Add security check (#7247)

* added Parse Server security option * added SecurityRouter * added Check class * added CheckGroup class * moved parameter validation to Utils * added CheckRunner class * added auto-run on server start * added custom security checks as Parse Server option * renamed script to check * reformat log output * added server config check * improved contributing guideline * improved contribution guide * added check security log * improved log format * added checks * fixed log fomat typo * added database checks * fixed database check * removed database auth check in initial version * improved contribution guide * added security check tests * fixed typo * improved wording guidelines * improved wording guidelines
2021-03-10 20:19:28 +01:00
parent 36c2608400
commit bee889a329
17 changed files with 1096 additions and 2 deletions
--- a/src/Security/CheckGroups/CheckGroupServerConfig.js
+++ b/src/Security/CheckGroups/CheckGroupServerConfig.js
@@ -0,0 +1,65 @@
+/**
+ * @module SecurityCheck
+ */
+
+import { Check } from '../Check';
+import CheckGroup from '../CheckGroup';
+import Config from '../../Config';
+import Parse from 'parse/node';
+
+/**
+* The security checks group for Parse Server configuration.
+* Checks common Parse Server parameters such as access keys.
+*/
+class CheckGroupServerConfig extends CheckGroup {
+  setName() {
+    return 'Parse Server Configuration';
+  }
+  setChecks() {
+    const config = Config.get(Parse.applicationId);
+    return [
+      new Check({
+        title: 'Secure master key',
+        warning: 'The Parse Server master key is insecure and vulnerable to brute force attacks.',
+        solution: 'Choose a longer and/or more complex master key with a combination of upper- and lowercase characters, numbers and special characters.',
+        check: () => {
+          const masterKey = config.masterKey;
+          const hasUpperCase = /[A-Z]/.test(masterKey);
+          const hasLowerCase = /[a-z]/.test(masterKey);
+          const hasNumbers = /\d/.test(masterKey);
+          const hasNonAlphasNumerics = /\W/.test(masterKey);
+          // Ensure length
+          if (masterKey.length < 14) {
+            throw 1;
+          }
+          // Ensure at least 3 out of 4 requirements passed
+          if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
+            throw 1;
+          }
+        },
+      }),
+      new Check({
+        title: 'Security log disabled',
+        warning: 'Security checks in logs may expose vulnerabilities to anyone access to logs.',
+        solution: 'Change Parse Server configuration to \'security.enableCheckLog: false\'.',
+        check: () => {
+          if (config.security && config.security.enableCheckLog) {
+            throw 1;
+          }
+        },
+      }),
+      new Check({
+        title: 'Client class creation disabled',
+        warning: 'Attackers are allowed to create new classes without restriction and flood the database.',
+        solution: 'Change Parse Server configuration to \'allowClientClassCreation: false\'.',
+        check: () => {
+          if (config.allowClientClassCreation || config.allowClientClassCreation == null) {
+            throw 1;
+          }
+        },
+      }),
+    ];
+  }
+}
+
+module.exports = CheckGroupServerConfig;