fix: Parse Pointer allows to access internal Parse Server classes and circumvent beforeFind query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q)

Manuel
2023-09-04 14:19:48 +02:00
committed by GitHub
parent 328918178f
commit be4c7e23c6
12 changed files with 414 additions and 224 deletions


@@ -48,7 +48,7 @@ export class UserController extends AdaptableController {
}
}
verifyEmail(username, token) {
async verifyEmail(username, token) {
if (!this.shouldVerifyEmails) {
// Trying to verify email when not enabled
// TODO: Better error here.
@@ -70,8 +70,14 @@ export class UserController extends AdaptableController {
updateFields._email_verify_token_expires_at = { __op: 'Delete' };
}
const maintenanceAuth = Auth.maintenance(this.config);
var findUserForEmailVerification = new RestQuery(this.config, maintenanceAuth, '_User', {
username,
var findUserForEmailVerification = await RestQuery({
method: RestQuery.Method.get,
config: this.config,
auth: maintenanceAuth,
className: '_User',
restWhere: {
username,
},
});
return findUserForEmailVerification.execute().then(result => {
if (result.results.length && result.results[0].emailVerified) {
@@ -110,7 +116,7 @@ export class UserController extends AdaptableController {
});
}
getUserIfNeeded(user) {
async getUserIfNeeded(user) {
if (user.username && user.email) {
return Promise.resolve(user);
}
@@ -122,7 +128,14 @@ export class UserController extends AdaptableController {
where.email = user.email;
}
var query = new RestQuery(this.config, Auth.master(this.config), '_User', where);
var query = await RestQuery({
method: RestQuery.Method.get,
config: this.config,
runBeforeFind: false,
auth: Auth.master(this.config),
className: '_User',
restWhere: where,
});
return query.execute().then(function (result) {
if (result.results.length != 1) {
throw undefined;
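Review bot: The two internal `_User` lookups now differ in whether the `beforeFind` trigger applies: the `RestQuery({...})` call in `getUserIfNeeded` passes `runBeforeFind: false`, but the one in `verifyEmail` (built with `Auth.maintenance`) does not. If `runBeforeFind` defaults to on (the default is not visible in this section), a `beforeFind` trigger registered on `_User` could alter or reject the lookup that email verification depends on. Either add `runBeforeFind: false,` to the `verifyEmail` options, or leave a comment such as `// beforeFind intentionally runs here: <reason>` so the difference reads as deliberate. Both function bodies continue outside the hunks shown.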