Skip to content

Enhance send to stream special files safely#308

Open
godwincod3s wants to merge 6 commits into
pillarjs:masterfrom
godwincod3s:send-transform
Open

Enhance send to stream special files safely#308
godwincod3s wants to merge 6 commits into
pillarjs:masterfrom
godwincod3s:send-transform

Conversation

@godwincod3s
Copy link
Copy Markdown

@godwincod3s godwincod3s commented May 15, 2026
edited
Loading

Add allowSpecialFiles option to support streaming pseudo‑files (e.g. /proc).

Summary
This PR introduces a new opt‑in option, allowSpecialFiles, to the send module. It addresses the issue where attempting to download pseudo‑files (e.g. /proc/meminfo on Linux) results in empty responses because fs.stat reports a size of 0.

Problem

  • send relies on fs.stat.size to set Content-Length.
  • For virtual filesystems like /proc, stat.size = 0, so the response is empty.
  • Developers currently have to bypass res.download() and use fs.createReadStream manually.

Solution

  • Added _allowSpecialFiles flag in SendStream constructor (default: false).
  • In SendStream.prototype.send, detect when stat.size === 0 and _allowSpecialFiles is enabled.
  • Skip setting Content-Length and stream the file directly.
  • Maintains existing behavior unless explicitly enabled.

Usage Example

app.get('/download', (req, res) => {
  res.download('/proc/meminfo', 'meminfo.txt', { allowSpecialFiles: true }, (err) => {
    if (err) console.error('Download error:', err)
  })
})

Security Considerations

  • By default, allowSpecialFiles is disabled.
  • /proc and similar pseudo‑files can expose sensitive system information.
  • Developers must consciously enable this option, ensuring safe defaults for all existing applications.

Tests Added

  • /proc/meminfo with allowSpecialFiles: true → non‑empty response containing "MemTotal".
  • /proc/meminfo without flag → empty response (unchanged behavior).

@godwincod3s
Implement handling for special files with size 0
2fdddc7 
Added an opt‑in flag to send (the module Express uses under the hood). This way, developers can explicitly allow streaming of special files like /proc/*, The option defaults to false and returns zero-size files as before.

Since developers would want a easier way to access the /proc file on linux systems. 

usage: 

app.get('/download', (req, res) => {
  res.download('/proc/meminfo', 'meminfo.txt', {
    allowSpecialFiles: true   // new opt‑in flag
  });
});
@godwincod3s
Add tests for streaming special files in send.js
48f1f26 
Spins up a tiny HTTP server using send.

First test: with { allowSpecialFiles: true }, /proc/meminfo streams correctly and contains "MemTotal".

Second test: without the flag, the response is empty (current behavior).
@godwincod3s
Document allowSpecialFiles in README
9b29335 
Added documentation for allowSpecialFiles configuration.
@godwincod3s
Fix typo and clarify default behavior in README
0cedcb2 
Corrected the spelling of 'default' and clarified its meaning.
@godwincod3s
Reorganize 'allowSpecialFiles' section in README
311e304 
Moved 'allowSpecialFiles' section to a more appropriate location in the README.
@godwincod3s
Add support for special file handling option
ecfc934 
Add support for special file handling option
also added the default value for the allowSpecialFiles option.
@godwincod3s godwincod3s changed the title Send transform Enhance send to stream special files safely May 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@godwincod3s