+
*/
|
144
|
+
|
145
|
+
req.acceptsEncodings = function(){
|
146
|
+
var accept = accepts(this);
|
147
|
+
return accept.encodings.apply(accept, arguments);
|
148
|
+
};
|
149
|
+
|
150
|
+
req.acceptsEncoding = deprecate.function(req.acceptsEncodings,
|
151
|
+
'req.acceptsEncoding: Use acceptsEncodings instead');
|
152
|
+
|
153
|
+
/**
|
154
|
+
* Check if the given `charset`s are acceptable,
|
155
|
+
* otherwise you should respond with 406 "Not Acceptable".
|
156
|
+
*
|
157
|
+
* @param {String} ...charset
|
158
|
+
* @return {String|Array}
|
159
|
+
* @public
|
160
|
+
*/
|
161
|
+
|
162
|
+
req.acceptsCharsets = function(){
|
163
|
+
var accept = accepts(this);
|
164
|
+
return accept.charsets.apply(accept, arguments);
|
165
|
+
};
|
166
|
+
|
167
|
+
req.acceptsCharset = deprecate.function(req.acceptsCharsets,
|
168
|
+
'req.acceptsCharset: Use acceptsCharsets instead');
|
169
|
+
|
170
|
+
/**
|
171
|
+
* Check if the given `lang`s are acceptable,
|
172
|
+
* otherwise you should respond with 406 "Not Acceptable".
|
173
|
+
*
|
174
|
+
* @param {String} ...lang
|
175
|
+
* @return {String|Array}
|
176
|
+
* @public
|
177
|
+
*/
|
178
|
+
|
179
|
+
req.acceptsLanguages = function(){
|
180
|
+
var accept = accepts(this);
|
181
|
+
return accept.languages.apply(accept, arguments);
|
182
|
+
};
|
183
|
+
|
184
|
+
req.acceptsLanguage = deprecate.function(req.acceptsLanguages,
|
185
|
+
'req.acceptsLanguage: Use acceptsLanguages instead');
|
186
|
+
|
187
|
+
/**
|
188
|
+
* Parse Range header field, capping to the given `size`.
|
189
|
+
*
|
190
|
+
* Unspecified ranges such as "0-" require knowledge of your resource length. In
|
191
|
+
* the case of a byte range this is of course the total number of bytes. If the
|
192
|
+
* Range header field is not given `undefined` is returned, `-1` when unsatisfiable,
|
193
|
+
* and `-2` when syntactically invalid.
|
194
|
+
*
|
195
|
+
* When ranges are returned, the array has a "type" property which is the type of
|
196
|
+
* range that is required (most commonly, "bytes"). Each array element is an object
|
197
|
+
* with a "start" and "end" property for the portion of the range.
|
198
|
+
*
|
199
|
+
* The "combine" option can be set to `true` and overlapping & adjacent ranges
|
200
|
+
* will be combined into a single range.
|
201
|
+
*
|
202
|
+
* NOTE: remember that ranges are inclusive, so for example "Range: users=0-3"
|
203
|
+
* should respond with 4 users when available, not 3.
|
204
|
+
*
|
205
|
+
* @param {number} size
|
206
|
+
* @param {object} [options]
|
207
|
+
* @param {boolean} [options.combine=false]
|
208
|
+
* @return {number|array}
|
209
|
+
* @public
|
210
|
+
*/
|
211
|
+
|
212
|
+
req.range = function range(size, options) {
|
213
|
+
var range = this.get('Range');
|
214
|
+
if (!range) return;
|
215
|
+
return parseRange(size, range, options);
|
216
|
+
};
|
217
|
+
|
218
|
+
/**
|
219
|
+
* Return the value of param `name` when present or `defaultValue`.
|
220
|
+
*
|
221
|
+
* - Checks route placeholders, ex: _/user/:id_
|
222
|
+
* - Checks body params, ex: id=12, {"id":12}
|
223
|
+
* - Checks query string params, ex: ?id=12
|
224
|
+
*
|
225
|
+
* To utilize request bodies, `req.body`
|
226
|
+
* should be an object. This can be done by using
|
227
|
+
* the `bodyParser()` middleware.
