joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)

Browse Source
This commit is contained in:
Manuel
2022-09-20 02:23:49 +02:00
committed by GitHub
parent 004faf41e4
commit 37fed3062c
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
spec/ParseSession.spec.js
View File

@@ -3,6 +3,7 @@
//
'use strict';
const request = require('../lib/request');
function setupTestUsers() {
const user1 = new Parse.User();
@@ -135,4 +136,31 @@ describe('Parse.Session', () => {
fail(err);
});
});
it('cannot edit session with known ID', async () => {
await setupTestUsers();
const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true });
const headers = {
'X-Parse-Application-Id': 'test',
'X-Parse-Rest-API-Key': 'rest',
'X-Parse-Session-Token': second.get('sessionToken'),
'Content-Type': 'application/json',
};
const firstUser = first.get('user').id;
const secondUser = second.get('user').id;
const e = await request({
method: 'PUT',
headers,
url: `http://localhost:8378/1/sessions/${first.id}`,
body: JSON.stringify({
foo: 'bar',
user: { __type: 'Pointer', className: '_User', objectId: secondUser },
}),
}).catch(e => e.data);
expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
expect(e.error).toBe('Object not found.');
await Parse.Object.fetchAll([first, second], { useMasterKey: true });
expect(first.get('user').id).toBe(firstUser);
expect(second.get('user').id).toBe(secondUser);
});
});

14
src/RestWrite.js
View File

@@ -1019,6 +1019,20 @@ RestWrite.prototype.handleSession = function () {
} else if (this.data.sessionToken) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
}
if (!this.auth.isMaster) {
this.query = {
$and: [
this.query,
{
user: {
__type: 'Pointer',
className: '_User',
objectId: this.auth.user.id,
},
},
],
};
}
}
if (!this.query && !this.auth.isMaster) {