Add security check (#7247)

* added Parse Server security option * added SecurityRouter * added Check class * added CheckGroup class * moved parameter validation to Utils * added CheckRunner class * added auto-run on server start * added custom security checks as Parse Server option * renamed script to check * reformat log output * added server config check * improved contributing guideline * improved contribution guide * added check security log * improved log format * added checks * fixed log fomat typo * added database checks * fixed database check * removed database auth check in initial version * improved contribution guide * added security check tests * fixed typo * improved wording guidelines * improved wording guidelines
2021-03-10 20:19:28 +01:00
parent 36c2608400
commit bee889a329
17 changed files with 1096 additions and 2 deletions
--- a/src/Security/CheckGroups/CheckGroupDatabase.js
+++ b/src/Security/CheckGroups/CheckGroupDatabase.js
@@ -0,0 +1,47 @@
+/**
+ * @module SecurityCheck
+ */
+
+import { Check } from '../Check';
+import CheckGroup from '../CheckGroup';
+import Config from '../../Config';
+import Parse from 'parse/node';
+
+/**
+* The security checks group for Parse Server configuration.
+* Checks common Parse Server parameters such as access keys.
+*/
+class CheckGroupDatabase extends CheckGroup {
+  setName() {
+    return 'Database';
+  }
+  setChecks() {
+    const config = Config.get(Parse.applicationId);
+    const databaseAdapter = config.database.adapter;
+    const databaseUrl = databaseAdapter._uri;
+    return [
+      new Check({
+        title: 'Secure database password',
+        warning: 'The database password is insecure and vulnerable to brute force attacks.',
+        solution: 'Choose a longer and/or more complex password with a combination of upper- and lowercase characters, numbers and special characters.',
+        check: () => {
+          const password = databaseUrl.match(/\/\/\S+:(\S+)@/)[1];
+          const hasUpperCase = /[A-Z]/.test(password);
+          const hasLowerCase = /[a-z]/.test(password);
+          const hasNumbers = /\d/.test(password);
+          const hasNonAlphasNumerics = /\W/.test(password);
+          // Ensure length
+          if (password.length < 14) {
+            throw 1;
+          }
+          // Ensure at least 3 out of 4 requirements passed
+          if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
+            throw 1;
+          }
+        },
+      }),
+    ];
+  }
+}
+
+module.exports = CheckGroupDatabase;
--- a/src/Security/CheckGroups/CheckGroupServerConfig.js
+++ b/src/Security/CheckGroups/CheckGroupServerConfig.js
@@ -0,0 +1,65 @@
+/**
+ * @module SecurityCheck
+ */
+
+import { Check } from '../Check';
+import CheckGroup from '../CheckGroup';
+import Config from '../../Config';
+import Parse from 'parse/node';
+
+/**
+* The security checks group for Parse Server configuration.
+* Checks common Parse Server parameters such as access keys.
+*/
+class CheckGroupServerConfig extends CheckGroup {
+  setName() {
+    return 'Parse Server Configuration';
+  }
+  setChecks() {
+    const config = Config.get(Parse.applicationId);
+    return [
+      new Check({
+        title: 'Secure master key',
+        warning: 'The Parse Server master key is insecure and vulnerable to brute force attacks.',
+        solution: 'Choose a longer and/or more complex master key with a combination of upper- and lowercase characters, numbers and special characters.',
+        check: () => {
+          const masterKey = config.masterKey;
+          const hasUpperCase = /[A-Z]/.test(masterKey);
+          const hasLowerCase = /[a-z]/.test(masterKey);
+          const hasNumbers = /\d/.test(masterKey);
+          const hasNonAlphasNumerics = /\W/.test(masterKey);
+          // Ensure length
+          if (masterKey.length < 14) {
+            throw 1;
+          }
+          // Ensure at least 3 out of 4 requirements passed
+          if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
+            throw 1;
+          }
+        },
+      }),
+      new Check({
+        title: 'Security log disabled',
+        warning: 'Security checks in logs may expose vulnerabilities to anyone access to logs.',
+        solution: 'Change Parse Server configuration to \'security.enableCheckLog: false\'.',
+        check: () => {
+          if (config.security && config.security.enableCheckLog) {
+            throw 1;
+          }
+        },
+      }),
+      new Check({
+        title: 'Client class creation disabled',
+        warning: 'Attackers are allowed to create new classes without restriction and flood the database.',
+        solution: 'Change Parse Server configuration to \'allowClientClassCreation: false\'.',
+        check: () => {
+          if (config.allowClientClassCreation || config.allowClientClassCreation == null) {
+            throw 1;
+          }
+        },
+      }),
+    ];
+  }
+}
+
+module.exports = CheckGroupServerConfig;
--- a/src/Security/CheckGroups/CheckGroups.js
+++ b/src/Security/CheckGroups/CheckGroups.js
@@ -0,0 +1,9 @@
+/**
+ * @module SecurityCheck
+ */
+
+/**
+ * The list of security check groups.
+ */
+export { default as CheckGroupDatabase } from './CheckGroupDatabase';
+export { default as CheckGroupServerConfig } from './CheckGroupServerConfig';