fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)

2022-09-20 02:23:49 +02:00
parent 004faf41e4
commit 37fed3062c
2 changed files with 42 additions and 0 deletions
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -1019,6 +1019,20 @@ RestWrite.prototype.handleSession = function () {
    } else if (this.data.sessionToken) {
      throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
    }
+    if (!this.auth.isMaster) {
+      this.query = {
+        $and: [
+          this.query,
+          {
+            user: {
+              __type: 'Pointer',
+              className: '_User',
+              objectId: this.auth.user.id,
+            },
+          },
+        ],
+      };
+    }
  }

  if (!this.query && !this.auth.isMaster) {