pax_global_header00006660000000000000000000000064147711255740014527gustar00rootroot0000000000000052 comment=7c92a68b67600992d877cf1869d171d9fb3a033f send-1.2.0/000077500000000000000000000000001477112557400124605ustar00rootroot00000000000000send-1.2.0/.eslintignore000066400000000000000000000000261477112557400151610ustar00rootroot00000000000000coverage node_modules send-1.2.0/.eslintrc.yml000066400000000000000000000002741477112557400151070ustar00rootroot00000000000000root: true extends: - standard - plugin:markdown/recommended plugins: - markdown overrides: - files: '**/*.md' processor: 'markdown/markdown' rules: no-param-reassign: error send-1.2.0/.github/000077500000000000000000000000001477112557400140205ustar00rootroot00000000000000send-1.2.0/.github/workflows/000077500000000000000000000000001477112557400160555ustar00rootroot00000000000000send-1.2.0/.github/workflows/ci.yml000066400000000000000000000046141477112557400172000ustar00rootroot00000000000000name: ci on: push: branches: - master paths-ignore: - '*.md' pull_request: paths-ignore: - '*.md' permissions: contents: read # Cancel in progress workflows # in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run concurrency: group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" cancel-in-progress: true jobs: lint: name: Lint runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: "lts/*" - name: Install dependencies run: npm install --ignore-scripts --include=dev - name: Run lint run: npm run lint test: name: Test - Node.js ${{ matrix.node-version }} - ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest] # Node.js release schedule: https://nodejs.org/en/about/releases/ node-version: [18, 19, 20, 21, 22, 23] steps: - uses: actions/checkout@v4 - name: Setup Node.js ${{ matrix.node-version }} uses: actions/setup-node@v4 with: check-latest: true node-version: ${{ matrix.node-version }} - name: Configure npm loglevel run: npm config set loglevel error - name: Install dependencies run: npm install - name: Run tests run: npm run test-ci - name: Upload code coverage uses: actions/upload-artifact@v4 with: name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }} path: ./coverage/lcov.info retention-days: 1 coverage: needs: test runs-on: ubuntu-latest permissions: contents: read checks: write steps: - uses: actions/checkout@v4 - name: Install lcov run: sudo apt-get -y install lcov - name: Collect coverage reports uses: actions/download-artifact@v4 with: path: ./coverage pattern: coverage-node-* - name: Merge coverage reports run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info - name: Upload coverage report uses: coverallsapp/github-action@v2 with: file: ./lcov.info send-1.2.0/.github/workflows/scorecard.yml000066400000000000000000000056461477112557400205600ustar00rootroot00000000000000# This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '16 21 * * 1' push: branches: [ "master" ] # Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write # Uncomment the permissions below if installing in a private repository. # contents: read # actions: read steps: - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 with: persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 with: sarif_file: results.sarif send-1.2.0/.gitignore000066400000000000000000000001051477112557400144440ustar00rootroot00000000000000.nyc_output/ coverage/ node_modules/ npm-debug.log package-lock.json send-1.2.0/HISTORY.md000066400000000000000000000347211477112557400141520ustar00rootroot000000000000001.2.0 / 2025-03-27 ================== * deps: * `mime-types@^3.0.1` * `fresh@^2.0.0` * removed `destroy` * remove `getHeaderNames()` polyfill and refactor `clearHeaders()` 1.1.0 / 2024-09-10 ================== * Changes from 0.19.0 1.0.0 / 2024-07-25 ================== * Drop support for Node.js <18.0 * `statuses@^2.0.1` * `range-parser@^1.2.1` * `on-finished@^2.4.1` * `ms@^2.1.3` * `mime-types@^2.1.35` * `http-errors@^2.0.0` * `fresh@^0.5.2` * `etag@^1.8.1` * `escape-html@^1.0.3` * `encodeurl@^2.0.0` * `destroy@^1.2.0` * `debug@^4.3.5` 1.0.0-beta.2 / 2024-03-04 ========================= * Changes from 0.18.0 1.0.0-beta.1 / 2022-02-04 ========================= * Drop support for Node.js 0.8 * Remove `hidden` option -- use `dotfiles` option * Remove `from` alias to `root` -- use `root` directly * Remove `send.etag()` -- use `etag` in `options` * Remove `send.index()` -- use `index` in `options` * Remove `send.maxage()` -- use `maxAge` in `options` * Remove `send.root()` -- use `root` in `options` * Use `mime-types` for file to content type mapping -- removed `send.mime` * deps: debug@3.1.0 - Add `DEBUG_HIDE_DATE` environment variable - Change timer to per-namespace instead of global - Change non-TTY date format - Remove `DEBUG_FD` environment variable support - Support 256 namespace colors 0.19.0 / 2024-09-10 =================== * Remove link renderization in html while redirecting 0.18.0 / 2022-03-23 =================== * Fix emitted 416 error missing headers property * Limit the headers removed for 304 response * deps: depd@2.0.0 - Replace internal `eval` usage with `Function` constructor - Use instance methods on `process` to check for listeners * deps: destroy@1.2.0 * deps: http-errors@2.0.0 - deps: depd@2.0.0 - deps: statuses@2.0.1 * deps: on-finished@2.4.1 * deps: statuses@2.0.1 0.17.2 / 2021-12-11 =================== * pref: ignore empty http tokens * deps: http-errors@1.8.1 - deps: inherits@2.0.4 - deps: toidentifier@1.0.1 - deps: setprototypeof@1.2.0 * deps: ms@2.1.3 0.17.1 / 2019-05-10 =================== * Set stricter CSP header in redirect & error responses * deps: range-parser@~1.2.1 0.17.0 / 2019-05-03 =================== * deps: http-errors@~1.7.2 - Set constructor name when possible - Use `toidentifier` module to make class names - deps: depd@~1.1.2 - deps: setprototypeof@1.1.1 - deps: statuses@'>= 1.5.0 < 2' * deps: mime@1.6.0 - Add extensions for JPEG-2000 images - Add new `font/*` types from IANA - Add WASM mapping - Update `.bdoc` to `application/bdoc` - Update `.bmp` to `image/bmp` - Update `.m4a` to `audio/mp4` - Update `.rtf` to `application/rtf` - Update `.wav` to `audio/wav` - Update `.xml` to `application/xml` - Update generic extensions to `application/octet-stream`: `.deb`, `.dll`, `.dmg`, `.exe`, `.iso`, `.msi` - Use mime-score module to resolve extension conflicts * deps: ms@2.1.1 - Add `week`/`w` support - Fix negative number handling * deps: statuses@~1.5.0 * perf: remove redundant `path.normalize` call 0.16.2 / 2018-02-07 =================== * Fix incorrect end tag in default error & redirects * deps: depd@~1.1.2 - perf: remove argument reassignment * deps: encodeurl@~1.0.2 - Fix encoding `%` as last character * deps: statuses@~1.4.0 0.16.1 / 2017-09-29 =================== * Fix regression in edge-case behavior for empty `path` 0.16.0 / 2017-09-27 =================== * Add `immutable` option * Fix missing `` in default error & redirects * Use instance methods on steam to check for listeners * deps: mime@1.4.1 - Add 70 new types for file extensions - Set charset as "UTF-8" for .js and .json * perf: improve path validation speed 0.15.6 / 2017-09-22 =================== * deps: debug@2.6.9 * perf: improve `If-Match` token parsing 0.15.5 / 2017-09-20 =================== * deps: etag@~1.8.1 - perf: replace regular expression with substring * deps: fresh@0.5.2 - Fix handling of modified headers with invalid dates - perf: improve ETag match loop - perf: improve `If-None-Match` token parsing 0.15.4 / 2017-08-05 =================== * deps: debug@2.6.8 * deps: depd@~1.1.1 - Remove unnecessary `Buffer` loading * deps: http-errors@~1.6.2 - deps: depd@1.1.1 0.15.3 / 2017-05-16 =================== * deps: debug@2.6.7 - deps: ms@2.0.0 * deps: ms@2.0.0 0.15.2 / 2017-04-26 =================== * deps: debug@2.6.4 - Fix `DEBUG_MAX_ARRAY_LENGTH` - deps: ms@0.7.3 * deps: ms@1.0.0 0.15.1 / 2017-03-04 =================== * Fix issue when `Date.parse` does not return `NaN` on invalid date * Fix strict violation in broken environments 0.15.0 / 2017-02-25 =================== * Support `If-Match` and `If-Unmodified-Since` headers * Add `res` and `path` arguments to `directory` event * Remove usage of `res._headers` private field - Improves compatibility with Node.js 8 nightly * Send complete HTML document in redirect & error responses * Set default CSP header in redirect & error responses * Use `res.getHeaderNames()` when