Merge remote-tracking branch 'upstream/alpha' into alpha
This commit is contained in:
Manuel Trezza
@@ -1,3 +1,10 @@
|
|||||||
|
# [7.1.0-alpha.12](https://github.com/parse-community/parse-server/compare/7.1.0-alpha.11...7.1.0-alpha.12) (2024-06-30)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* SQL injection when using Parse Server with PostgreSQL; fixes security vulnerability [GHSA-c2hr-cqg6-8j6r](https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r) ([#9167](https://github.com/parse-community/parse-server/issues/9167)) ([2edf1e4](https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3))
|
||||||
|
|
||||||
# [7.1.0-alpha.11](https://github.com/parse-community/parse-server/compare/7.1.0-alpha.10...7.1.0-alpha.11) (2024-06-29)
|
# [7.1.0-alpha.11](https://github.com/parse-community/parse-server/compare/7.1.0-alpha.10...7.1.0-alpha.11) (2024-06-29)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
4
package-lock.json
generated
4
package-lock.json
generated
@@ -1,12 +1,12 @@
|
|||||||
{
|
{
|
||||||
"name": "parse-server",
|
"name": "parse-server",
|
||||||
"version": "7.1.0-alpha.11",
|
"version": "7.1.0-alpha.12",
|
||||||
"lockfileVersion": 2,
|
"lockfileVersion": 2,
|
||||||
"requires": true,
|
"requires": true,
|
||||||
"packages": {
|
"packages": {
|
||||||
"": {
|
"": {
|
||||||
"name": "parse-server",
|
"name": "parse-server",
|
||||||
"version": "7.1.0-alpha.11",
|
"version": "7.1.0-alpha.12",
|
||||||
"hasInstallScript": true,
|
"hasInstallScript": true,
|
||||||
"license": "Apache-2.0",
|
"license": "Apache-2.0",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "parse-server",
|
"name": "parse-server",
|
||||||
"version": "7.1.0-alpha.11",
|
"version": "7.1.0-alpha.12",
|
||||||
"description": "An express module providing a Parse-compatible API server",
|
"description": "An express module providing a Parse-compatible API server",
|
||||||
"main": "lib/index.js",
|
"main": "lib/index.js",
|
||||||
"repository": {
|
"repository": {
|
||||||
@@ -125,6 +125,7 @@
|
|||||||
"test:mongodb:5.3.2": "npm run test:mongodb --dbversion=5.3.2",
|
"test:mongodb:5.3.2": "npm run test:mongodb --dbversion=5.3.2",
|
||||||
"test:mongodb:6.0.2": "npm run test:mongodb --dbversion=6.0.2",
|
"test:mongodb:6.0.2": "npm run test:mongodb --dbversion=6.0.2",
|
||||||
"test:mongodb:7.0.1": "npm run test:mongodb --dbversion=7.0.1",
|
"test:mongodb:7.0.1": "npm run test:mongodb --dbversion=7.0.1",
|
||||||
|
"test:postgres:testonly": "cross-env PARSE_SERVER_TEST_DB=postgres PARSE_SERVER_TEST_DATABASE_URI=postgres://postgres:password@localhost:5432/parse_server_postgres_adapter_test_database npm run testonly",
|
||||||
"pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} mongodb-runner start -t ${MONGODB_TOPOLOGY} --version ${MONGODB_VERSION} -- --port 27017",
|
"pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} mongodb-runner start -t ${MONGODB_TOPOLOGY} --version ${MONGODB_VERSION} -- --port 27017",
|
||||||
"testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 jasmine",
|
"testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=5.3.2} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} TESTING=1 jasmine",
|
||||||
"test": "npm run testonly",
|
"test": "npm run testonly",
|
||||||
|
|||||||
@@ -2614,16 +2614,16 @@ function isAnyValueRegexStartsWith(values) {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function createLiteralRegex(remaining) {
|
