fix: Custom object ID allows to acquire role privileges ([GHSA-8xq9-g7ch-35hg](https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg)) (#9317)

2024-10-03 21:17:14 +02:00
parent b86906f303
commit 13ee52f0d1
3 changed files with 57 additions and 0 deletions
--- a/src/Auth.js
+++ b/src/Auth.js
@@ -180,6 +180,11 @@ const getAuthForSessionToken = async function ({
    throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token is expired.');
  }
  const obj = session.user;
+
+  if (typeof obj['objectId'] === 'string' && obj['objectId'].startsWith('role:')) {
+    throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Invalid object ID.');
+  }
+
  delete obj.password;
  obj['className'] = '_User';
  obj['sessionToken'] = sessionToken;
--- a/src/Routers/ClassesRouter.js
+++ b/src/Routers/ClassesRouter.js
@@ -106,6 +106,13 @@ export class ClassesRouter extends PromiseRouter {
  }

  handleCreate(req) {
+    if (
+      this.className(req) === '_User' &&
+      typeof req.body?.objectId === 'string' &&
+      req.body.objectId.startsWith('role:')
+    ) {
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.');
+    }
    return rest.create(
      req.config,
      req.auth,