available * Use `res.headersSent` when available * deps: debug@2.6.1 - Allow colors in workers - Deprecated `DEBUG_FD` environment variable set to `3` or higher - Fix error when running under React Native - Use same color for same namespace - deps: ms@0.7.2 * deps: etag@~1.8.0 * deps: fresh@0.5.0 - Fix false detection of `no-cache` request directive - Fix incorrect result when `If-None-Match` has both `*` and ETags - Fix weak `ETag` matching to match spec - perf: delay reading header values until needed - perf: enable strict mode - perf: hoist regular expressions - perf: remove duplicate conditional - perf: remove unnecessary boolean coercions - perf: skip checking modified time if ETag check failed - perf: skip parsing `If-None-Match` when no `ETag` header - perf: use `Date.parse` instead of `new Date` * deps: http-errors@~1.6.1 - Make `message` property enumerable for `HttpError`s - deps: setprototypeof@1.0.3 0.14.2 / 2017-01-23 =================== * deps: http-errors@~1.5.1 - deps: inherits@2.0.3 - deps: setprototypeof@1.0.2 - deps: statuses@'>= 1.3.1 < 2' * deps: ms@0.7.2 * deps: statuses@~1.3.1 0.14.1 / 2016-06-09 =================== * Fix redirect error when `path` contains raw non-URL characters * Fix redirect when `path` starts with multiple forward slashes 0.14.0 / 2016-06-06 =================== * Add `acceptRanges` option * Add `cacheControl` option * Attempt to combine multiple ranges into single range * Correctly inherit from `Stream` class * Fix `Content-Range` header in 416 responses when using `start`/`end` options * Fix `Content-Range` header missing from default 416 responses * Ignore non-byte `Range` headers * deps: http-errors@~1.5.0 - Add `HttpError` export, for `err instanceof createError.HttpError` - Support new code `421 Misdirected Request` - Use `setprototypeof` module to replace `__proto__` setting - deps: inherits@2.0.1 - deps: statuses@'>= 1.3.0 < 2' - perf: enable strict mode * deps: range-parser@~1.2.0 - Fix incorrectly returning -1 when there is at least one valid range - perf: remove internal function * deps: statuses@~1.3.0 - Add `421 Misdirected Request` - perf: enable strict mode * perf: remove argument reassignment 0.13.2 / 2016-03-05 =================== * Fix invalid `Content-Type` header when `send.mime.default_type` unset 0.13.1 / 2016-01-16 =================== * deps: depd@~1.1.0 - Support web browser loading - perf: enable strict mode * deps: destroy@~1.0.4 - perf: enable strict mode * deps: escape-html@~1.0.3 - perf: enable strict mode - perf: optimize string replacement - perf: use faster string coercion * deps: range-parser@~1.0.3 - perf: enable strict mode 0.13.0 / 2015-06-16 =================== * Allow Node.js HTTP server to set `Date` response header * Fix incorrectly removing `Content-Location` on 304 response * Improve the default redirect response headers * Send appropriate headers on default error response * Use `http-errors` for standard emitted errors * Use `statuses` instead of `http` module for status messages * deps: escape-html@1.0.2 * deps: etag@~1.7.0 - Improve stat performance by removing hashing * deps: fresh@0.3.0 - Add weak `ETag` matching support * deps: on-finished@~2.3.0 - Add defined behavior for HTTP `CONNECT` requests - Add defined behavior for HTTP `Upgrade` requests - deps: ee-first@1.1.1 * perf: enable strict mode * perf: remove unnecessary array allocations 0.12.3 / 2015-05-13 =================== * deps: debug@~2.2.0 - deps: ms@0.7.1 * deps: depd@~1.0.1 * deps: etag@~1.6.0 - Improve support for JXcore - Support "fake" stats objects in environments without `fs` * deps: ms@0.7.1 - Prevent extraordinarily long inputs * deps: on-finished@~2.2.1 0.12.2 / 2015-03-13 =================== * Throw errors early for invalid `extensions` or `index` options * deps: debug@~2.1.3 - Fix high intensity foreground color for bold - deps: ms@0.7.0 0.12.1 / 2015-02-17 =================== * Fix regression sending zero-length files 0.12.0 / 2015-02-16 =================== * Always read the stat size from the file * Fix mutating passed-in `options` * deps: mime@1.3.4 0.11.1 / 2015-01-20 =================== * Fix `root` path disclosure 0.11.0 / 2015-01-05 =================== * deps: debug@~2.1.1 * deps: etag@~1.5.1 - deps: crc@3.2.1 * deps: ms@0.7.0 - Add `milliseconds` - Add `msecs` - Add `secs` - Add `mins` - Add `hrs` - Add `yrs` * deps: on-finished@~2.2.0 0.10.1 / 2014-10-22 =================== * deps: on-finished@~2.1.1 - Fix handling of pipelined requests 0.10.0 / 2014-10-15 =================== * deps: debug@~2.1.0 - Implement `DEBUG_FD` env variable support * deps: depd@~1.0.0 * deps: etag@~1.5.0 - Improve string performance - Slightly improve speed for weak ETags over 1KB 0.9.3 / 2014-09-24 ================== * deps: etag@~1.4.0 - Support "fake" stats objects 0.9.2 / 2014-09-15 ================== * deps: depd@0.4.5 * deps: etag@~1.3.1 * deps: range-parser@~1.0.2 0.9.1 / 2014-09-07 ================== * deps: fresh@0.2.4 0.9.0 / 2014-09-07 ================== * Add `lastModified` option * Use `etag` to generate `ETag` header * deps: debug@~2.0.0 0.8.5 / 2014-09-04 ================== * Fix malicious path detection for empty string path 0.8.4 / 2014-09-04 ================== * Fix a path traversal issue when using `root` 0.8.3 / 2014-08-16 ================== * deps: destroy@1.0.3 - renamed from dethroy * deps: on-finished@2.1.0 0.8.2 / 2014-08-14 ================== * Work around `fd` leak in Node.js 0.10 for `fs.ReadStream` * deps: dethroy@1.0.2 0.8.1 / 2014-08-05 ================== * Fix `extensions` behavior when file already has extension 0.8.0 / 2014-08-05 ================== * Add `extensions` option 0.7.4 / 2014-08-04 ================== * Fix serving index files without root dir 0.7.3 / 2014-07-29 ================== * Fix incorrect 403 on Windows and Node.js 0.11 0.7.2 / 2014-07-27 ================== * deps: depd@0.4.4 - Work-around v8 generating empty stack traces 0.7.1 / 2014-07-26 ================== * deps: depd@0.4.3 - Fix exception when global `Error.stackTraceLimit` is too low 0.7.0 / 2014-07-20 ================== * Deprecate `hidden` option; use `dotfiles` option * Add `dotfiles` option * deps: debug@1.0.4 * deps: depd@0.4.2 - Add `TRACE_DEPRECATION` environment variable - Remove non-standard grey color from color output - Support `--no-deprecation` argument - Support `--trace-deprecation` argument 0.6.0 / 2014-07-11 ================== * Deprecate `from` option; use `root` option * Deprecate `send.etag()` -- use `etag` in `options` * Deprecate `send.hidden()` -- use `hidden` in `options` * Deprecate `send.index()` -- use `index` in `options` * Deprecate `send.maxage()` -- use `maxAge` in `options` * Deprecate `send.root()` -- use `root` in `options` * Cap `maxAge` value to 1 year * deps: debug@1.0.3 - Add support for multiple wildcards in namespaces 0.5.0 / 2014-06-28 ================== * Accept string for `maxAge` (converted by `ms`) * Add `headers` event * Include link in default redirect response * Use `EventEmitter.listenerCount` to count listeners 0.4.3 / 2014-06-11 ================== * Do not throw un-catchable error on file open race condition * Use `escape-html` for HTML escaping * deps: debug@1.0.2 - fix some debugging output colors on node.js 0.8 * deps: finished@1.2.2 * deps: fresh@0.2.2 0.4.2 / 2014-06-09 ================== * fix "event emitter leak" warnings * deps: debug@1.0.1 * deps: finished@1.2.1 0.4.1 / 2014-06-02 ================== * Send `max-age` in `Cache-Control` in correct format 0.4.0 / 2014-05-27 ================== * Calculate ETag with md5 for reduced collisions * Fix wrong behavior when index file matches directory * Ignore stream errors after request ends - Goodbye `EBADF, read` * Skip directories in index file search * deps: debug@0.8.1 0.3.0 / 2014-04-24 ================== * Fix sending files with dots without root set * Coerce option types * Accept API options in options object * Set etags to "weak" * Include file path in etag * Make "Can't set headers after they are sent." catchable * Send full entity-body for multi range requests * Default directory access to 403 when index disabled * Support multiple index paths * Support "If-Range" header * Control whether to generate etags * deps: mime@1.2.11 0.2.0 / 2014-01-29 ================== * update range-parser and fresh 0.1.4 / 2013-08-11 ================== * update fresh 0.1.3 / 2013-07-08 ================== * Revert "Fix fd leak" 0.1.2 / 2013-07-03 ================== * Fix fd leak 0.1.0 / 2012-08-25 ================== * add options parameter to send() that is passed to fs.createReadStream() [kanongil] 0.0.4 / 2012-08-16 ================== * allow custom "Accept-Ranges" definition 0.0.3 / 2012-07-16 ================== * fix normalization of the root directory. Closes #3 0.0.2 / 2012-07-09 ================== * add passing of req explicitly for now (YUCK) 0.0.1 / 2010-01-03 ================== * Initial release send-1.2.0/LICENSE000066400000000000000000000021501477112557400134630ustar00rootroot00000000000000(The MIT License) Copyright (c) 2012 TJ Holowaychuk Copyright (c) 2014-2022 Douglas Christopher Wilson Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. send-1.2.0/README.md000066400000000000000000000215461477112557400137470ustar00rootroot00000000000000# send [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] [![CI][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] Send is a library for streaming files from the file system as a http response supporting partial responses (Ranges), conditional-GET negotiation (If-Match, If-Unmodified-Since, If-None-Match, If-Modified-Since), high test coverage, and granular events which may be leveraged to take appropriate actions in your application or framework. Looking to serve up entire folders mapped to URLs? Try [serve-static](https://www.npmjs.org/package/serve-static). ## Installation This is a [Node.js](https://nodejs.org/en/) module available through the [npm registry](https://www.npmjs.com/). Installation is done using the [`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally): ```bash $ npm install send ``` ## API ```js var send = require('send') ``` ### send(req, path, [options]) Create a new `SendStream` for the given path to send to a `res`. The `req` is the Node.js HTTP request and the `path` is a urlencoded path to send (urlencoded, not the actual file-system path). #### Options ##### acceptRanges Enable or disable accepting ranged requests, defaults to true. Disabling this will not send `Accept-Ranges` and ignore the contents of the `Range` request header. ##### cacheControl Enable or disable setting `Cache-Control` response header, defaults to true. Disabling this will ignore the `immutable` and `maxAge` options. ##### dotfiles Set how "dotfiles" are treated when encountered. A dotfile is a file or directory that begins with a dot ("."). Note this check is done on the path itself without checking if the path actually exists on the disk. If `root` is specified, only the dotfiles above the root are checked (i.e. the root itself can be within a dotfile when set to "deny"). - `'allow'` No special treatment for dotfiles. - `'deny'` Send a 403 for any request for a dotfile. - `'ignore'` Pretend like the dotfile does not exist and 404. The default value is _similar_ to `'ignore'`, with the exception that this default will not ignore the files within a directory that begins with a dot, for backward-compatibility. ##### end Byte offset at which the stream ends, defaults to the length of the file minus 1. The end is inclusive in the stream, meaning `end: 3` will include the 4th byte in the stream. ##### etag Enable or disable etag generation, defaults to true. ##### extensions If a given file doesn't exist, try appending one of the given extensions, in the given order. By default, this is disabled (set to `false`). An example value that will serve extension-less HTML files: `['html', 'htm']`. This is skipped if the requested file already has an extension. ##### immutable Enable or disable the `immutable` directive in the `Cache-Control` response header, defaults to `false`. If set to `true`, the `maxAge` option should also be specified to enable caching. The `immutable` directive will prevent supported clients from making conditional requests during the life of the `maxAge` option to check if the file has changed. ##### index By default send supports "index.html" files, to disable this set `false` or to supply a new index pass a string or an array in preferred order. ##### lastModified Enable or disable `Last-Modified` header, defaults to true. Uses the file system's last modified value. ##### maxAge Provide a max-age in milliseconds for http caching, defaults to 0. This can also be a string accepted by the [ms](https://www.npmjs.org/package/ms#readme) module. ##### root Serve files relative to `path`. ##### start Byte offset at which the stream starts, defaults to 0. The start is inclusive, meaning `start: 2` will include the 3rd byte in the stream. #### Events The `SendStream` is an event emitter and will emit the following events: - `error` an error occurred `(err)` - `directory` a directory was requested `(res, path)` - `file` a file was requested `(path, stat)` - `headers` the headers are about to be set on a file `(res, path, stat)` - `stream` file streaming has started `(stream)` - `end` streaming has completed #### .pipe The `pipe` method is used to pipe the response into the Node.js HTTP response object, typically `send(req, path, options).pipe(res)`. ## Error-handling By default when no `error` listeners are present an automatic response will be made, otherwise you have full control over the response, aka you may show a 5xx page etc. ## Caching It does _not_ perform internal caching, you should use a reverse proxy cache such as Varnish for this, or those fancy things called CDNs. If your application is small enough that it would benefit from single-node memory caching, it's small enough that it does not need caching at all ;). ## Debugging To enable `debug()` instrumentation output export __DEBUG__: ``` $ DEBUG=send node app ``` ## Running tests ``` $ npm install $ npm test ``` ## Examples ### Serve a specific file This simple example will send a specific file to all requests. ```js var http = require('http') var send = require('send') var server = http.createServer(function onRequest (req, res) { send(req, '/path/to/index.html') .pipe(res) }) server.listen(3000) ``` ### Serve all files from a directory This simple example will just serve up all the files in a given directory as the top-level. For example, a request `GET /foo.txt` will send back `/www/public/foo.txt`. ```js var http = require('http') var parseUrl = require('parseurl') var send = require('send') var server = http.createServer(function onRequest (req, res) { send(req, parseUrl(req).pathname, { root: '/www/public' }) .pipe(res) }) server.listen(3000) ``` ### Custom file types ```js var extname = require('path').extname var http = require('http') var parseUrl = require('parseurl') var send = require('send') var server = http.createServer(function onRequest (req, res) { send(req, parseUrl(req).pathname, { root: '/www/public' }) .on('headers', function (res, path) { switch (extname(path)) { case '.x-mt': case '.x-mtt': // custom type for these extensions res.setHeader('Content-Type', 'application/x-my-type') break } }) .pipe(res) }) server.listen(3000) ``` ### Custom directory index view This is an example of serving up a structure of directories with a custom function to render a listing of a directory. ```js var http = require('http') var fs = require('fs') var parseUrl = require('parseurl') var send = require('send') // Transfer arbitrary files from within /www/example.com/public/* // with a custom handler for directory listing var server = http.createServer(function onRequest (req, res) { send(req, parseUrl(req).pathname, { index: false, root: '/www/public' }) .once('directory', directory) .pipe(res) }) server.listen(3000) // Custom directory handler function directory (res, path) { var stream = this // redirect to trailing slash for consistent url if (!stream.hasTrailingSlash()) { return stream.redirect(path) } // get directory list fs.readdir(path, function onReaddir (err, list) { if (err) return stream.error(err) // render an index for the directory res.setHeader('Content-Type', 'text/plain; charset=UTF-8') res.end(list.join('\n') + '\n') }) } ``` ### Serving from a root directory with custom error-handling ```js var http = require('http') var parseUrl = require('parseurl') var send = require('send') var server = http.createServer(function onRequest (req, res) { // your custom error-handling logic: function error (err) { res.statusCode = err.status || 500 res.end(err.message) } // your custom headers function headers (res, path, stat) { // serve all files for download res.setHeader('Content-Disposition', 'attachment') } // your custom directory handling logic: function redirect () { res.statusCode = 301 res.setHeader('Location', req.url + '/') res.end('Redirecting to ' + req.url + '/') } // transfer arbitrary files from within // /www/example.com/public/* send(req, parseUrl(req).pathname, { root: '/www/public' }) .on('error', error) .on('directory', redirect) .on('headers', headers) .pipe(res) }) server.listen(3000) ``` ## License [MIT](LICENSE) [coveralls-image]: https://badgen.net/coveralls/c/github/pillarjs/send/master [coveralls-url]: https://coveralls.io/r/pillarjs/send?branch=master [github-actions-ci-image]: https://badgen.net/github/checks/pillarjs/send/master?label=linux [github-actions-ci-url]: https://github.com/pillarjs/send/actions/workflows/ci.yml [node-image]: https://badgen.net/npm/node/send [node-url]: https://nodejs.org/en/download/ [npm-downloads-image]: https://badgen.net/npm/dm/send [npm-url]: https://npmjs.org/package/send [npm-version-image]: https://badgen.net/npm/v/send send-1.2.0/index.js000066400000000000000000000475651477112557400141460ustar00rootroot00000000000000/*! * send * Copyright(c) 2012 TJ Holowaychuk * Copyright(c) 2014-2022 Douglas Christopher Wilson * MIT Licensed */ 'use strict' /** * Module dependencies. * @private */ var createError = require('http-errors') var debug = require('debug')('send') var encodeUrl = require('encodeurl') var escapeHtml = require('escape-html') var etag = require('etag') var fresh = require('fresh') var fs = require('fs') var mime = require('mime-types') var ms = require('ms') var onFinished = require('on-finished') var parseRange = require('range-parser') var path = require('path') var statuses = require('statuses') var Stream = require('stream') var util = require('util') /** * Path function references. * @private */ var extname = path.extname var join = path.join var normalize = path.normalize var resolve = path.resolve var sep = path.sep /** * Regular expression for identifying a bytes Range header. * @private */ var BYTES_RANGE_REGEXP = /^ *bytes=/ /** * Maximum value allowed for the max age. * @private */ var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1000 // 1 year /** * Regular expression to match a path with a directory up component. * @private */ var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/ /** * Module exports. * @public */ module.exports = send /** * Return a `SendStream` for `req` and `path`. * * @param {object} req * @param {string} path * @param {object} [options] * @return {SendStream} * @public */ function send (req, path, options) { return new SendStream(req, path, options) } /** * Initialize a `SendStream` with the given `path`. * * @param {Request} req * @param {String} path * @param {object} [options] * @private */ function SendStream (req, path, options) { Stream.call(this) var opts = options || {} this.options = opts this.path = path this.req = req this._acceptRanges = opts.acceptRanges !== undefined ? Boolean(opts.acceptRanges) : true this._cacheControl = opts.cacheControl !== undefined ? Boolean(opts.cacheControl) : true this._etag = opts.etag !== undefined ? Boolean(opts.etag) : true this._dotfiles = opts.dotfiles !== undefined ? opts.dotfiles : 'ignore' if (this._dotfiles !== 'ignore' && this._dotfiles !== 'allow' && this._dotfiles !== 'deny') { throw new TypeError('dotfiles option must be "allow", "deny", or "ignore"') } this._extensions = opts.extensions !== undefined ? normalizeList(opts.extensions, 'extensions option') : [] this._immutable = opts.immutable !== undefined ? Boolean(opts.immutable) : false this._index = opts.index !== undefined ? normalizeList(opts.index, 'index option') : ['index.html'] this._lastModified = opts.lastModified !== undefined ? Boolean(opts.lastModified) : true this._maxage = opts.maxAge || opts.maxage this._maxage = typeof this._maxage === 'string' ? ms(this._maxage) : Number(this._maxage) this._maxage = !isNaN(this._maxage) ? Math.min(Math.max(0, this._maxage), MAX_MAXAGE) : 0 this._root = opts.root ? resolve(opts.root) : null } /** * Inherits from `Stream`. */ util.inherits(SendStream, Stream) /** * Emit error with `status`. * * @param {number} status * @param {Error} [err] * @private */ SendStream.prototype.error = function error (status, err) { // emit if listeners instead of responding if (hasListeners(this, 'error')) { return this.emit('error', createHttpError(status, err)) } var res = this.res var msg = statuses.message[status] || String(status) var doc = createHtmlDocument('Error', escapeHtml(msg)) // clear existing headers clearHeaders(res) // add error headers if (err && err.headers) { setHeaders(res, err.headers) } // send basic response res.statusCode = status res.setHeader('Content-Type', 'text/html; charset=UTF-8') res.setHeader('Content-Length', Buffer.byteLength(doc)) res.setHeader('Content-Security-Policy', "default-src 'none'") res.setHeader('X-Content-Type-Options', 'nosniff') res.end(doc) } /** * Check if the pathname ends with "/". * * @return {boolean} * @private */ SendStream.prototype.hasTrailingSlash = function hasTrailingSlash () { return this.path[this.path.length - 1] === '/' } /** * Check if this is a conditional GET request. * * @return {Boolean} * @api private */ SendStream.prototype.isConditionalGET = function isConditionalGET () { return this.req.headers['if-match'] || this.req.headers['if-unmodified-since'] || this.req.headers['if-none-match'] || this.req.headers['if-modified-since'] } /** * Check if the request preconditions failed. * * @return {boolean} * @private */ SendStream.prototype.isPreconditionFailure = function isPreconditionFailure () { var req = this.req var res = this.res // if-match var match = req.headers['if-match'] if (match) { var etag = res.getHeader('ETag') return !etag || (match !== '*' && parseTokenList(match).every(function (match) { return match !== etag && match !== 'W/' + etag && 'W/' + match !== etag })) } // if-unmodified-since var unmodifiedSince = parseHttpDate(req.headers['if-unmodified-since']) if (!isNaN(unmodifiedSince)) { var lastModified = parseHttpDate(res.getHeader('Last-Modified')) return isNaN(lastModified) || lastModified > unmodifiedSince } return false } /** * Strip various content header fields for a change in entity. * * @private */ SendStream.prototype.removeContentHeaderFields = function removeContentHeaderFields () { var res = this.res res.removeHeader('Content-Encoding') res.removeHeader('Content-Language') res.removeHeader('Content-Length') res.removeHeader('Content-Range') res.removeHeader('Content-Type') } /** * Respond with 304 not modified. * * @api private */ SendStream.prototype.notModified = function notModified () { var res = this.res debug('not modified') this.removeContentHeaderFields() res.statusCode = 304 res.end() } /** * Raise error that headers already sent. * * @api private */ SendStream.prototype.headersAlreadySent = function headersAlreadySent () { var err = new Error('Can\'t set headers after they are sent.') debug('headers already sent') this.error(500, err) } /** * Check if the request is cacheable, aka * responded with 2xx or 304 (see RFC 2616 section 14.2{5,6}). * * @return {Boolean} * @api private */ SendStream.prototype.isCachable = function isCachable () { var statusCode = this.res.statusCode return (statusCode >= 200 && statusCode < 300) || statusCode === 304 } /** * Handle stat() error. * * @param {Error} error * @private */ SendStream.prototype.onStatError = function onStatError (error) { switch (error.code) { case 'ENAMETOOLONG': case 'ENOENT': case 'ENOTDIR': this.error(404, error) break default: this.error(500, error) break } } /** * Check if the cache is fresh. * * @return {Boolean} * @api private */ SendStream.prototype.isFresh = function isFresh () { return fresh(this.req.headers, { etag: this.res.getHeader('ETag'), 'last-modified': this.res.getHeader('Last-Modified') }) } /** * Check if the range is fresh. * * @return {Boolean} * @api private */ SendStream.prototype.isRangeFresh = function isRangeFresh () { var ifRange = this.req.headers['if-range'] if (!ifRange) { return true } // if-range as etag if (ifRange.indexOf('"') !== -1) { var etag = this.res.getHeader('ETag') return Boolean(etag && ifRange.indexOf(etag) !