joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CLP objectId size validation fix (#6332)

Browse Source 
* Relax regex for customId ; allow varying id length

* test

* remove trycatch, fix typo

* de-duplicate test names; test pointer targetclass

* fixed early return; detailed errors for protected
This commit is contained in:
Old Grandpa
2020-01-14 12:01:14 +03:00
committed by Antonio Davi Macedo Coelho de Castro
parent 9842c6ee42
commit 2d257e20a0
4 changed files with 225 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
spec/PointerPermissions.spec.js
View File

@@ -399,7 +399,7 @@ describe('Pointer Permissions', () => {
});
});
it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (of wrong type)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
@@ -426,7 +426,34 @@ describe('Pointer Permissions', () => {
});
});
it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (non-user pointer)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
.then(schema => {
return schema.addClassIfNotExists(
'AnObject',
{ owner: { type: 'Pointer', targetClass: '_Session' } },
{
create: {},
writeUserFields: ['owner'],
readUserFields: ['owner'],
}
);
})
.then(() => {
fail('should not succeed');
})
.catch(err => {
expect(err.code).toBe(107);
expect(err.message).toBe(
"'owner' is not a valid column for class level pointer permissions writeUserFields"
);
done();
});
});
it('should prevent creating pointer permission on bad field (non-existing)', done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owner', 'value');
@@ -984,7 +1011,7 @@ describe('Pointer Permissions', () => {
);
});
it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (not array)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
@@ -1002,7 +1029,7 @@ describe('Pointer Permissions', () => {
});
});
it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (non-existing field)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
@@ -1398,7 +1425,7 @@ describe('Pointer Permissions', () => {
}
});
it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (of wrong type)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
@@ -1421,7 +1448,7 @@ describe('Pointer Permissions', () => {
}
});
it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (non-existing)', async done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owners', 'value');
@@ -1955,7 +1982,7 @@ describe('Pointer Permissions', () => {
}
});
it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (not array)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
@@ -1971,7 +1998,7 @@ describe('Pointer Permissions', () => {
}
});
it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (non-existing field)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {

16
spec/Schema.spec.js
View File

@@ -1665,7 +1665,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});
it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test get not authenitcated', done => {
config.database
.loadSchema()
.then(schema => {
@@ -1677,12 +1677,6 @@ describe('Class Level Permissions for requiredAuth', () => {
get: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},
@@ -1710,7 +1704,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});
it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test find not authenitcated', done => {
config.database
.loadSchema()
.then(schema => {
@@ -1722,12 +1716,6 @@ describe('Class Level Permissions for requiredAuth', () => {
find: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},

80
spec/schemas.spec.js
View File

@@ -1835,8 +1835,14 @@ describe('schemas', () => {
});
});
it('should throw with invalid userId (>10 chars)', done => {
request({
it('should aceept class-level permission with userid of any length', async done => {
await global.reconfigureServer({
customIdSize: 11,
});
const id = 'e1evenChars';
const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
@@ -1844,20 +1850,25 @@ describe('schemas', () => {
body: {
classLevelPermissions: {
find: {
'1234567890A': true,
[id]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'1234567890A' is not a valid key for class level permissions"
);
done();
});
expect(data.classLevelPermissions.find[id]).toBe(true);
done();
});
it('should throw with invalid userId (<10 chars)', done => {
request({
it('should allow set class-level permission for custom userid of any length and chars', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});
const symbolsId = 'set:ID+symbol$=@llowed';
const shortId = '1';
const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
@@ -1865,16 +1876,53 @@ describe('schemas', () => {
body: {
classLevelPermissions: {
find: {
a12345678: true,
[symbolsId]: true,
[shortId]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'a12345678' is not a valid key for class level permissions"
);
done();
});
expect(data.classLevelPermissions.find[symbolsId]).toBe(true);
expect(data.classLevelPermissions.find[shortId]).toBe(true);
done();
});
it('should allow set ACL for custom userid', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});
const symbolsId = 'symbols:id@allowed=';
const shortId = '1';
const normalId = 'tensymbols';
const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/classes/AClass',
headers: masterKeyHeaders,
json: true,
body: {
ACL: {
[symbolsId]: { read: true, write: true },
[shortId]: { read: true, write: true },
[normalId]: { read: true, write: true },
},
},
});
const { data: created } = await request({
method: 'GET',
url: `http://localhost:8378/1/classes/AClass/${data.objectId}`,
headers: masterKeyHeaders,
json: true,
});
expect(created.ACL[normalId].write).toBe(true);
expect(created.ACL[symbolsId].write).toBe(true);
expect(created.ACL[shortId].write).toBe(true);
done();
});
it('should throw with invalid userId (invalid char)', done => {