Send is a Node.js module designed to efficiently serve static files with advanced features like Range support for partial content delivery and conditional-GET handling for optimized caching. Examining versions 0.2.0 and 0.1.4 reveals subtle but potentially impactful changes for developers. Both versions share the same core functionality and author, aiming to provide a better streaming static file server. They both rely on mime for content type detection, debug for logging, and support connect for integration within web applications. Crucially, the dependency on fresh for conditional-GET processing is updated from version 0.2.0 to ~0.2.1. range-parser also sees a shift from 0.0.4 to ~1.0.0, suggesting a potential update in how the module handles Range requests. These dependency updates alone signify improvements in underlying functionality. Version 0.2.0 also has a later release date of 2014-01-29 in contrast to 2013-08-10 on the 0.1.4 version. For developers, Send provides a robust solution for serving static assets, optimizing bandwidth usage through features like Range requests, and improving performance via conditional-GET support. When choosing a version, developers should consider the dependency updates' potential impact on their application, particularly concerning fresh and range-parser. Although not explicitly detailed, these updates may include bug fixes, performance enhancements, or new features related to cache validation and range handling.
All the vulnerabilities related to the version 0.2.0 of the package
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