== -1) } // if-range as modified date var lastModified = this.res.getHeader('Last-Modified') return parseHttpDate(lastModified) <= parseHttpDate(ifRange) } /** * Redirect to path. * * @param {string} path * @private */ SendStream.prototype.redirect = function redirect (path) { var res = this.res if (hasListeners(this, 'directory')) { this.emit('directory', res, path) return } if (this.hasTrailingSlash()) { this.error(403) return } var loc = encodeUrl(collapseLeadingSlashes(this.path + '/')) var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc)) // redirect res.statusCode = 301 res.setHeader('Content-Type', 'text/html; charset=UTF-8') res.setHeader('Content-Length', Buffer.byteLength(doc)) res.setHeader('Content-Security-Policy', "default-src 'none'") res.setHeader('X-Content-Type-Options', 'nosniff') res.setHeader('Location', loc) res.end(doc) } /** * Pipe to `res. * * @param {Stream} res * @return {Stream} res * @api public */ SendStream.prototype.pipe = function pipe (res) { // root path var root = this._root // references this.res = res // decode the path var path = decode(this.path) if (path === -1) { this.error(400) return res } // null byte(s) if (~path.indexOf('\0')) { this.error(400) return res } var parts if (root !== null) { // normalize if (path) { path = normalize('.' + sep + path) } // malicious path if (UP_PATH_REGEXP.test(path)) { debug('malicious path "%s"', path) this.error(403) return res } // explode path parts parts = path.split(sep) // join / normalize from optional root dir path = normalize(join(root, path)) } else { // ".." is malicious without "root" if (UP_PATH_REGEXP.test(path)) { debug('malicious path "%s"', path) this.error(403) return res } // explode path parts parts = normalize(path).split(sep) // resolve the path path = resolve(path) } // dotfile handling if (containsDotFile(parts)) { debug('%s dotfile "%s"', this._dotfiles, path) switch (this._dotfiles) { case 'allow': break case 'deny': this.error(403) return res case 'ignore': default: this.error(404) return res } } // index file support if (this._index.length && this.hasTrailingSlash()) { this.sendIndex(path) return res } this.sendFile(path) return res } /** * Transfer `path`. * * @param {String} path * @api public */ SendStream.prototype.send = function send (path, stat) { var len = stat.size var options = this.options var opts = {} var res = this.res var req = this.req var ranges = req.headers.range var offset = options.start || 0 if (res.headersSent) { // impossible to send now this.headersAlreadySent() return } debug('pipe "%s"', path) // set header fields this.setHeader(path, stat) // set content-type this.type(path) // conditional GET support if (this.isConditionalGET()) { if (this.isPreconditionFailure()) { this.error(412) return } if (this.isCachable() && this.isFresh()) { this.notModified() return } } // adjust len to start/end options len = Math.max(0, len - offset) if (options.end !== undefined) { var bytes = options.end - offset + 1 if (len > bytes) len = bytes } // Range support if (this._acceptRanges && BYTES_RANGE_REGEXP.test(ranges)) { // parse ranges = parseRange(len, ranges, { combine: true }) // If-Range support if (!this.isRangeFresh()) { debug('range stale') ranges = -2 } // unsatisfiable if (ranges === -1) { debug('range unsatisfiable') // Content-Range res.setHeader('Content-Range', contentRange('bytes', len)) // 416 Requested Range Not Satisfiable return this.error(416, { headers: { 'Content-Range': res.getHeader('Content-Range') } }) } // valid (syntactically invalid/multiple ranges are treated as a regular response) if (ranges !== -2 && ranges.length === 1) { debug('range %j', ranges) // Content-Range res.statusCode = 206 res.setHeader('Content-Range', contentRange('bytes', len, ranges[0])) // adjust for requested range offset += ranges[0].start len = ranges[0].end - ranges[0].start + 1 } } // clone options for (var prop in options) { opts[prop] = options[prop] } // set read options opts.start = offset opts.end = Math.max(offset, offset + len - 1) // content-length res.setHeader('Content-Length', len) // HEAD support if (req.method === 'HEAD') { res.end() return } this.stream(path, opts) } /** * Transfer file for `path`. * * @param {String} path * @api private */ SendStream.prototype.sendFile = function sendFile (path) { var i = 0 var self = this debug('stat "%s"', path) fs.stat(path, function onstat (err, stat) { var pathEndsWithSep = path[path.length - 1] === sep if (err && err.code === 'ENOENT' && !extname(path) && !pathEndsWithSep) { // not found, check extensions return next(err) } if (err) return self.onStatError(err) if (stat.isDirectory()) return self.redirect(path) if (pathEndsWithSep) return self.error(404) self.emit('file', path, stat) self.send(path, stat) }) function next (err) { if (self._extensions.length <= i) { return err ? self.onStatError(err) : self.error(404) } var p = path + '.' + self._extensions[i++] debug('stat "%s"', p) fs.stat(p, function (err, stat) { if (err) return next(err) if (stat.isDirectory()) return next() self.emit('file', p, stat) self.send(p, stat) }) } } /** * Transfer index for `path`. * * @param {String} path * @api private */ SendStream.prototype.sendIndex = function sendIndex (path) { var i = -1 var self = this function next (err) { if (++i >= self._index.length) { if (err) return self.onStatError(err) return self.error(404) } var p = join(path, self._index[i]) debug('stat "%s"', p) fs.stat(p, function (err, stat) { if (err) return next(err) if (stat.isDirectory()) return next() self.emit('file', p, stat) self.send(p, stat) }) } next() } /** * Stream `path` to the response. * * @param {String} path * @param {Object} options * @api private */ SendStream.prototype.stream = function stream (path, options) { var self = this var res = this.res // pipe var stream = fs.createReadStream(path, options) this.emit('stream', stream) stream.pipe(res) // cleanup function cleanup () { stream.destroy() } // response finished, cleanup onFinished(res, cleanup) // error handling stream.on('error', function onerror (err) { // clean up stream early cleanup() // error self.onStatError(err) }) // end stream.on('end', function onend () { self.emit('end') }) } /** * Set content-type based on `path` * if it hasn't been explicitly set. * * @param {String} path * @api private */ SendStream.prototype.type = function type (path) { var res = this.res if (res.getHeader('Content-Type')) return var ext = extname(path) var type = mime.contentType(ext) || 'application/octet-stream' debug('content-type %s', type) res.setHeader('Content-Type', type) } /** * Set response header fields, most * fields may be pre-defined. * * @param {String} path * @param {Object} stat * @api private */ SendStream.prototype.setHeader = function setHeader (path, stat) { var res = this.res this.emit('headers', res, path, stat) if (this._acceptRanges && !res.getHeader('Accept-Ranges')) { debug('accept ranges') res.setHeader('Accept-Ranges', 'bytes') } if (this._cacheControl && !res.getHeader('Cache-Control')) { var cacheControl = 'public, max-age=' + Math.floor(this._maxage / 1000) if (this._immutable) { cacheControl += ', immutable' } debug('cache-control %s', cacheControl) res.setHeader('Cache-Control', cacheControl) } if (this._lastModified && !res.getHeader('Last-Modified')) { var modified = stat.mtime.toUTCString() debug('modified %s', modified) res.setHeader('Last-Modified', modified) } if (this._etag && !res.getHeader('ETag')) { var val = etag(stat) debug('etag %s', val) res.setHeader('ETag', val) } } /** * Clear all headers from a response. * * @param {object} res * @private */ function clearHeaders (res) { for (const header of res.getHeaderNames()) { res.removeHeader(header) } } /** * Collapse all leading slashes into a single slash * * @param {string} str * @private */ function collapseLeadingSlashes (str) { for (var i = 0; i < str.length; i++) { if (str[i] !== '/') { break } } return i > 1 ? '/' + str.substr(i) : str } /** * Determine if path parts contain a dotfile. * * @api private */ function containsDotFile (parts) { for (var i = 0; i < parts.length; i++) { var part = parts[i] if (part.length > 1 && part[0] === '.') { return true } } return false } /** * Create a Content-Range header. * * @param {string} type * @param {number} size * @param {array} [range] */ function contentRange (type, size, range) { return type + ' ' + (range ? range.start + '-' + range.end : '*') + '/' + size } /** * Create a minimal HTML document. * * @param {string} title * @param {string} body * @private */ function createHtmlDocument (title, body) { return '\n' + '\n' + '\n' + '\n' + '' + title + '\n' + '\n' + '\n' + '
