fix: The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see [GHSA-vm5r-c87r-pf6x](https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x) (#8372)

BREAKING CHANGE: The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting (#8372)
2023-01-05 14:26:54 +01:00
parent b7815ed80a
commit 892040dc2f
7 changed files with 19 additions and 125 deletions
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -486,6 +486,13 @@ module.exports.ParseServerOptions = {
    help: 'Starts the liveQuery server',
    action: parsers.booleanParser,
  },
+  trustProxy: {
+    env: 'PARSE_SERVER_TRUST_PROXY',
+    help:
+      'The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the <a href="https://expressjs.com/en/guide/behind-proxies.html">express trust proxy settings</a> documentation. Defaults to `false`.',
+    action: parsers.objectParser,
+    default: [],
+  },
  userSensitiveFields: {
    env: 'PARSE_SERVER_USER_SENSITIVE_FIELDS',
    help: