fix: Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability [GHSA-6hh7-46r2-vf29](https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29) (#9024)

2024-03-19 17:42:00 +01:00
parent 901aaf8cd3
commit 9f6e3429d3
2 changed files with 40 additions and 1 deletions
--- a/src/triggers.js
+++ b/src/triggers.js
@@ -86,6 +86,12 @@ const Category = {
 };

 function getStore(category, name, applicationId) {
+  const invalidNameRegex = /['"`]/;
+  if (invalidNameRegex.test(name)) {
+    // Prevent a malicious user from injecting properties into the store
+    return {};
+  }
+
  const path = name.split('.');
  path.splice(-1); // remove last component
  applicationId = applicationId || Parse.applicationId;
@@ -94,7 +100,7 @@ function getStore(category, name, applicationId) {
  for (const component of path) {
    store = store[component];
    if (!store) {
-      return undefined;
+      return {};
    }
  }
  return store;