Merge pull request from GHSA-23r4-5mxp-c7g5
This commit is contained in:
Manuel
11
CHANGELOG.md
11
CHANGELOG.md
@@ -1,7 +1,16 @@
|
|||||||
## Parse Server Changelog
|
## Parse Server Changelog
|
||||||
|
|
||||||
### master
|
### master
|
||||||
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
|
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.2...master)
|
||||||
|
|
||||||
|
### 4.5.2
|
||||||
|
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.1...4.5.2)
|
||||||
|
|
||||||
|
### Security Fixes
|
||||||
|
- SECURITY FIX: Fixes incorrect session property `authProvider: password` of anonymous users. When signing up an anonymous user, the session field `createdWith` indicates incorrectly that the session has been created using username and password with `authProvider: password`, instead of an anonymous sign-up with `authProvider: anonymous`. This fixes the issue by setting the correct `authProvider: anonymous` for future sign-ups of anonymous users. This fix does not fix incorrect `authProvider: password` for existing sessions of anonymous users. Consider this if your app logic depends on the `authProvider` field. (Corey Baker) [GHSA-23r4-5mxp-c7g5](https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5)
|
||||||
|
|
||||||
|
### 4.5.1
|
||||||
|
*This version was published by mistake and was deprecated.*
|
||||||
|
|
||||||
### 4.5.0
|
### 4.5.0
|
||||||
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
|
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
|
||||||
|
|||||||
5445
package-lock.json
generated
5445
package-lock.json
generated
File diff suppressed because it is too large
Load Diff
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "parse-server",
|
"name": "parse-server",
|
||||||
"version": "4.5.0",
|
"version": "4.5.2",
|
||||||
"description": "An express module providing a Parse-compatible API server",
|
"description": "An express module providing a Parse-compatible API server",
|
||||||
"main": "lib/index.js",
|
"main": "lib/index.js",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
|||||||
@@ -2374,59 +2374,63 @@ describe('Parse.User testing', () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('user get session from token on signup', done => {
|
it('user get session from token on signup', async () => {
|
||||||
Promise.resolve()
|
const user = await Parse.User.signUp('finn', 'human', { foo: 'bar' });
|
||||||
.then(() => {
|
const response = await request({
|
||||||
return Parse.User.signUp('finn', 'human', { foo: 'bar' });
|
headers: {
|
||||||
})
|
'X-Parse-Application-Id': 'test',
|
||||||
.then(user => {
|
'X-Parse-Session-Token': user.getSessionToken(),
|
||||||
request({
|
'X-Parse-REST-API-Key': 'rest',
|
||||||
headers: {
|
},
|
||||||
'X-Parse-Application-Id': 'test',
|
url: 'http://localhost:8378/1/sessions/me',
|
||||||
'X-Parse-Session-Token': user.getSessionToken(),
|
});
|
||||||
'X-Parse-REST-API-Key': 'rest',
|
const data = response.data;
|
||||||
},
|
expect(typeof data.sessionToken).toEqual('string');
|
||||||
url: 'http://localhost:8378/1/sessions/me',
|
expect(typeof data.createdWith).toEqual('object');
|
||||||
}).then(response => {
|
expect(data.createdWith.action).toEqual('signup');
|
||||||
const b = response.data;
|
expect(data.createdWith.authProvider).toEqual('password');
|
||||||
expect(typeof b.sessionToken).toEqual('string');
|
expect(typeof data.user).toEqual('object');
|
||||||
expect(typeof b.createdWith).toEqual('object');
|
expect(data.user.objectId).toEqual(user.id);
|
||||||
expect(b.createdWith.action).toEqual('signup');
|
|
||||||
expect(typeof b.user).toEqual('object');
|
