joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request from GHSA-23r4-5mxp-c7g5

Browse Source
This commit is contained in:
Manuel
2021-08-18 22:24:29 +02:00
parent 3c00bcd791
commit 1306da7454
5 changed files with 2059 additions and 3511 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
CHANGELOG.md
View File

@@ -1,7 +1,16 @@
## Parse Server Changelog
### master
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.2...master)
### 4.5.2
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.1...4.5.2)
### Security Fixes
- SECURITY FIX: Fixes incorrect session property `authProvider: password` of anonymous users. When signing up an anonymous user, the session field `createdWith` indicates incorrectly that the session has been created using username and password with `authProvider: password`, instead of an anonymous sign-up with `authProvider: anonymous`. This fixes the issue by setting the correct `authProvider: anonymous` for future sign-ups of anonymous users. This fix does not fix incorrect `authProvider: password` for existing sessions of anonymous users. Consider this if your app logic depends on the `authProvider` field. (Corey Baker) [GHSA-23r4-5mxp-c7g5](https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5)
### 4.5.1
*This version was published by mistake and was deprecated.*
### 4.5.0
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)

5419
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

2
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "parse-server",
"version": "4.5.0",
"version": "4.5.2",
"description": "An express module providing a Parse-compatible API server",
"main": "lib/index.js",
"repository": {

76
spec/ParseUser.spec.js
View File

@@ -2374,59 +2374,63 @@ describe('Parse.User testing', () => {
});
});
it('user get session from token on signup', done => {
Promise.resolve()
.then(() => {
return Parse.User.signUp('finn', 'human', { foo: 'bar' });
})
.then(user => {
request({
it('user get session from token on signup', async () => {
const user = await Parse.User.signUp('finn', 'human', { foo: 'bar' });
const response = await request({
headers: {
'X-Parse-Application-Id': 'test',
'X-Parse-Session-Token': user.getSessionToken(),
'X-Parse-REST-API-Key': 'rest',
},
url: 'http://localhost:8378/1/sessions/me',
}).then(response => {
const b = response.data;
expect(typeof b.sessionToken).toEqual('string');
expect(typeof b.createdWith).toEqual('object');
expect(b.createdWith.action).toEqual('signup');
expect(typeof b.user).toEqual('object');
expect(b.user.objectId).toEqual(user.id);
done();
});
});
const data = response.data;
expect(typeof data.sessionToken).toEqual('string');
expect(typeof data.createdWith).toEqual('object');
expect(data.createdWith.action).toEqual('signup');
expect(data.createdWith.authProvider).toEqual('password');
expect(typeof data.user).toEqual('object');
expect(data.user.objectId).toEqual(user.id);
});
it('user get session from token on login', done => {
Promise.resolve()
.then(() => {
return Parse.User.signUp('finn', 'human', { foo: 'bar' });
})
.then(() => {
return Parse.User.logOut().then(() => {
return Parse.User.logIn('finn', 'human');
});
})
.then(user => {
request({
it('user get session from token on username/password login', async () => {
await Parse.User.signUp('finn', 'human', { foo: 'bar' });
await Parse.User.logOut();
const user = await Parse.User.logIn('finn', 'human');
const response = await request({
headers: {
'X-Parse-Application-Id': 'test',
'X-Parse-Session-Token': user.getSessionToken(),
'X-Parse-REST-API-Key': 'rest',
},
url: 'http://localhost:8378/1/sessions/me',
}).then(response => {
const b = response.data;
expect(typeof b.sessionToken).toEqual('string');
expect(typeof b.createdWith).toEqual('object');
expect(b.createdWith.action).toEqual('login');
expect(typeof b.user).toEqual('object');
expect(b.user.objectId).toEqual(user.id);
done();
});
const data = response.data;
expect(typeof data.sessionToken).toEqual('string');
expect(typeof data.createdWith).toEqual('object');
expect(data.createdWith.action).toEqual('login');
expect(data.createdWith.authProvider).toEqual('password');
expect(typeof data.user).toEqual('object');
expect(data.user.objectId).toEqual(user.id);
});
it('user get session from token on anonymous login', async () => {
const user = await Parse.AnonymousUtils.logIn();
const response = await request({
headers: {
'X-Parse-Application-Id': 'test',
'X-Parse-Session-Token': user.getSessionToken(),
'X-Parse-REST-API-Key': 'rest',
},
url: 'http://localhost:8378/1/sessions/me',
});
const data = response.data;
expect(typeof data.sessionToken).toEqual('string');
expect(typeof data.createdWith).toEqual('object');
expect(data.createdWith.action).toEqual('login');
expect(data.createdWith.authProvider).toEqual('anonymous');
expect(typeof data.user).toEqual('object');
expect(data.user.objectId).toEqual(user.id);
});
it('user update session with other field', done => {

6
src/RestWrite.js
View File

@@ -857,7 +857,11 @@ RestWrite.prototype.createSessionToken = async function () {
return;
}
const { sessionData, createSession } = Auth.createSession(this.config, {
if (this.storage['authProvider'] == null && this.data.authData) {
this.storage['authProvider'] = Object.keys(this.data.authData).join(',');
}
const { sessionData, createSession } = RestWrite.createSession(this.config, {
userId: this.objectId(),
createdWith: {
action: this.storage['authProvider'] ? 'login' : 'signup',