fix: Security upgrade to parse 7.0.1 (#9877)

Antoine Cormouls
2025-10-15 18:39:37 +02:00
committed by GitHub
parent 84cebd439e
commit abfa94cd6d
10 changed files with 230 additions and 91 deletions


@@ -175,12 +175,10 @@ describe('Vulnerabilities', () => {
},
});
});
await expectAsync(new Parse.Object('TestObject').save()).toBeRejectedWith(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
'Prohibited keyword in request data: {"key":"constructor"}.'
)
);
// The new Parse SDK handles prototype pollution prevention in .set()
// so no error is thrown, but the object prototype should not be polluted
await new Parse.Object('TestObject').save();
expect(Object.prototype.dummy).toBeUndefined();
});
it('denies creating global config with polluted data', async () => {
@@ -270,12 +268,10 @@ describe('Vulnerabilities', () => {
res.json({ success: object });
});
await Parse.Hooks.createTrigger('TestObject', 'beforeSave', hookServerURL + '/BeforeSave');
await expectAsync(new Parse.Object('TestObject').save()).toBeRejectedWith(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
'Prohibited keyword in request data: {"key":"constructor"}.'
)
);
// The new Parse SDK handles prototype pollution prevention in .set()
// so no error is thrown, but the object prototype should not be polluted
await new Parse.Object('TestObject').save();
expect(Object.prototype.dummy).toBeUndefined();
await new Promise(resolve => server.close(resolve));
});
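Review bot: The check that replaces the `toBeRejectedWith(... Parse.Error.INVALID_KEY_NAME ...)` assertion, here after `Parse.Hooks.createTrigger` and identically in the first hunk, only shows that `Object.prototype.dummy` is undefined in the test process; it no longer shows that the server refuses, or at least drops, a `constructor` key returned by a trigger. The new comment places the protection in the SDK's `.set()`, and a client that talks to the REST API directly never runs that code, so the server-side keyword denylist presumably still needs a test that does not go through the SDK (a raw request carrying the same payload, still expecting `INVALID_KEY_NAME`). In these two tests I would at minimum assert on what was stored, for example `const obj = await new Parse.Object('TestObject').save();` followed by `expect(Object.keys(obj.toJSON())).not.toContain('constructor');`. The enclosing `it` blocks start outside both hunks, so the payload and the test titles are not visible here; if a title still says the request is denied, it should be reworded to match the new behaviour.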