|
||||||
expect(b.user.objectId).toEqual(user.id);
|
|
||||||
done();
|
|
||||||
});
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it('user get session from token on login', done => {
|
it('user get session from token on username/password login', async () => {
|
||||||
Promise.resolve()
|
await Parse.User.signUp('finn', 'human', { foo: 'bar' });
|
||||||
.then(() => {
|
await Parse.User.logOut();
|
||||||
return Parse.User.signUp('finn', 'human', { foo: 'bar' });
|
const user = await Parse.User.logIn('finn', 'human');
|
||||||
})
|
const response = await request({
|
||||||
.then(() => {
|
headers: {
|
||||||
return Parse.User.logOut().then(() => {
|
'X-Parse-Application-Id': 'test',
|
||||||
return Parse.User.logIn('finn', 'human');
|
'X-Parse-Session-Token': user.getSessionToken(),
|
||||||
});
|
'X-Parse-REST-API-Key': 'rest',
|
||||||
})
|
},
|
||||||
.then(user => {
|
url: 'http://localhost:8378/1/sessions/me',
|
||||||
request({
|
});
|
||||||
headers: {
|
const data = response.data;
|
||||||
'X-Parse-Application-Id': 'test',
|
expect(typeof data.sessionToken).toEqual('string');
|
||||||
'X-Parse-Session-Token': user.getSessionToken(),
|
expect(typeof data.createdWith).toEqual('object');
|
||||||
'X-Parse-REST-API-Key': 'rest',
|
expect(data.createdWith.action).toEqual('login');
|
||||||
},
|
expect(data.createdWith.authProvider).toEqual('password');
|
||||||
url: 'http://localhost:8378/1/sessions/me',
|
expect(typeof data.user).toEqual('object');
|
||||||
}).then(response => {
|
expect(data.user.objectId).toEqual(user.id);
|
||||||
const b = response.data;
|
});
|
||||||
expect(typeof b.sessionToken).toEqual('string');
|
|
||||||
expect(typeof b.createdWith).toEqual('object');
|
it('user get session from token on anonymous login', async () => {
|
||||||
expect(b.createdWith.action).toEqual('login');
|
const user = await Parse.AnonymousUtils.logIn();
|
||||||
expect(typeof b.user).toEqual('object');
|
const response = await request({
|
||||||
expect(b.user.objectId).toEqual(user.id);
|
headers: {
|
||||||
done();
|
'X-Parse-Application-Id': 'test',
|
||||||
});
|
'X-Parse-Session-Token': user.getSessionToken(),
|
||||||
});
|
'X-Parse-REST-API-Key': 'rest',
|
||||||
|
},
|
||||||
|
url: 'http://localhost:8378/1/sessions/me',
|
||||||
|
});
|
||||||
|
const data = response.data;
|
||||||
|
expect(typeof data.sessionToken).toEqual('string');
|
||||||
|
expect(typeof data.createdWith).toEqual('object');
|
||||||
|
expect(data.createdWith.action).toEqual('login');
|
||||||
|
expect(data.createdWith.authProvider).toEqual('anonymous');
|
||||||
|
expect(typeof data.user).toEqual('object');
|
||||||
|
expect(data.user.objectId).toEqual(user.id);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('user update session with other field', done => {
|
it('user update session with other field', done => {
|
||||||
|
|||||||
@@ -857,7 +857,11 @@ RestWrite.prototype.createSessionToken = async function () {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const { sessionData, createSession } = Auth.createSession(this.config, {
|
if (this.storage['authProvider'] == null && this.data.authData) {
|
||||||
|
this.storage['authProvider'] = Object.keys(this.data.authData).join(',');
|
||||||
|
}
|
||||||
|
|
||||||
|
const { sessionData, createSession } = RestWrite.createSession(this.config, {
|
||||||
userId: this.objectId(),
|
userId: this.objectId(),
|
||||||
createdWith: {
|
createdWith: {
|
||||||
action: this.storage['authProvider'] ? 'login' : 'signup',
|
action: this.storage['authProvider'] ? 'login' : 'signup',
|
||||||
|
|||||||
Reference in New Issue
Block a user