refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8676)

2023-06-28 23:38:14 +02:00
parent f8b5a99d54
commit 31805c96ec
6 changed files with 101 additions and 33 deletions
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -25,5 +25,8 @@
        "space-infix-ops": "error",
        "no-useless-escape": "off",
        "require-atomic-updates": "off"
+    },
+    "globals": {
+        "Parse": true
    }
 }
--- a/spec/vulnerabilities.spec.js
+++ b/spec/vulnerabilities.spec.js
@@ -138,6 +138,71 @@ describe('Vulnerabilities', () => {
      );
    });

+    it('denies creating global config with polluted data', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-Master-Key': 'test',
+      };
+      const params = {
+        method: 'PUT',
+        url: 'http://localhost:8378/1/config',
+        json: true,
+        body: {
+          params: {
+            welcomeMesssage: 'Welcome to Parse',
+            foo: { _bsontype: 'Code', code: 'shell' },
+          },
+        },
+        headers,
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
+      );
+    });
+
+    it('denies direct database write wih prohibited keys', async () => {
+      const Config = require('../lib/Config');
+      const config = Config.get(Parse.applicationId);
+      const user = {
+        objectId: '1234567890',
+        username: 'hello',
+        password: 'pass',
+        _session_token: 'abc',
+        foo: { _bsontype: 'Code', code: 'shell' },
+      };
+      await expectAsync(config.database.create('_User', user)).toBeRejectedWith(
+        new Parse.Error(
+          Parse.Error.INVALID_KEY_NAME,
+          'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
+        )
+      );
+    });
+
+    it('denies direct database update wih prohibited keys', async () => {
+      const Config = require('../lib/Config');
+      const config = Config.get(Parse.applicationId);
+      const user = {
+        objectId: '1234567890',
+        username: 'hello',
+        password: 'pass',
+        _session_token: 'abc',
+        foo: { _bsontype: 'Code', code: 'shell' },
+      };
+      await expectAsync(
+        config.database.update('_User', { _id: user.objectId }, user)
+      ).toBeRejectedWith(
+        new Parse.Error(
+          Parse.Error.INVALID_KEY_NAME,
+          'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
+        )
+      );
+    });
+
    it('denies creating a hook with polluted data', async () => {
      const express = require('express');
      const bodyParser = require('body-parser');
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -475,6 +475,11 @@ class DatabaseController {
    validateOnly: boolean = false,
    validSchemaController: SchemaController.SchemaController
  ): Promise<any> {
+    try {
+      Utils.checkProhibitedKeywords(this.options, update);
+    } catch (error) {
+      return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
+    }
    const originalQuery = query;
    const originalUpdate = update;
    // Make a copy of the object, so we don't mutate the incoming data.
@@ -805,6 +810,11 @@ class DatabaseController {
    validateOnly: boolean = false,
    validSchemaController: SchemaController.SchemaController
  ): Promise<any> {
+    try {
+      Utils.checkProhibitedKeywords(this.options, object);
+    } catch (error) {
+      return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
+    }
    // Make a copy of the object, so we don't mutate the incoming data.
    const originalObject = object;
    object = transformObjectACL(object);
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -64,8 +64,6 @@ function RestWrite(config, auth, className, query, data, originalData, clientSDK
    }
  }

-  this.checkProhibitedKeywords(data);
-
  // When the operation is complete, this.response may have several
  // fields.
  // response: the actual data to be returned
@@ -304,7 +302,11 @@ RestWrite.prototype.runBeforeSaveTrigger = function () {
          delete this.data.objectId;
        }
      }
-      this.checkProhibitedKeywords(this.data);
+      try {
+        Utils.checkProhibitedKeywords(this.config, this.data);
+      } catch (error) {
+        throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, error);
+      }
    });
 };

@@ -1798,20 +1800,5 @@ RestWrite.prototype._updateResponseWithData = function (response, data) {
  return response;
 };

-RestWrite.prototype.checkProhibitedKeywords = function (data) {
-  if (this.config.requestKeywordDenylist) {
-    // Scan request data for denied keywords
-    for (const keyword of this.config.requestKeywordDenylist) {
-      const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
-      if (match) {
-        throw new Parse.Error(
-          Parse.Error.INVALID_KEY_NAME,
-          `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
-        );
-      }
-    }
-  }
-};
-
 export default RestWrite;
 module.exports = RestWrite;
--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -175,22 +175,13 @@ export class FilesRouter {
    const base64 = req.body.toString('base64');
    const file = new Parse.File(filename, { base64 }, contentType);
    const { metadata = {}, tags = {} } = req.fileData || {};
-    if (req.config && req.config.requestKeywordDenylist) {
+    try {
      // Scan request data for denied keywords
-      for (const keyword of req.config.requestKeywordDenylist) {
-        const match =
-          Utils.objectContainsKeyValue(metadata, keyword.key, keyword.value) ||
-          Utils.objectContainsKeyValue(tags, keyword.key, keyword.value);
-        if (match) {
-          next(
-            new Parse.Error(
-              Parse.Error.INVALID_KEY_NAME,
-              `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
-            )
-          );
-          return;
-        }
-      }
+      Utils.checkProhibitedKeywords(config, metadata);
+      Utils.checkProhibitedKeywords(config, tags);
+    } catch (error) {
+      next(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
+      return;
    }
    file.setTags(tags);
    file.setMetadata(metadata);
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -358,6 +358,18 @@ class Utils {
    }
    return false;
  }
+
+  static checkProhibitedKeywords(config, data) {
+    if (config?.requestKeywordDenylist) {
+      // Scan request data for denied keywords
+      for (const keyword of config.requestKeywordDenylist) {
+        const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
+        if (match) {
+          throw `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`;
+        }
+      }
+    }
+  }
 }

 module.exports = Utils;