joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8676)

Browse Source
This commit is contained in:
Manuel
2023-06-28 23:38:14 +02:00
committed by GitHub
parent f8b5a99d54
commit 31805c96ec
6 changed files with 101 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/Controllers/DatabaseController.js
View File

@@ -475,6 +475,11 @@ class DatabaseController {
validateOnly: boolean = false,
validSchemaController: SchemaController.SchemaController
): Promise<any> {
try {
Utils.checkProhibitedKeywords(this.options, update);
} catch (error) {
return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
}
const originalQuery = query;
const originalUpdate = update;
// Make a copy of the object, so we don't mutate the incoming data.
@@ -805,6 +810,11 @@ class DatabaseController {
validateOnly: boolean = false,
validSchemaController: SchemaController.SchemaController
): Promise<any> {
try {
Utils.checkProhibitedKeywords(this.options, object);
} catch (error) {
return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
}
// Make a copy of the object, so we don't mutate the incoming data.
const originalObject = object;
object = transformObjectACL(object);

23
src/RestWrite.js
View File

@@ -64,8 +64,6 @@ function RestWrite(config, auth, className, query, data, originalData, clientSDK
}
}
this.checkProhibitedKeywords(data);
// When the operation is complete, this.response may have several
// fields.
// response: the actual data to be returned
@@ -304,7 +302,11 @@ RestWrite.prototype.runBeforeSaveTrigger = function () {
delete this.data.objectId;
}
}
this.checkProhibitedKeywords(this.data);
try {
Utils.checkProhibitedKeywords(this.config, this.data);
} catch (error) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, error);
}
});
};
@@ -1798,20 +1800,5 @@ RestWrite.prototype._updateResponseWithData = function (response, data) {
return response;
};
RestWrite.prototype.checkProhibitedKeywords = function (data) {
if (this.config.requestKeywordDenylist) {
// Scan request data for denied keywords
for (const keyword of this.config.requestKeywordDenylist) {
const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
if (match) {
throw new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
`Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
);
}
}
}
};
export default RestWrite;
module.exports = RestWrite;

21
src/Routers/FilesRouter.js
View File

@@ -175,22 +175,13 @@ export class FilesRouter {
const base64 = req.body.toString('base64');
const file = new Parse.File(filename, { base64 }, contentType);
const { metadata = {}, tags = {} } = req.fileData || {};
if (req.config && req.config.requestKeywordDenylist) {
try {
// Scan request data for denied keywords
for (const keyword of req.config.requestKeywordDenylist) {
const match =
Utils.objectContainsKeyValue(metadata, keyword.key, keyword.value) ||
Utils.objectContainsKeyValue(tags, keyword.key, keyword.value);
if (match) {
next(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
`Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
)
);
return;
}
}
Utils.checkProhibitedKeywords(config, metadata);
Utils.checkProhibitedKeywords(config, tags);
} catch (error) {
next(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
return;
}
file.setTags(tags);
file.setMetadata(metadata);

12
src/Utils.js
View File

@@ -358,6 +358,18 @@ class Utils {
}
return false;
}
static checkProhibitedKeywords(config, data) {
if (config?.requestKeywordDenylist) {
// Scan request data for denied keywords
for (const keyword of config.requestKeywordDenylist) {
const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
if (match) {
throw `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`;
}
}
}
}
}
module.exports = Utils;