function createLiteralRegex(remaining: string) {
|
||||||
return remaining
|
return remaining
|
||||||
.split('')
|
.split('')
|
||||||
.map(c => {
|
.map(c => {
|
||||||
const regex = RegExp('[0-9 ]|\\p{L}', 'u'); // Support all unicode letter chars
|
const regex = RegExp('[0-9 ]|\\p{L}', 'u'); // Support all Unicode letter chars
|
||||||
if (c.match(regex) !== null) {
|
if (c.match(regex) !== null) {
|
||||||
// don't escape alphanumeric characters
|
// Don't escape alphanumeric characters
|
||||||
return c;
|
return c;
|
||||||
}
|
}
|
||||||
// escape everything else (single quotes with single quotes, everything else with a backslash)
|
// Escape everything else (single quotes with single quotes, everything else with a backslash)
|
||||||
return c === `'` ? `''` : `\\${c}`;
|
return c === `'` ? `''` : `\\${c}`;
|
||||||
})
|
})
|
||||||
.join('');
|
.join('');
|
||||||
@@ -2633,14 +2633,14 @@ function literalizeRegexPart(s: string) {
|
|||||||
const matcher1 = /\\Q((?!\\E).*)\\E$/;
|
const matcher1 = /\\Q((?!\\E).*)\\E$/;
|
||||||
const result1: any = s.match(matcher1);
|
const result1: any = s.match(matcher1);
|
||||||
if (result1 && result1.length > 1 && result1.index > -1) {
|
if (result1 && result1.length > 1 && result1.index > -1) {
|
||||||
// process regex that has a beginning and an end specified for the literal text
|
// Process Regex that has a beginning and an end specified for the literal text
|
||||||
const prefix = s.substring(0, result1.index);
|
const prefix = s.substring(0, result1.index);
|
||||||
const remaining = result1[1];
|
const remaining = result1[1];
|
||||||
|
|
||||||
return literalizeRegexPart(prefix) + createLiteralRegex(remaining);
|
return literalizeRegexPart(prefix) + createLiteralRegex(remaining);
|
||||||
}
|
}
|
||||||
|
|
||||||
// process regex that has a beginning specified for the literal text
|
// Process Regex that has a beginning specified for the literal text
|
||||||
const matcher2 = /\\Q((?!\\E).*)$/;
|
const matcher2 = /\\Q((?!\\E).*)$/;
|
||||||
const result2: any = s.match(matcher2);
|
const result2: any = s.match(matcher2);
|
||||||
if (result2 && result2.length > 1 && result2.index > -1) {
|
if (result2 && result2.length > 1 && result2.index > -1) {
|
||||||
@@ -2650,14 +2650,18 @@ function literalizeRegexPart(s: string) {
|
|||||||
return literalizeRegexPart(prefix) + createLiteralRegex(remaining);
|
return literalizeRegexPart(prefix) + createLiteralRegex(remaining);
|
||||||
}
|
}
|
||||||
|
|
||||||
// remove all instances of \Q and \E from the remaining text & escape single quotes
|
// Remove problematic chars from remaining text
|
||||||
return s
|
return s
|
||||||
|
// Remove all instances of \Q and \E
|
||||||
.replace(/([^\\])(\\E)/, '$1')
|
.replace(/([^\\])(\\E)/, '$1')
|
||||||
.replace(/([^\\])(\\Q)/, '$1')
|
.replace(/([^\\])(\\Q)/, '$1')
|
||||||
.replace(/^\\E/, '')
|
.replace(/^\\E/, '')
|
||||||
.replace(/^\\Q/, '')
|
.replace(/^\\Q/, '')
|
||||||
.replace(/([^'])'/g, `$1''`)
|
// Ensure even number of single quote sequences by adding an extra single quote if needed;
|
||||||
.replace(/^'([^'])/, `''$1`);
|
// this ensures that every single quote is escaped
|
||||||
|
.replace(/'+/g, match => {
|
||||||
|
return match.length % 2 === 0 ? match : match + "'";
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
var GeoPointCoder = {
|
var GeoPointCoder = {
|
||||||
|
|||||||
Reference in New Issue
Block a user