' + body + '
\n' + '\n' + '\n' } /** * Create a HttpError object from simple arguments. * * @param {number} status * @param {Error|object} err * @private */ function createHttpError (status, err) { if (!err) { return createError(status) } return err instanceof Error ? createError(status, err, { expose: false }) : createError(status, err) } /** * decodeURIComponent. * * Allows V8 to only deoptimize this fn instead of all * of send(). * * @param {String} path * @api private */ function decode (path) { try { return decodeURIComponent(path) } catch (err) { return -1 } } /** * Determine if emitter has listeners of a given type. * * The way to do this check is done three different ways in Node.js >= 0.10 * so this consolidates them into a minimal set using instance methods. * * @param {EventEmitter} emitter * @param {string} type * @returns {boolean} * @private */ function hasListeners (emitter, type) { var count = typeof emitter.listenerCount !== 'function' ? emitter.listeners(type).length : emitter.listenerCount(type) return count > 0 } /** * Normalize the index option into an array. * * @param {boolean|string|array} val * @param {string} name * @private */ function normalizeList (val, name) { var list = [].concat(val || []) for (var i = 0; i < list.length; i++) { if (typeof list[i] !== 'string') { throw new TypeError(name + ' must be array of strings or false') } } return list } /** * Parse an HTTP Date into a number. * * @param {string} date * @private */ function parseHttpDate (date) { var timestamp = date && Date.parse(date) return typeof timestamp === 'number' ? timestamp : NaN } /** * Parse a HTTP token list. * * @param {string} str * @private */ function parseTokenList (str) { var end = 0 var list = [] var start = 0 // gather tokens for (var i = 0, len = str.length; i < len; i++) { switch (str.charCodeAt(i)) { case 0x20: /* */ if (start === end) { start = end = i + 1 } break case 0x2c: /* , */ if (start !== end) { list.push(str.substring(start, end)) } start = end = i + 1 break default: end = i + 1 break } } // final token if (start !== end) { list.push(str.substring(start, end)) } return list } /** * Set an object of headers on a response. * * @param {object} res * @param {object} headers * @private */ function setHeaders (res, headers) { var keys = Object.keys(headers) for (var i = 0; i < keys.length; i++) { var key = keys[i] res.setHeader(key, headers[key]) } } send-1.2.0/package.json000066400000000000000000000030651477112557400147520ustar00rootroot00000000000000{ "name": "send", "description": "Better streaming static file server with Range and conditional-GET support", "version": "1.2.0", "author": "TJ Holowaychuk ", "contributors": [ "Douglas Christopher Wilson ", "James Wyatt Cready ", "Jesús Leganés Combarro " ], "license": "MIT", "repository": "pillarjs/send", "keywords": [ "static", "file", "server" ], "dependencies": { "debug": "^4.3.5", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.0", "mime-types": "^3.0.1", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.1" }, "devDependencies": { "after": "^0.8.2", "eslint": "7.32.0", "eslint-config-standard": "14.1.1", "eslint-plugin-import": "2.25.4", "eslint-plugin-markdown": "2.2.1", "eslint-plugin-node": "11.1.0", "eslint-plugin-promise": "5.2.0", "eslint-plugin-standard": "4.1.0", "mocha": "^10.7.0", "nyc": "^17.0.0", "supertest": "6.2.2" }, "files": [ "HISTORY.md", "LICENSE", "README.md", "index.js" ], "engines": { "node": ">= 18" }, "scripts": { "lint": "eslint .", "test": "mocha --check-leaks --reporter spec", "test-ci": "nyc --reporter=lcovonly --reporter=text npm test", "test-cov": "nyc --reporter=html --reporter=text npm test", "version": "node scripts/version-history.js && git add HISTORY.md" } } send-1.2.0/scripts/000077500000000000000000000000001477112557400141475ustar00rootroot00000000000000send-1.2.0/scripts/version-history.js000066400000000000000000000027771477112557400177060ustar00rootroot00000000000000'use strict' var fs = require('fs') var path = require('path') var HISTORY_FILE_PATH = path.join(__dirname, '..', 'HISTORY.md') var MD_HEADER_REGEXP = /^====*$/ var VERSION = process.env.npm_package_version var VERSION_PLACEHOLDER_REGEXP = /^(?:unreleased|(\d+\.)+x)$/ var historyFileLines = fs.readFileSync(HISTORY_FILE_PATH, 'utf-8').split('\n') if (!MD_HEADER_REGEXP.test(historyFileLines[1])) { console.error('Missing header in HISTORY.md') process.exit(1) } if (!VERSION_PLACEHOLDER_REGEXP.test(historyFileLines[0])) { console.error('Missing placeholder version in HISTORY.md') process.exit(1) } if (historyFileLines[0].indexOf('x') !== -1) { var versionCheckRegExp = new RegExp('^' + historyFileLines[0].replace('x', '.+') + '$') if (!versionCheckRegExp.test(VERSION)) { console.error('Version %s does not match placeholder %s', VERSION, historyFileLines[0]) process.exit(1) } } historyFileLines[0] = VERSION + ' / ' + getLocaleDate() historyFileLines[1] = repeat('=', historyFileLines[0].length) fs.writeFileSync(HISTORY_FILE_PATH, historyFileLines.join('\n')) function getLocaleDate () { var now = new Date() return zeroPad(now.getFullYear(), 4) + '-' + zeroPad(now.getMonth() + 1, 2) + '-' + zeroPad(now.getDate(), 2) } function repeat (str, length) { var out = '' for (var i = 0; i < length; i++) { out += str } return out } function zeroPad (number, length) { var num = number.toString() while (num.length < length) { num = '0' + num } return num } send-1.2.0/test/000077500000000000000000000000001477112557400134375ustar00rootroot00000000000000send-1.2.0/test/.eslintrc.yml000066400000000000000000000000231477112557400160560ustar00rootroot00000000000000env: mocha: true send-1.2.0/test/fixtures/000077500000000000000000000000001477112557400153105ustar00rootroot00000000000000send-1.2.0/test/fixtures/.hidden.txt000066400000000000000000000000061477112557400173560ustar00rootroot00000000000000secretsend-1.2.0/test/fixtures/.mine/000077500000000000000000000000001477112557400163165ustar00rootroot00000000000000send-1.2.0/test/fixtures/.mine/.hidden000066400000000000000000000000071477112557400175470ustar00rootroot00000000000000secret send-1.2.0/test/fixtures/.mine/name.txt000066400000000000000000000000041477112557400177710ustar00rootroot00000000000000tobisend-1.2.0/test/fixtures/do..ts.txt000066400000000000000000000000031477112557400171470ustar00rootroot00000000000000...send-1.2.0/test/fixtures/empty.txt000066400000000000000000000000001477112557400171750ustar00rootroot00000000000000send-1.2.0/test/fixtures/name.d/000077500000000000000000000000001477112557400164525ustar00rootroot00000000000000send-1.2.0/test/fixtures/name.d/name.txt000066400000000000000000000000041477112557400201250ustar00rootroot00000000000000lokisend-1.2.0/test/fixtures/name.dir/000077500000000000000000000000001477112557400170055ustar00rootroot00000000000000send-1.2.0/test/fixtures/name.dir/name.txt000066400000000000000000000000041477112557400204600ustar00rootroot00000000000000tobisend-1.2.0/test/fixtures/name.html000066400000000000000000000000131477112557400171100ustar00rootroot00000000000000

tobi

send-1.2.0/test/fixtures/name.txt000066400000000000000000000000041477112557400167630ustar00rootroot00000000000000tobisend-1.2.0/test/fixtures/no_ext000066400000000000000000000000061477112557400165230ustar00rootroot00000000000000foobarsend-1.2.0/test/fixtures/nums.txt000066400000000000000000000000111477112557400170230ustar00rootroot00000000000000123456789send-1.2.0/test/fixtures/pets/000077500000000000000000000000001477112557400162635ustar00rootroot00000000000000send-1.2.0/test/fixtures/pets/.hidden000066400000000000000000000000071477112557400175140ustar00rootroot00000000000000secret send-1.2.0/test/fixtures/pets/index.html000066400000000000000000000000161477112557400202550ustar00rootroot00000000000000tobi loki janesend-1.2.0/test/fixtures/snow ☃/000077500000000000000000000000001477112557400173335ustar00rootroot00000000000000send-1.2.0/test/fixtures/snow ☃/index.html000066400000000000000000000000001477112557400213160ustar00rootroot00000000000000send-1.2.0/test/fixtures/some thing.txt000066400000000000000000000000031477112557400200770ustar00rootroot00000000000000heysend-1.2.0/test/fixtures/thing.html.html000066400000000000000000000000141477112557400202450ustar00rootroot00000000000000

trap!

