fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8182)
This commit is contained in:
Manuel
GitHub
@@ -135,4 +135,32 @@ describe('Parse.Session', () => {
|
|||||||
fail(err);
|
fail(err);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('cannot edit session with known ID', async () => {
|
||||||
|
const request = require('../lib/request');
|
||||||
|
await setupTestUsers();
|
||||||
|
const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true });
|
||||||
|
const headers = {
|
||||||
|
'X-Parse-Application-Id': 'test',
|
||||||
|
'X-Parse-Rest-API-Key': 'rest',
|
||||||
|
'X-Parse-Session-Token': second.get('sessionToken'),
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
};
|
||||||
|
const firstUser = first.get('user').id;
|
||||||
|
const secondUser = second.get('user').id;
|
||||||
|
const e = await request({
|
||||||
|
method: 'PUT',
|
||||||
|
headers,
|
||||||
|
url: `http://localhost:8378/1/sessions/${first.id}`,
|
||||||
|
body: JSON.stringify({
|
||||||
|
foo: 'bar',
|
||||||
|
user: { __type: 'Pointer', className: '_User', objectId: secondUser },
|
||||||
|
}),
|
||||||
|
}).catch(e => e.data);
|
||||||
|
expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
|
||||||
|
expect(e.error).toBe('Object not found.');
|
||||||
|
await Parse.Object.fetchAll([first, second], { useMasterKey: true });
|
||||||
|
expect(first.get('user').id).toBe(firstUser);
|
||||||
|
expect(second.get('user').id).toBe(secondUser);
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -1015,6 +1015,20 @@ RestWrite.prototype.handleSession = function () {
|
|||||||
} else if (this.data.sessionToken) {
|
} else if (this.data.sessionToken) {
|
||||||
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
|
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
|
||||||
}
|
}
|
||||||
|
if (!this.auth.isMaster) {
|
||||||
|
this.query = {
|
||||||
|
$and: [
|
||||||
|
this.query,
|
||||||
|
{
|
||||||
|
user: {
|
||||||
|
__type: 'Pointer',
|
||||||
|
className: '_User',
|
||||||
|
objectId: this.auth.user.id,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
],
|
||||||
|
};
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!this.query && !this.auth.isMaster) {
|
if (!this.query && !this.auth.isMaster) {
|
||||||
|
|||||||
Reference in New Issue
Block a user