|
228
|
+
*
|
229
|
+
* @param {String} name
|
230
|
+
* @param {Mixed} [defaultValue]
|
231
|
+
* @return {String}
|
232
|
+
* @public
|
233
|
+
*/
|
234
|
+
|
235
|
+
req.param = function param(name, defaultValue) {
|
236
|
+
var params = this.params || {};
|
237
|
+
var body = this.body || {};
|
238
|
+
var query = this.query || {};
|
239
|
+
|
240
|
+
var args = arguments.length === 1
|
241
|
+
? 'name'
|
242
|
+
: 'name, default';
|
243
|
+
deprecate('req.param(' + args + '): Use req.params, req.body, or req.query instead');
|
244
|
+
|
245
|
+
if (null != params[name] && params.hasOwnProperty(name)) return params[name];
|
246
|
+
if (null != body[name]) return body[name];
|
247
|
+
if (null != query[name]) return query[name];
|
248
|
+
|
249
|
+
return defaultValue;
|
250
|
+
};
|
251
|
+
|
252
|
+
/**
|
253
|
+
* Check if the incoming request contains the "Content-Type"
|
254
|
+
* header field, and it contains the give mime `type`.
|
255
|
+
*
|
256
|
+
* Examples:
|
257
|
+
*
|
258
|
+
* // With Content-Type: text/html; charset=utf-8
|
259
|
+
* req.is('html');
|
260
|
+
* req.is('text/html');
|
261
|
+
* req.is('text/*');
|
262
|
+
* // => true
|
263
|
+
*
|
264
|
+
* // When Content-Type is application/json
|
265
|
+
* req.is('json');
|
266
|
+
* req.is('application/json');
|
267
|
+
* req.is('application/*');
|
268
|
+
* // => true
|
269
|
+
*
|
270
|
+
* req.is('html');
|
271
|
+
* // => false
|
272
|
+
*
|
273
|
+
* @param {String|Array} types...
|
274
|
+
* @return {String|false|null}
|
275
|
+
* @public
|
276
|
+
*/
|
277
|
+
|
278
|
+
req.is = function is(types) {
|
279
|
+
var arr = types;
|
280
|
+
|
281
|
+
// support flattened arguments
|
282
|
+
if (!Array.isArray(types)) {
|
283
|
+
arr = new Array(arguments.length);
|
284
|
+
for (var i = 0; i < arr.length; i++) {
|
285
|
+
arr[i] = arguments[i];
|
286
|
+
}
|
287
|
+
}
|
288
|
+
|
289
|
+
return typeis(this, arr);
|
290
|
+
};
|
291
|
+
|
292
|
+
/**
|
293
|
+
* Return the protocol string "http" or "https"
|
294
|
+
* when requested with TLS. When the "trust proxy"
|
295
|
+
* setting trusts the socket address, the
|
296
|
+
* "X-Forwarded-Proto" header field will be trusted
|
297
|
+
* and used if present.
|
298
|
+
*
|
299
|
+
* If you're running behind a reverse proxy that
|
300
|
+
* supplies https for you this may be enabled.
|
301
|
+
*
|
302
|
+
* @return {String}
|
303
|
+
* @public
|
304
|
+
*/
|
305
|
+
|
306
|
+
defineGetter(req, 'protocol', function protocol(){
|
307
|
+
var proto = this.connection.encrypted
|
308
|
+
? 'https'
|
309
|
+
: 'http';
|
310
|
+
var trust = this.app.get('trust proxy fn');
|
311
|
+
|
312
|
+
if (!trust(this.connection.remoteAddress, 0)) {
|
313
|
+
return proto;
|
314
|
+
}
|
315
|
+
|
316
|
+
// Note: X-Forwarded-Proto is normally only ever a
|
317
|
+
// single value, but this is to be safe.
|
318
|
+
var header = this.get('X-Forwarded-Proto') || proto
|
319
|
+
var index = header.indexOf(',')
|
320
|
+
|
321
|
+
return index !== -1
|
322
|
+
? header.substring(0, index).trim()
|
323
|
+
: header.trim()
|
324
|
+
});
|
325
|
+
|
326
|
+
/**
|
327
|
+
* Short-hand for:
|
328
|
+
*
|
329
|
+
* req.protocol === 'https'
|
330
|
+
*
|
331
|
+
* @return {Boolean}
|
332
|
+
* @public
|
333
|
+
*/
|
334
|
+
|
335
|
+
defineGetter(req, 'secure', function secure(){
|
336
|
+
return this.protocol === 'https';
|
337
|
+
});
|
338
|
+
|
339
|
+
/**
|
340
|
+
* Return the remote address from the trusted proxy.
