joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request from GHSA-7pr3-p5fm-8r9x

Browse Source 
* fix: strip sessionToken on _User LiveQuery

* delete authData

* add changelog

* Update package.json

* Update CHANGELOG.md

* add changes

* Update ParseLiveQuery.spec.js

Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
This commit is contained in:
dblythy
2021-09-30 12:52:12 +10:00
committed by GitHub
parent bcbc035627
commit 834ae366f9
6 changed files with 120 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
CHANGELOG.md
View File

@@ -4,7 +4,8 @@ Jump directly to a version:
| 4.x | | 4.x |
|--------------------------------------| |--------------------------------------|
| [**4.10.3 (latest release)**](#4103) | | [**4.10.4 (latest release)**](#4104) |
| [4.10.3](#4103) |
| [4.10.2](#4102) | | [4.10.2](#4102) |
| [4.10.1](#4101) | | [4.10.1](#4101) |
| [4.10.0](#4100) | | [4.10.0](#4100) |
@@ -94,7 +95,7 @@ Jump directly to a version:
___ ___
## Unreleased (Master Branch) ## Unreleased (Master Branch)
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.3...master) [Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.4...master)
### Breaking Changes ### Breaking Changes
- Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the [Parse Server Option](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) `databaseOptions.enableSchemaHooks: true` to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options `enableSingleSchemaCache` and `schemaCacheTTL` have been removed. To use this feature with MongoDB, a replica set cluster with [change stream](https://docs.mongodb.com/manual/changeStreams/#availability) support is required. (Diamond Lewis, SebC) [#7214](https://github.com/parse-community/parse-server/issues/7214) - Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the [Parse Server Option](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) `databaseOptions.enableSchemaHooks: true` to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options `enableSingleSchemaCache` and `schemaCacheTTL` have been removed. To use this feature with MongoDB, a replica set cluster with [change stream](https://docs.mongodb.com/manual/changeStreams/#availability) support is required. (Diamond Lewis, SebC) [#7214](https://github.com/parse-community/parse-server/issues/7214)
@@ -156,6 +157,12 @@ ___
- Allow cloud string for ES modules (Daniel Blyth) [#7560](https://github.com/parse-community/parse-server/pull/7560) - Allow cloud string for ES modules (Daniel Blyth) [#7560](https://github.com/parse-community/parse-server/pull/7560)
- docs: Introduce deprecation ID for reference in comments and online search (Manuel Trezza) [#7562](https://github.com/parse-community/parse-server/pull/7562) - docs: Introduce deprecation ID for reference in comments and online search (Manuel Trezza) [#7562](https://github.com/parse-community/parse-server/pull/7562)
## 4.10.4
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.3...4.10.4)
### Security Fixes
- Strip out sessionToken when LiveQuery is used on Parse.User (Daniel Blyth) [GHSA-7pr3-p5fm-8r9x](https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x)
## 4.10.3 ## 4.10.3
[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.2...4.10.3) [Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.2...4.10.3)

2
package-lock.json generated
View File

@@ -1,6 +1,6 @@
{ {
"name": "parse-server", "name": "parse-server",
"version": "4.10.3", "version": "4.10.4",
"lockfileVersion": 1, "lockfileVersion": 1,
"requires": true, "requires": true,
"dependencies": { "dependencies": {

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "parse-server", "name": "parse-server",
"version": "4.10.3", "version": "4.10.4",
"description": "An express module providing a Parse-compatible API server", "description": "An express module providing a Parse-compatible API server",
"main": "lib/index.js", "main": "lib/index.js",
"repository": { "repository": {

