build: release beta

CONTRIBUTING.md

@@ -24,6 +24,8 @@
 - [Merging](#merging)
   - [Breaking Change](#breaking-change-1)
   - [Reverting](#reverting)
+- [Releasing](#releasing)
+  - [General Considerations](#general-considerations)
   - [Major Release / Long-Term-Support](#major-release--long-term-support)
 - [Versioning](#versioning)
 - [Code of Conduct](#code-of-conduct)
@@ -379,6 +381,12 @@ If the commit reverts a previous commit, use the prefix `revert:`, followed by t
   This reverts commit 1234567890abcdef.
   ```
 
+## Releasing
+
+### General Considerations
+
+- The `package-lock.json` file has to be deleted and recreated by npm from scratch in regular intervals using the `npm i` command. It is not enough to only update the file via automated security pull requests (e.g. dependabot, snyk), that can create inconsistencies between sub-devependencies of a dependency and increase the chances of vulnerabilities. The file should be recreated once every release cycle which is usually monthly.
+
 ### Major Release / Long-Term-Support
 
 Long-Term-Support (LTS) is provided for the previous Parse Server major version. For example, Parse Server 4.x will receive security updates until Parse Server 5.x is superseded by Parse Server 6.x and becomes the new LTS version. While the current major version is published on branch `release`, a LTS version is published on branch `release-#.x.x`, for example `release-4.x.x` for the Parse Server 4.x LTS branch. 

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+# [5.2.0-alpha.3](https://github.com/parse-community/parse-server/compare/5.2.0-alpha.2...5.2.0-alpha.3) (2022-03-24)
+
+
+### Bug Fixes
+
+* security bump minimist from 1.2.5 to 1.2.6 ([#7884](https://github.com/parse-community/parse-server/issues/7884)) ([c5cf282](https://github.com/parse-community/parse-server/commit/c5cf282d11ffdc023764f8e7539a2bd6bc246fe1))
+
+# [5.2.0-alpha.2](https://github.com/parse-community/parse-server/compare/5.2.0-alpha.1...5.2.0-alpha.2) (2022-03-24)
+
+
+### Bug Fixes
+
+* sensitive keyword detection may produce false positives ([#7881](https://github.com/parse-community/parse-server/issues/7881)) ([0d6f9e9](https://github.com/parse-community/parse-server/commit/0d6f9e951d9e186e95e96d8869066ce7022bad02))
+
 # [5.2.0-alpha.1](https://github.com/parse-community/parse-server/compare/5.1.1...5.2.0-alpha.1) (2022-03-23)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "5.2.0-beta.1",
+  "version": "5.2.0-alpha.3",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -10329,9 +10329,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.5",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
       "dev": true
     },
     "minimist-options": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "5.2.0-beta.1",
+  "version": "5.2.0-alpha.3",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

spec/vulnerabilities.spec.js

@@ -280,4 +280,18 @@ describe('Vulnerabilities', () => {
       expect(text.error).toBe('Prohibited keyword in request data: {"value":"aValue[123]*"}.');
     });
   });
+
+  describe('Ignore non-matches', () => {
+    it('ignores write request that contains only fraction of denied keyword', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'abc' }],
+      });
+      // Initially saving an object executes the keyword detection in RestWrite.js
+      const obj = new TestObject({ a: { b: { c: 0 } } });
+      await expectAsync(obj.save()).toBeResolved();
+      // Modifying a nested key executes the keyword detection in DatabaseController.js
+      obj.increment('a.b.c');
+      await expectAsync(obj.save()).toBeResolved();
+    });
+  });
 });

src/Controllers/DatabaseController.js

@@ -11,6 +11,7 @@ import intersect from 'intersect';
 // @flow-disable-next
 import deepcopy from 'deepcopy';
 import logger from '../logger';
+import Utils from '../Utils';
 import * as SchemaController from './SchemaController';
 import { StorageAdapter } from '../Adapters/Storage/StorageAdapter';
 import MongoStorageAdapter from '../Adapters/Storage/Mongo/MongoStorageAdapter';
@@ -1763,8 +1764,8 @@ class DatabaseController {
     if (this.options && this.options.requestKeywordDenylist) {
       // Scan request data for denied keywords
       for (const keyword of this.options.requestKeywordDenylist) {
-        const isMatch = (a, b) => (typeof a === 'string' && new RegExp(a).test(b)) || a === b;
-        if (isMatch(firstKey, keyword.key)) {
+        const match = Utils.objectContainsKeyValue({ firstKey: undefined }, keyword.key, undefined);
+        if (match) {
           throw new Parse.Error(
             Parse.Error.INVALID_KEY_NAME,
             `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`

src/Utils.js

@@ -341,9 +341,9 @@ class Utils {
    * @returns {Boolean} True if a match was found, false otherwise.
    */
   static objectContainsKeyValue(obj, key, value) {
-    const isMatch = (a, b) => (typeof a === 'string' && new RegExp(a).test(b)) || a === b;
-    const isKeyMatch = k => isMatch(key, k);
-    const isValueMatch = v => isMatch(value, v);
+    const isMatch = (a, b) => (typeof a === 'string' && new RegExp(b).test(a)) || a === b;
+    const isKeyMatch = k => isMatch(k, key);
+    const isValueMatch = v => isMatch(v, value);
     for (const [k, v] of Object.entries(obj)) {
       if (key !== undefined && value === undefined && isKeyMatch(k)) {
         return true;