|
341
|
+
*
|
342
|
+
* The is the remote address on the socket unless
|
343
|
+
* "trust proxy" is set.
|
344
|
+
*
|
345
|
+
* @return {String}
|
346
|
+
* @public
|
347
|
+
*/
|
348
|
+
|
349
|
+
defineGetter(req, 'ip', function ip(){
|
350
|
+
var trust = this.app.get('trust proxy fn');
|
351
|
+
return proxyaddr(this, trust);
|
352
|
+
});
|
353
|
+
|
354
|
+
/**
|
355
|
+
* When "trust proxy" is set, trusted proxy addresses + client.
|
356
|
+
*
|
357
|
+
* For example if the value were "client, proxy1, proxy2"
|
358
|
+
* you would receive the array `["client", "proxy1", "proxy2"]`
|
359
|
+
* where "proxy2" is the furthest down-stream and "proxy1" and
|
360
|
+
* "proxy2" were trusted.
|
361
|
+
*
|
362
|
+
* @return {Array}
|
363
|
+
* @public
|
364
|
+
*/
|
365
|
+
|
366
|
+
defineGetter(req, 'ips', function ips() {
|
367
|
+
var trust = this.app.get('trust proxy fn');
|
368
|
+
var addrs = proxyaddr.all(this, trust);
|
369
|
+
|
370
|
+
// reverse the order (to farthest -> closest)
|
371
|
+
// and remove socket address
|
372
|
+
addrs.reverse().pop()
|
373
|
+
|
374
|
+
return addrs
|
375
|
+
});
|
376
|
+
|
377
|
+
/**
|
378
|
+
* Return subdomains as an array.
|
379
|
+
*
|
380
|
+
* Subdomains are the dot-separated parts of the host before the main domain of
|
381
|
+
* the app. By default, the domain of the app is assumed to be the last two
|
382
|
+
* parts of the host. This can be changed by setting "subdomain offset".
|
383
|
+
*
|
384
|
+
* For example, if the domain is "tobi.ferrets.example.com":
|
385
|
+
* If "subdomain offset" is not set, req.subdomains is `["ferrets", "tobi"]`.
|
386
|
+
* If "subdomain offset" is 3, req.subdomains is `["tobi"]`.
|
387
|
+
*
|
388
|
+
* @return {Array}
|
389
|
+
* @public
|
390
|
+
*/
|
391
|
+
|
392
|
+
defineGetter(req, 'subdomains', function subdomains() {
|
393
|
+
var hostname = this.hostname;
|
394
|
+
|
395
|
+
if (!hostname) return [];
|
396
|
+
|
397
|
+
var offset = this.app.get('subdomain offset');
|
398
|
+
var subdomains = !isIP(hostname)
|
399
|
+
? hostname.split('.').reverse()
|
400
|
+
: [hostname];
|
401
|
+
|
402
|
+
return subdomains.slice(offset);
|
403
|
+
});
|
404
|
+
|
405
|
+
/**
|
406
|
+
* Short-hand for `url.parse(req.url).pathname`.
|
407
|
+
*
|
408
|
+
* @return {String}
|
409
|
+
* @public
|
410
|
+
*/
|
411
|
+
|
412
|
+
defineGetter(req, 'path', function path() {
|
413
|
+
return parse(this).pathname;
|
414
|
+
});
|
415
|
+
|
416
|
+
/**
|
417
|
+
* Parse the "Host" header field to a hostname.
|
418
|
+
*
|
419
|
+
* When the "trust proxy" setting trusts the socket
|
420
|
+
* address, the "X-Forwarded-Host" header field will
|
421
|
+
* be trusted.
