Send is a Node.js library designed for efficiently streaming static files in web applications, offering robust support for Range requests and conditional-GET enabling optimized content delivery. Comparing version 0.1.1 released in June 2013 with the previous stable version, 0.1.0 released in September 2012, reveals a refinement in dependency management as the key distinction. Specifically, version 0.1.1 updates the mime dependency to ~1.2.9 while the previous version used 1.2.6. This update likely incorporates bug fixes, performance improvements, or new MIME type support within the mime library, enhancing Send's ability to serve a wider range of file types correctly. Other dependencies like debug, fresh, and range-parser remained consistent between the two versions.
For developers, Send offers a powerful and streamlined solution for serving static assets. Its support for Range requests allows clients to request specific portions of a file, enabling features like seeking in video or resuming interrupted downloads. Conditional-GET support leverages browser caching mechanisms, reducing bandwidth consumption and improving website performance by avoiding unnecessary data transfers. The library's small footprint and focused functionality make it an ideal choice for integrating into web applications where efficient static file delivery is paramount. While the core functionality remained consistent between versions 0.1.0 and 0.1.1, the updated mime dependency ensures improved content type handling. Both versions provide a reliable static file server with similar features and functionalities.
All the vulnerabilities related to the version 0.1.1 of the package
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
