Merge pull request from GHSA-7pr3-p5fm-8r9x

* fix: strip sessionToken on _User LiveQuery * delete authData * add changelog * Update package.json * Update CHANGELOG.md * add changes * Update ParseLiveQuery.spec.js Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
2021-09-30 12:52:12 +10:00
parent bcbc035627
commit 834ae366f9
6 changed files with 120 additions and 4 deletions
--- a/src/LiveQuery/ParseLiveQueryServer.js
+++ b/src/LiveQuery/ParseLiveQueryServer.js
@@ -186,6 +186,14 @@ class ParseLiveQueryServer {
              deletedParseObject = res.object.toJSON();
              deletedParseObject.className = className;
            }
+            if (
+              (deletedParseObject.className === '_User' ||
+                deletedParseObject.className === '_Session') &&
+              !client.hasMasterKey
+            ) {
+              delete deletedParseObject.sessionToken;
+              delete deletedParseObject.authData;
+            }
            client.pushDelete(requestId, deletedParseObject);
          } catch (error) {
            Client.pushError(
@@ -337,6 +345,16 @@ class ParseLiveQueryServer {
              originalParseObject = res.original.toJSON();
              originalParseObject.className = res.original.className || className;
            }
+            if (
+              (currentParseObject.className === '_User' ||
+                currentParseObject.className === '_Session') &&
+              !client.hasMasterKey
+            ) {
+              delete currentParseObject.sessionToken;
+              delete originalParseObject?.sessionToken;
+              delete currentParseObject.authData;
+              delete originalParseObject?.authData;
+            }
            const functionName = 'push' + res.event.charAt(0).toUpperCase() + res.event.slice(1);
            if (client[functionName]) {
              client[functionName](requestId, currentParseObject, originalParseObject);