joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8676)

Browse Source
This commit is contained in:
Manuel
2023-06-28 23:38:14 +02:00
committed by GitHub
parent f8b5a99d54
commit 31805c96ec
6 changed files with 101 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/Routers/FilesRouter.js
View File

@@ -175,22 +175,13 @@ export class FilesRouter {
const base64 = req.body.toString('base64');
const file = new Parse.File(filename, { base64 }, contentType);
const { metadata = {}, tags = {} } = req.fileData || {};
if (req.config && req.config.requestKeywordDenylist) {
try {
// Scan request data for denied keywords
for (const keyword of req.config.requestKeywordDenylist) {
const match =
Utils.objectContainsKeyValue(metadata, keyword.key, keyword.value) ||
Utils.objectContainsKeyValue(tags, keyword.key, keyword.value);
if (match) {
next(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
`Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
)
);
return;
}
}
Utils.checkProhibitedKeywords(config, metadata);
Utils.checkProhibitedKeywords(config, tags);
} catch (error) {
next(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
return;
}
file.setTags(tags);
file.setMetadata(metadata);