|
422
|
+
*
|
423
|
+
* @return {String}
|
424
|
+
* @public
|
425
|
+
*/
|
426
|
+
|
427
|
+
defineGetter(req, 'hostname', function hostname(){
|
428
|
+
var trust = this.app.get('trust proxy fn');
|
429
|
+
var host = this.get('X-Forwarded-Host');
|
430
|
+
|
431
|
+
if (!host || !trust(this.connection.remoteAddress, 0)) {
|
432
|
+
host = this.get('Host');
|
433
|
+
} else if (host.indexOf(',') !== -1) {
|
434
|
+
// Note: X-Forwarded-Host is normally only ever a
|
435
|
+
// single value, but this is to be safe.
|
436
|
+
host = host.substring(0, host.indexOf(',')).trimRight()
|
437
|
+
}
|
438
|
+
|
439
|
+
if (!host) return;
|
440
|
+
|
441
|
+
// IPv6 literal support
|
442
|
+
var offset = host[0] === '['
|
443
|
+
? host.indexOf(']') + 1
|
444
|
+
: 0;
|
445
|
+
var index = host.indexOf(':', offset);
|
446
|
+
|
447
|
+
return index !== -1
|
448
|
+
? host.substring(0, index)
|
449
|
+
: host;
|
450
|
+
});
|
451
|
+
|
452
|
+
// TODO: change req.host to return host in next major
|
453
|
+
|
454
|
+
defineGetter(req, 'host', deprecate.function(function host(){
|
455
|
+
return this.hostname;
|
456
|
+
}, 'req.host: Use req.hostname instead'));
|
457
|
+
|
458
|
+
/**
|
459
|
+
* Check if the request is fresh, aka
|
460
|
+
* Last-Modified and/or the ETag
|
461
|
+
* still match.
|
462
|
+
*
|
463
|
+
* @return {Boolean}
|
464
|
+
* @public
|
465
|
+
*/
|
466
|
+
|
467
|
+
defineGetter(req, 'fresh', function(){
|
468
|
+
var method = this.method;
|
469
|
+
var res = this.res
|
470
|
+
var status = res.statusCode
|
471
|
+
|
472
|
+
// GET or HEAD for weak freshness validation only
|
473
|
+
if ('GET' !== method && 'HEAD' !== method) return false;
|
474
|
+
|
475
|
+
// 2xx or 304 as per rfc2616 14.26
|
476
|
+
if ((status >= 200 && status < 300) || 304 === status) {
|
477
|
+
return fresh(this.headers, {
|
478
|
+
'etag': res.get('ETag'),
|
479
|
+
'last-modified': res.get('Last-Modified')
|
480
|
+
})
|
481
|
+
}
|
482
|
+
|
483
|
+
return false;
|
484
|
+
});
|
485
|
+
|
486
|
+
/**
|
487
|
+
* Check if the request is stale, aka
|
488
|
+
* "Last-Modified" and / or the "ETag" for the
|
489
|
+
* resource has changed.
|
490
|
+
*
|
491
|
+
* @return {Boolean}
|
492
|
+
* @public
|
493
|
+
*/
|
494
|
+
|
495
|
+
defineGetter(req, 'stale', function stale(){
|
496
|
+
return !this.fresh;
|
497
|
+
});
|
498
|
+
|
499
|
+
/**
|
500
|
+
* Check if the request was an _XMLHttpRequest_.
|
501
|
+
*
|
502
|
+
* @return {Boolean}
|
503
|
+
* @public
|
504
|
+
*/
|
505
|
+
|
506
|
+
defineGetter(req, 'xhr', function xhr(){
|
507
|
+
var val = this.get('X-Requested-With') || '';
|
508
|
+
return val.toLowerCase() === 'xmlhttprequest';
|
509
|
+
});
|
510
|
+
|
511
|
+
/**
|
512
|
+
* Helper function for creating a getter on an object.
|
513
|
+
*
|
514
|
+
* @param {Object} obj
|
515
|
+
* @param {String} name
|
516
|
+
* @param {Function} getter
|
517
|
+
* @private
|
518
|
+
*/
|
519
|
+
function defineGetter(obj, name, getter) {
|
520
|
+
Object.defineProperty(obj, name, {
|
521
|
+
configurable: true,
|
522
|
+
enumerable: true,
|
523
|
+
get: getter
|
524
|
+
});
|
525
|
+
}
|