send-1.2.0/test/fixtures/tobi.html000066400000000000000000000000131477112557400171250ustar00rootroot00000000000000

tobi

send-1.2.0/test/send.js000066400000000000000000001200121477112557400147220ustar00rootroot00000000000000 process.env.NO_DEPRECATION = 'send' var after = require('after') var assert = require('assert') var fs = require('fs') var http = require('http') var path = require('path') var request = require('supertest') var send = require('..') // test server var dateRegExp = /^\w{3}, \d+ \w+ \d+ \d+:\d+:\d+ \w+$/ var fixtures = path.join(__dirname, 'fixtures') var app = http.createServer(function (req, res) { function error (err) { res.statusCode = err.status res.end(http.STATUS_CODES[err.status]) } send(req, req.url, { root: fixtures }) .on('error', error) .pipe(res) }) describe('send(file).pipe(res)', function () { it('should stream the file contents', function (done) { request(app) .get('/name.txt') .expect('Content-Length', '4') .expect(200, 'tobi', done) }) it('should stream a zero-length file', function (done) { request(app) .get('/empty.txt') .expect('Content-Length', '0') .expect(200, '', done) }) it('should decode the given path as a URI', function (done) { request(app) .get('/some%20thing.txt') .expect(200, 'hey', done) }) it('should serve files with dots in name', function (done) { request(app) .get('/do..ts.txt') .expect(200, '...', done) }) it('should treat a malformed URI as a bad request', function (done) { request(app) .get('/some%99thing.txt') .expect(400, 'Bad Request', done) }) it('should 400 on NULL bytes', function (done) { request(app) .get('/some%00thing.txt') .expect(400, 'Bad Request', done) }) it('should treat an ENAMETOOLONG as a 404', function (done) { var path = Array(100).join('foobar') request(app) .get('/' + path) .expect(404, done) }) it('should handle headers already sent error', function (done) { var app = http.createServer(function (req, res) { res.write('0') send(req, req.url, { root: fixtures }) .on('error', function (err) { res.end(' - ' + err.message) }) .pipe(res) }) request(app) .get('/name.txt') .expect(200, '0 - Can\'t set headers after they are sent.', done) }) it('should support HEAD', function (done) { request(app) .head('/name.txt') .expect(200) .expect('Content-Length', '4') .expect(shouldNotHaveBody()) .end(done) }) it('should add an ETag header field', function (done) { request(app) .get('/name.txt') .expect('etag', /^W\/"[^"]+"$/) .end(done) }) it('should add a Date header field', function (done) { request(app) .get('/name.txt') .expect('date', dateRegExp, done) }) it('should add a Last-Modified header field', function (done) { request(app) .get('/name.txt') .expect('last-modified', dateRegExp, done) }) it('should add a Accept-Ranges header field', function (done) { request(app) .get('/name.txt') .expect('Accept-Ranges', 'bytes', done) }) it('should 404 if the file does not exist', function (done) { request(app) .get('/meow') .expect(404, 'Not Found', done) }) it('should emit ENOENT if the file does not exist', function (done) { var app = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('error', function (err) { res.end(err.statusCode + ' ' + err.code) }) .pipe(res) }) request(app) .get('/meow') .expect(200, '404 ENOENT', done) }) it('should not override content-type', function (done) { var app = http.createServer(function (req, res) { res.setHeader('Content-Type', 'application/x-custom') send(req, req.url, { root: fixtures }).pipe(res) }) request(app) .get('/name.txt') .expect('Content-Type', 'application/x-custom', done) }) it('should set Content-Type via mime map', function (done) { request(app) .get('/name.txt') .expect('Content-Type', 'text/plain; charset=utf-8') .expect(200, function (err) { if (err) return done(err) request(app) .get('/tobi.html') .expect('Content-Type', 'text/html; charset=utf-8') .expect(200, done) }) }) it('should default Content-Type to octet-stream', function (done) { request(app) .get('/no_ext') .expect('Content-Type', 'application/octet-stream') .expect(200, done) }) it('should 404 if file disappears after stat, before open', function (done) { var app = http.createServer(function (req, res) { send(req, req.url, { root: 'test/fixtures' }) .on('file', function () { // simulate file ENOENT after on open, after stat var fn = this.send this.send = function (path, stat) { fn.call(this, (path + '__xxx_no_exist'), stat) } }) .pipe(res) }) request(app) .get('/name.txt') .expect(404, done) }) it('should 500 on file stream error', function (done) { var app = http.createServer(function (req, res) { send(req, req.url, { root: 'test/fixtures' }) .on('stream', function (stream) { // simulate file error stream.on('open', function () { stream.emit('error', new Error('boom!')) }) }) .pipe(res) }) request(app) .get('/name.txt') .expect(500, done) }) describe('"headers" event', function () { it('should fire when sending file', function (done) { var cb = after(2, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', function () { cb() }) .pipe(res) }) request(server) .get('/name.txt') .expect(200, 'tobi', cb) }) it('should not fire on 404', function (done) { var cb = after(1, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', function () { cb() }) .pipe(res) }) request(server) .get('/bogus') .expect(404, cb) }) it('should fire on index', function (done) { var cb = after(2, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', function () { cb() }) .pipe(res) }) request(server) .get('/pets/') .expect(200, /tobi/, cb) }) it('should not fire on redirect', function (done) { var cb = after(1, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', function () { cb() }) .pipe(res) }) request(server) .get('/pets') .expect(301, cb) }) it('should provide path', function (done) { var cb = after(2, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', onHeaders) .pipe(res) }) function onHeaders (res, filePath) { assert.ok(filePath) assert.strictEqual(path.normalize(filePath), path.normalize(path.join(fixtures, 'name.txt'))) cb() } request(server) .get('/name.txt') .expect(200, 'tobi', cb) }) it('should provide stat', function (done) { var cb = after(2, done) var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', onHeaders) .pipe(res) }) function onHeaders (res, path, stat) { assert.ok(stat) assert.ok('ctime' in stat) assert.ok('mtime' in stat) cb() } request(server) .get('/name.txt') .expect(200, 'tobi', cb) }) it('should allow altering headers', function (done) { var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('headers', onHeaders) .pipe(res) }) function onHeaders (res, path, stat) { res.setHeader('Cache-Control', 'no-cache') res.setHeader('Content-Type', 'text/x-custom') res.setHeader('ETag', 'W/"everything"') res.setHeader('X-Created', stat.ctime.toUTCString()) } request(server) .get('/name.txt') .expect(200) .expect('Cache-Control', 'no-cache') .expect('Content-Type', 'text/x-custom') .expect('ETag', 'W/"everything"') .expect('X-Created', dateRegExp) .expect('tobi') .end(done) }) }) describe('when "directory" listeners are present', function () { it('should be called when sending directory', function (done) { var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('directory', onDirectory) .pipe(res) }) function onDirectory (res) { res.statusCode = 400 res.end('No directory for you') } request(server) .get('/pets') .expect(400, 'No directory for you', done) }) it('should be called with path', function (done) { var server = http.createServer(function (req, res) { send(req, req.url, { root: fixtures }) .on('directory', onDirectory) .pipe(res) }) function onDirectory (res, dirPath) { res.end(path.normalize(dirPath)) } request(server) .get('/pets') .expect(200, path.normalize(path.join(fixtures, 'pets')), done) }) }) describe('when no "directory" listeners are present', function () { it('should redirect directories to trailing slash', function (done) { request(createServer({ root: fixtures })) .get('/pets') .expect('Location', '/pets/') .expect(301, done) }) it('should respond with an HTML redirect', function (done) { request(createServer({ root: fixtures })) .get('/pets') .expect('Location', '/pets/') .expect('Content-Type', /html/) .expect(301, />Redirecting to \/pets\/Redirecting to \/snow%20%E2%98%83\/Not Foundtobi

