joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request from GHSA-xqp8-w826-hh6x

Browse Source 
* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
This commit is contained in:
Kartal Kaan Bozdoğan
2021-09-02 12:46:48 +02:00
committed by GitHub
parent 0bfa6b7cc1
commit 6ae5835b19
4 changed files with 73 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@@ -1,5 +1,10 @@
# Parse Server Changelog # Parse Server Changelog
# 4.10.3
## Security Fixes
- Validate `explain` query parameter to avoid a server crash due to MongoDB bug [NODE-3463](https://jira.mongodb.org/browse/NODE-3463) (Kartal Kaan Bozdogan) [GHSA-xqp8-w826-hh6x](https://github.com/parse-community/parse-server/security/advisories/GHSA-xqp8-w826-hh6x)
# 4.10.2 # 4.10.2
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.1...4.10.2) [Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.1...4.10.2)

48
spec/ParseQuery.spec.js
View File

@@ -33,6 +33,54 @@ describe('Parse.Query testing', () => {
}); });
}); });
it_only_db('mongo')('gracefully handles invalid explain values', async () => {
// Note that anything that is not truthy (like 0) does not cause an exception, as they get swallowed up by ClassesRouter::optionsFromBody
const values = [1, 'yolo', { a: 1 }, [1, 2, 3]];
for (const value of values) {
try {
await request({
method: 'GET',
url: `http://localhost:8378/1/classes/_User?explain=${value}`,
json: true,
headers: masterKeyHeaders,
});
fail('request did not throw');
} catch (e) {
// Expect that Parse Server did not crash
expect(e.code).not.toEqual('ECONNRESET');
// Expect that Parse Server validates the explain value and does not crash;
// see https://jira.mongodb.org/browse/NODE-3463
equal(e.data.code, Parse.Error.INVALID_QUERY);
equal(e.data.error, 'Invalid value for explain');
}
// get queries (of the form '/classes/:className/:objectId' cannot have the explain key, see ClassesRouter.js)
// so it is enough that we test find queries
}
});
it_only_db('mongo')('supports valid explain values', async () => {
const values = [
false,
true,
'queryPlanner',
'executionStats',
'allPlansExecution',
// 'queryPlannerExtended' is excluded as it only applies to MongoDB Data Lake which is currently not available in our CI environment
];
for (const value of values) {
const response = await request({
method: 'GET',
url: `http://localhost:8378/1/classes/_User?explain=${value}`,
json: true,
headers: masterKeyHeaders,
});
expect(response.status).toBe(200);
if (value) {
expect(response.data.results.ok).toBe(1);
}
}
});
it('searching for null', function (done) { it('searching for null', function (done) {
const baz = new TestObject({ foo: null }); const baz = new TestObject({ foo: null });
const qux = new TestObject({ foo: 'qux' }); const qux = new TestObject({ foo: 'qux' });

19
src/Adapters/Storage/Mongo/MongoStorageAdapter.js
View File

@@ -108,6 +108,23 @@ const mongoSchemaFromFieldsAndClassNameAndCLP = (
return mongoObject; return mongoObject;
}; };
function validateExplainValue(explain) {
if (explain) {
// The list of allowed explain values is from node-mongodb-native/lib/explain.js
const explainAllowedValues = [
'queryPlanner',
'queryPlannerExtended',
'executionStats',
'allPlansExecution',
false,
true,
];
if (!explainAllowedValues.includes(explain)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Invalid value for explain');
}
}
}
export class MongoStorageAdapter implements StorageAdapter { export class MongoStorageAdapter implements StorageAdapter {
// Private // Private
_uri: string; _uri: string;
@@ -562,6 +579,7 @@ export class MongoStorageAdapter implements StorageAdapter {
query: QueryType, query: QueryType,
{ skip, limit, sort, keys, readPreference, hint, caseInsensitive, explain }: QueryOptions { skip, limit, sort, keys, readPreference, hint, caseInsensitive, explain }: QueryOptions
): Promise<any> { ): Promise<any> {
validateExplainValue(explain);
schema = convertParseSchemaToMongoSchema(schema); schema = convertParseSchemaToMongoSchema(schema);
const mongoWhere = transformWhere(className, query, schema); const mongoWhere = transformWhere(className, query, schema);
const mongoSort = _.mapKeys(sort, (value, fieldName) => const mongoSort = _.mapKeys(sort, (value, fieldName) =>
@@ -740,6 +758,7 @@ export class MongoStorageAdapter implements StorageAdapter {
hint: ?mixed, hint: ?mixed,
explain?: boolean explain?: boolean
) { ) {
validateExplainValue(explain);
let isPointerField = false; let isPointerField = false;
pipeline = pipeline.map(stage => { pipeline = pipeline.map(stage => {
if (stage.$group) { if (stage.$group) {

2
src/RestQuery.js
View File

@@ -633,7 +633,7 @@ RestQuery.prototype.runFind = function (options = {}) {
return this.config.database return this.config.database
.find(this.className, this.restWhere, findOptions, this.auth) .find(this.className, this.restWhere, findOptions, this.auth)
.then(results => { .then(results => {
if (this.className === '_User' && findOptions.explain !== true) { if (this.className === '_User' && !findOptions.explain) {
for (var result of results) { for (var result of results) {
cleanResultAuthData(result); cleanResultAuthData(result);
} }