fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)

spec/ParseSession.spec.js

@@ -3,6 +3,7 @@
 //
 
 'use strict';
+const request = require('../lib/request');
 
 function setupTestUsers() {
   const user1 = new Parse.User();
@@ -135,4 +136,31 @@ describe('Parse.Session', () => {
         fail(err);
       });
   });
+
+  it('cannot edit session with known ID', async () => {
+    await setupTestUsers();
+    const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true });
+    const headers = {
+      'X-Parse-Application-Id': 'test',
+      'X-Parse-Rest-API-Key': 'rest',
+      'X-Parse-Session-Token': second.get('sessionToken'),
+      'Content-Type': 'application/json',
+    };
+    const firstUser = first.get('user').id;
+    const secondUser = second.get('user').id;
+    const e = await request({
+      method: 'PUT',
+      headers,
+      url: `http://localhost:8378/1/sessions/${first.id}`,
+      body: JSON.stringify({
+        foo: 'bar',
+        user: { __type: 'Pointer', className: '_User', objectId: secondUser },
+      }),
+    }).catch(e => e.data);
+    expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    expect(e.error).toBe('Object not found.');
+    await Parse.Object.fetchAll([first, second], { useMasterKey: true });
+    expect(first.get('user').id).toBe(firstUser);
+    expect(second.get('user').id).toBe(secondUser);
+  });
 });