fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8143)

This commit is contained in:
Manuel
2022-09-02 21:15:09 +02:00
committed by GitHub
parent 4748e9bbd3
commit 634c44acd1
5 changed files with 140 additions and 41 deletions


@@ -378,7 +378,7 @@ describe_only(() => {
const query = new Parse.Query(TestObject);
await query.get(object.id);
expect(getSpy.calls.count()).toBe(3);
expect(getSpy.calls.count()).toBe(4);
expect(putSpy.calls.count()).toBe(1);
expect(delSpy.calls.count()).toBe(2);
@@ -397,7 +397,7 @@ describe_only(() => {
const query = new Parse.Query(TestObject);
await query.get(object.id);
expect(getSpy.calls.count()).toBe(2);
expect(getSpy.calls.count()).toBe(3);
expect(putSpy.calls.count()).toBe(1);
expect(delSpy.calls.count()).toBe(1);
@@ -420,7 +420,7 @@ describe_only(() => {
query.include('child');
await query.get(object.id);
expect(getSpy.calls.count()).toBe(4);
expect(getSpy.calls.count()).toBe(6);
expect(putSpy.calls.count()).toBe(1);
expect(delSpy.calls.count()).toBe(3);
@@ -444,7 +444,7 @@ describe_only(() => {
expect(objects.length).toBe(1);
expect(objects[0].id).toBe(child.id);
expect(getSpy.calls.count()).toBe(2);
expect(getSpy.calls.count()).toBe(3);
expect(putSpy.calls.count()).toBe(1);
expect(delSpy.calls.count()).toBe(3);