fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8674)

2023-06-28 22:57:25 +02:00
parent 150627328f
commit 3dd99dd80e
6 changed files with 101 additions and 34 deletions
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -358,6 +358,18 @@ class Utils {
    }
    return false;
  }
+
+  static checkProhibitedKeywords(config, data) {
+    if (config?.requestKeywordDenylist) {
+      // Scan request data for denied keywords
+      for (const keyword of config.requestKeywordDenylist) {
+        const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
+        if (match) {
+          throw `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`;
+        }
+      }
+    }
+  }
 }

 module.exports = Utils;