46
spec/ParseLiveQuery.spec.js
View File

@@ -840,6 +840,52 @@ describe('ParseLiveQuery', function () {
done(); done();
}); });
it('should strip out session token in LiveQuery', async () => {
await reconfigureServer({
liveQuery: { classNames: ['_User'] },
startLiveQueryServer: true,
verbose: false,
silent: true,
});
const user = new Parse.User();
user.setUsername('username');
user.setPassword('password');
user.set('foo', 'bar');
const query = new Parse.Query(Parse.User);
query.equalTo('foo', 'bar');
const subscription = await query.subscribe();
const events = ['create', 'update', 'enter', 'leave', 'delete'];
const response = (obj, prev) => {
expect(obj.get('sessionToken')).toBeUndefined();
expect(obj.sessionToken).toBeUndefined();
expect(prev?.sessionToken).toBeUndefined();
if (prev && prev.get) {
expect(prev.get('sessionToken')).toBeUndefined();
}
};
const calls = {};
for (const key of events) {
calls[key] = response;
spyOn(calls, key).and.callThrough();
subscription.on(key, calls[key]);
}
await user.signUp();
user.unset('foo');
await user.save();
user.set('foo', 'bar');
await user.save();
user.set('yolo', 'bar');
await user.save();
await user.destroy();
await new Promise(resolve => process.nextTick(resolve));
for (const key of events) {
expect(calls[key]).toHaveBeenCalled();
}
});
afterEach(async function (done) { afterEach(async function (done) {
const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient(); const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
client.close(); client.close();

45
spec/ParseUser.spec.js
View File

@@ -3966,6 +3966,51 @@ describe('Parse.User testing', () => {
ok(model._isLinked('facebook'), 'User should be linked to facebook'); ok(model._isLinked('facebook'), 'User should be linked to facebook');
}); });
}); });
it('should strip out authdata in LiveQuery', async () => {
const provider = getMockFacebookProvider();
Parse.User._registerAuthenticationProvider(provider);
await reconfigureServer({
liveQuery: { classNames: ['_User'] },
startLiveQueryServer: true,
verbose: false,
silent: true,
});
const query = new Parse.Query(Parse.User);
query.doesNotExist('foo');
const subscription = await query.subscribe();
const events = ['create', 'update', 'enter', 'leave', 'delete'];
const response = (obj, prev) => {
expect(obj.get('authData')).toBeUndefined();
expect(obj.authData).toBeUndefined();
expect(prev?.authData).toBeUndefined();
if (prev && prev.get) {
expect(prev.get('authData')).toBeUndefined();
}
};
const calls = {};
for (const key of events) {
calls[key] = response;
spyOn(calls, key).and.callThrough();
subscription.on(key, calls[key]);
}
const user = await Parse.User._logInWith('facebook');
user.set('foo', 'bar');
await user.save();
user.unset('foo');
await user.save();
user.set('yolo', 'bar');
await user.save();
await user.destroy();
await new Promise(resolve => process.nextTick(resolve));
for (const key of events) {
expect(calls[key]).toHaveBeenCalled();
}
});
}); });
describe('Security Advisory GHSA-8w3j-g983-8jh5', function () { describe('Security Advisory GHSA-8w3j-g983-8jh5', function () {

18
src/LiveQuery/ParseLiveQueryServer.js
View File

@@ -186,6 +186,14 @@ class ParseLiveQueryServer {
deletedParseObject = res.object.toJSON(); deletedParseObject = res.object.toJSON();
deletedParseObject.className = className; deletedParseObject.className = className;
} }
if (
(deletedParseObject.className === '_User' ||
deletedParseObject.className === '_Session') &&
!client.hasMasterKey
) {
delete deletedParseObject.sessionToken;
delete deletedParseObject.authData;
}
client.pushDelete(requestId, deletedParseObject); client.pushDelete(requestId, deletedParseObject);
} catch (error) { } catch (error) {
Client.pushError( Client.pushError(
@@ -337,6 +345,16 @@ class ParseLiveQueryServer {
originalParseObject = res.original.toJSON(); originalParseObject = res.original.toJSON();
originalParseObject.className = res.original.className || className; originalParseObject.className = res.original.className || className;
} }
if (
(currentParseObject.className === '_User' ||
currentParseObject.className === '_Session') &&
!client.hasMasterKey
) {
delete currentParseObject.sessionToken;
delete originalParseObject?.sessionToken;
delete currentParseObject.authData;
delete originalParseObject?.authData;
}
const functionName = 'push' + res.event.charAt(0).toUpperCase() + res.event.slice(1); const functionName = 'push' + res.event.charAt(0).toUpperCase() + res.event.slice(1);
if (client[functionName]) { if (client[functionName]) {
client[functionName](requestId, currentParseObject, originalParseObject); client[functionName](requestId, currentParseObject, originalParseObject);