joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Custom object ID allows to acquire role privileges ([GHSA-8xq9-g7ch-35hg](https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg)) (#9317)

Browse Source
This commit is contained in:
Manuel
2024-10-03 21:17:14 +02:00
committed by GitHub
parent b86906f303
commit 13ee52f0d1
3 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
spec/vulnerabilities.spec.js
View File

@@ -1,6 +1,51 @@
const request = require('../lib/request'); const request = require('../lib/request');
describe('Vulnerabilities', () => { describe('Vulnerabilities', () => {
describe('(GHSA-8xq9-g7ch-35hg) Custom object ID allows to acquire role privilege', () => {
beforeAll(async () => {
await reconfigureServer({ allowCustomObjectId: true });
Parse.allowCustomObjectId = true;
});
afterAll(async () => {
await reconfigureServer({ allowCustomObjectId: false });
Parse.allowCustomObjectId = false;
});
it('denies user creation with poisoned object ID', async () => {
await expectAsync(
new Parse.User({ id: 'role:a', username: 'a', password: '123' }).save()
).toBeRejectedWith(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.'));
});
describe('existing sessions for users with poisoned object ID', () => {
/** @type {Parse.User} */
let poisonedUser;
/** @type {Parse.User} */
let innocentUser;
beforeAll(async () => {
const parseServer = await global.reconfigureServer();
const databaseController = parseServer.config.databaseController;
[poisonedUser, innocentUser] = await Promise.all(
['role:abc', 'abc'].map(async id => {
// Create the users directly on the db to bypass the user creation check
await databaseController.create('_User', { objectId: id });
// Use the master key to create a session for them to bypass the session check
return Parse.User.loginAs(id);
})
);
});
it('refuses session token of user with poisoned object ID', async () => {
await expectAsync(
new Parse.Query(Parse.User).find({ sessionToken: poisonedUser.getSessionToken() })
).toBeRejectedWith(new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Invalid object ID.'));
await new Parse.Query(Parse.User).find({ sessionToken: innocentUser.getSessionToken() });
});
});
});
describe('Object prototype pollution', () => { describe('Object prototype pollution', () => {
it('denies object prototype to be polluted with keyword "constructor"', async () => { it('denies object prototype to be polluted with keyword "constructor"', async () => {
const headers = { const headers = {

5
src/Auth.js
View File

@@ -180,6 +180,11 @@ const getAuthForSessionToken = async function ({
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token is expired.'); throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token is expired.');
} }
const obj = session.user; const obj = session.user;
if (typeof obj['objectId'] === 'string' && obj['objectId'].startsWith('role:')) {
throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Invalid object ID.');
}
delete obj.password; delete obj.password;
obj['className'] = '_User'; obj['className'] = '_User';
obj['sessionToken'] = sessionToken; obj['sessionToken'] = sessionToken;

7
src/Routers/ClassesRouter.js
View File

@@ -106,6 +106,13 @@ export class ClassesRouter extends PromiseRouter {
} }
handleCreate(req) { handleCreate(req) {
if (
this.className(req) === '_User' &&
typeof req.body?.objectId === 'string' &&
req.body.objectId.startsWith('role:')
) {
throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.');
}
return rest.create( return rest.create(
req.config, req.config,
req.auth, req.auth,