', done) }) it('should 404 if nothing found', function (done) { request(createServer({ extensions: ['htm', 'html', 'txt'], root: fixtures })) .get('/bob') .expect(404, done) }) it('should skip directories', function (done) { request(createServer({ extensions: ['file', 'dir'], root: fixtures })) .get('/name') .expect(404, done) }) it('should not search if file has extension', function (done) { request(createServer({ extensions: 'html', root: fixtures })) .get('/thing.html') .expect(404, done) }) }) describe('lastModified', function () { it('should support disabling last-modified', function (done) { request(createServer({ lastModified: false, root: fixtures })) .get('/name.txt') .expect(shouldNotHaveHeader('Last-Modified')) .expect(200, done) }) }) describe('dotfiles', function () { it('should default to "ignore"', function (done) { request(createServer({ root: fixtures })) .get('/.hidden.txt') .expect(404, done) }) it('should ignore file within dotfile directory', function (done) { request(createServer({ root: fixtures })) .get('/.mine/name.txt') .expect(404, done) }) it('should reject bad value', function (done) { request(createServer({ dotfiles: 'bogus' })) .get('/name.txt') .expect(500, /dotfiles/, done) }) describe('when "allow"', function (done) { it('should send dotfile', function (done) { request(createServer({ dotfiles: 'allow', root: fixtures })) .get('/.hidden.txt') .expect(200, 'secret', done) }) it('should send within dotfile directory', function (done) { request(createServer({ dotfiles: 'allow', root: fixtures })) .get('/.mine/name.txt') .expect(200, /tobi/, done) }) it('should 404 for non-existent dotfile', function (done) { request(createServer({ dotfiles: 'allow', root: fixtures })) .get('/.nothere') .expect(404, done) }) }) describe('when "deny"', function (done) { it('should 403 for dotfile', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.hidden.txt') .expect(403, done) }) it('should 403 for dotfile directory', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.mine') .expect(403, done) }) it('should 403 for dotfile directory with trailing slash', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.mine/') .expect(403, done) }) it('should 403 for file within dotfile directory', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.mine/name.txt') .expect(403, done) }) it('should 403 for non-existent dotfile', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.nothere') .expect(403, done) }) it('should 403 for non-existent dotfile directory', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.what/name.txt') .expect(403, done) }) it('should 403 for dotfile in directory', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/pets/.hidden') .expect(403, done) }) it('should 403 for dotfile in dotfile directory', function (done) { request(createServer({ dotfiles: 'deny', root: fixtures })) .get('/.mine/.hidden') .expect(403, done) }) it('should send files in root dotfile directory', function (done) { request(createServer({ dotfiles: 'deny', root: path.join(fixtures, '.mine') })) .get('/name.txt') .expect(200, /tobi/, done) }) it('should 403 for dotfile without root', function (done) { var server = http.createServer(function onRequest (req, res) { send(req, fixtures + '/.mine' + req.url, { dotfiles: 'deny' }).pipe(res) }) request(server) .get('/name.txt') .expect(403, done) }) }) describe('when "ignore"', function (done) { it('should 404 for dotfile', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.hidden.txt') .expect(404, done) }) it('should 404 for dotfile directory', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.mine') .expect(404, done) }) it('should 404 for dotfile directory with trailing slash', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.mine/') .expect(404, done) }) it('should 404 for file within dotfile directory', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.mine/name.txt') .expect(404, done) }) it('should 404 for non-existent dotfile', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.nothere') .expect(404, done) }) it('should 404 for non-existent dotfile directory', function (done) { request(createServer({ dotfiles: 'ignore', root: fixtures })) .get('/.what/name.txt') .expect(404, done) }) it('should send files in root dotfile directory', function (done) { request(createServer({ dotfiles: 'ignore', root: path.join(fixtures, '.mine') })) .get('/name.txt') .expect(200, /tobi/, done) }) it('should 404 for dotfile without root', function (done) { var server = http.createServer(function onRequest (req, res) { send(req, fixtures + '/.mine' + req.url, { dotfiles: 'ignore' }).pipe(res) }) request(server) .get('/name.txt') .expect(404, done) }) }) }) describe('immutable', function () { it('should default to false', function (done) { request(createServer({ root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=0', done) }) it('should set immutable directive in Cache-Control', function (done) { request(createServer({ immutable: true, maxAge: '1h', root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=3600, immutable', done) }) }) describe('maxAge', function () { it('should default to 0', function (done) { request(createServer({ root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=0', done) }) it('should floor to integer', function (done) { request(createServer({ maxAge: 123956, root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=123', done) }) it('should accept string', function (done) { request(createServer({ maxAge: '30d', root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=2592000', done) }) it('should max at 1 year', function (done) { request(createServer({ maxAge: '2y', root: fixtures })) .get('/name.txt') .expect('Cache-Control', 'public, max-age=31536000', done) }) }) describe('index', function () { it('should reject numbers', function (done) { request(createServer({ root: fixtures, index: 42 })) .get('/pets/') .expect(500, /TypeError: index option/, done) }) it('should reject true', function (done) { request(createServer({ root: fixtures, index: true })) .get('/pets/') .expect(500, /TypeError: index option/, done) }) it('should default to index.html', function (done) { request(createServer({ root: fixtures })) .get('/pets/') .expect(fs.readFileSync(path.join(fixtures, 'pets', 'index.html'), 'utf8'), done) }) it('should be configurable', function (done) { request(createServer({ root: fixtures, index: 'tobi.html' })) .get('/') .expect(200, '

tobi

', done) }) it('should support disabling', function (done) { request(createServer({ root: fixtures, index: false })) .get('/pets/') .expect(403, done) }) it('should support fallbacks', function (done) { request(createServer({ root: fixtures, index: ['default.htm', 'index.html'] })) .get('/pets/') .expect(200, fs.readFileSync(path.join(fixtures, 'pets', 'index.html'), 'utf8'), done) }) it('should 404 if no index file found (file)', function (done) { request(createServer({ root: fixtures, index: 'default.htm' })) .get('/pets/') .expect(404, done) }) it('should 404 if no index file found (dir)', function (done) { request(createServer({ root: fixtures, index: 'pets' })) .get('/') .expect(404, done) }) it('should not follow directories', function (done) { request(createServer({ root: fixtures, index: ['pets', 'name.txt'] })) .get('/') .expect(200, 'tobi', done) }) it('should work without root', function (done) { var server = http.createServer(function (req, res) { var p = path.join(fixtures, 'pets').replace(/\\/g, '/') + '/' send(req, p, { index: ['index.html'] }) .pipe(res) }) request(server) .get('/') .expect(200, /tobi/, done) }) it('should 404 if file path contains trailing slash (windows)', function (done) { request(createServer({ root: fixtures, index: false })) .get('/tobi.html/') .expect(404, done) }) }) describe('root', function () { describe('when given', function () { it('should join root', function (done) { request(createServer({ root: fixtures })) .get('/pets/../name.txt') .expect(200, 'tobi', done) }) it('should work with trailing slash', function (done) { var app = http.createServer(function (req, res) { send(req, req.url, { root: fixtures + '/' }) .pipe(res) }) request(app) .get('/name.txt') .expect(200, 'tobi', done) }) it('should work with empty path', function (done) { var app = http.createServer(function (req, res) { send(req, '', { root: fixtures }) .pipe(res) }) request(app) .get('/name.txt') .expect(301, /Redirecting to/, done) }) // // NOTE: This is not a real part of the API, but // over time this has become something users // are doing, so this will prevent unseen // regressions around this use-case. // it('should try as file with empty path', function (done) { var app = http.createServer(function (req, res) { send(req, '', { root: path.join(fixtures, 'name.txt') }) .pipe(res) }) request(app) .get('/') .expect(200, 'tobi', done) }) it('should restrict paths to within root', function (done) { request(createServer({ root: fixtures })) .get('/pets/../../send.js') .expect(403, done) }) it('should allow .. in root', function (done) { var app = http.createServer(function (req, res) { send(req, req.url, { root: fixtures + '/../fixtures' }) .pipe(res) }) request(app) .get('/pets/../../send.js') .expect(403, done) }) it('should not allow root transversal', function (done) { request(createServer({ root: path.join(fixtures, 'name.d') })) .get('/../name.dir/name.txt') .expect(403, done) }) it('should not allow root path disclosure', function (done) { request(createServer({ root: fixtures })) .get('/pets/../../fixtures/name.txt') .expect(403, done) }) }) describe('when missing', function () { it('should consider .. malicious', function (done) { var app = http.createServer(function (req, res) { send(req, fixtures + req.url) .pipe(res) }) request(app) .get('/../send.js') .expect(403, done) }) it('should still serve files with dots in name', function (done) { var app = http.createServer(function (req, res) { send(req, fixtures + req.url) .pipe(res) }) request(app) .get('/do..ts.txt') .expect(200, '...', done) }) }) }) }) function createServer (opts, fn) { return http.createServer(function onRequest (req, res) { try { fn && fn(req, res) send(req, req.url, opts).pipe(res) } catch (err) { res.statusCode = 500 res.end(String(err)) } }) } function shouldNotHaveBody () { return function (res) { assert.ok(res.text === '' || res.text === undefined) } } function shouldNotHaveHeader (header) { return function (res) { assert.ok(!(header.toLowerCase() in res.headers), 'should not have header ' + header) } }