joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,418 Commits 2 Branches 18 Tags
0a2d412e265992d53a670011afd9d2578562adc3
Commit Graph

151 Commits

Author SHA1 Message Date
semantic-release-bot
35346525e8 chore(release): 4.10.18 [skip ci] 
## [4.10.18](https://github.com/parse-community/parse-server/compare/4.10.17...4.10.18) (2022-11-07)

### Bug Fixes

* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) ([#8296](https://github.com/parse-community/parse-server/issues/8296)) ([47cfeee](47cfeee0ce))
 2022-11-07 22:24:24 +00:00
semantic-release-bot
041e60487c chore(release): 4.10.17 [skip ci] 
## [4.10.17](https://github.com/parse-community/parse-server/compare/4.10.16...4.10.17) (2022-10-15)

### Bug Fixes

* server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) ([#8236](https://github.com/parse-community/parse-server/issues/8236)) ([3d7a61e](3d7a61ecd5))
 2022-10-15 00:25:57 +00:00
semantic-release-bot
f03bf00e5f chore(release): 4.10.16 [skip ci] 
## [4.10.16](https://github.com/parse-community/parse-server/compare/4.10.15...4.10.16) (2022-09-20)

### Bug Fixes

* authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) ([#8186](https://github.com/parse-community/parse-server/issues/8186)) ([b3e7939](b3e7939f6b))
 2022-09-20 20:56:54 +00:00
semantic-release-bot
9d502269c5 chore(release): 4.10.15 [skip ci] 
## [4.10.15](https://github.com/parse-community/parse-server/compare/4.10.14...4.10.15) (2022-09-20)

### Bug Fixes

* session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) ([#8183](https://github.com/parse-community/parse-server/issues/8183)) ([7ca9ed0](7ca9ed0142))
 2022-09-20 00:33:55 +00:00
semantic-release-bot
e29f7c0431 chore(release): 4.10.14 [skip ci] 
## [4.10.14](https://github.com/parse-community/parse-server/compare/4.10.13...4.10.14) (2022-09-02)

### Bug Fixes

* brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) ([#8143](https://github.com/parse-community/parse-server/issues/8143)) ([634c44a](634c44acd1))
 2022-09-02 19:28:55 +00:00
semantic-release-bot
4748e9bbd3 chore(release): 4.10.13 [skip ci] 
## [4.10.13](https://github.com/parse-community/parse-server/compare/4.10.12...4.10.13) (2022-06-30)

### Bug Fixes

* protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) ([#8074](https://github.com/parse-community/parse-server/issues/8074)) ([054f3e6](054f3e6ab0))
 2022-06-30 10:38:27 +00:00
semantic-release-bot
6286d2e34f chore(release): 4.10.12 [skip ci] 
## [4.10.12](https://github.com/parse-community/parse-server/compare/4.10.11...4.10.12) (2022-06-17)

### Bug Fixes

* invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) ([#8059](https://github.com/parse-community/parse-server/issues/8059)) ([5f42322](5f423224bd))
 2022-06-17 23:43:36 +00:00
semantic-release-bot
ad680bd312 chore(release): 4.10.11 [skip ci] 
## [4.10.11](https://github.com/parse-community/parse-server/compare/4.10.10...4.10.11) (2022-06-17)

### Bug Fixes

* certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc)) ([145838d](145838d2d9))
 2022-06-17 16:38:16 +00:00
semantic-release-bot
b00b0410e6 chore(release): 4.10.10 [skip ci] 
## [4.10.10](https://github.com/parse-community/parse-server/compare/4.10.9...4.10.10) (2022-05-01)

### Bug Fixes

* authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) ([#7963](https://github.com/parse-community/parse-server/issues/7963)) ([1930a64](1930a64e9c))
 2022-05-01 00:48:05 +00:00
semantic-release-bot
cd354b77a6 chore(release): 4.10.9 [skip ci] 
## [4.10.9](https://github.com/parse-community/parse-server/compare/4.10.8...4.10.9) (2022-03-28)

### Bug Fixes

* security upgrade @parse/push-adapter from 3.4.1 to 4.1.2 ([#7897](https://github.com/parse-community/parse-server/issues/7897)) ([3d80ee5](3d80ee5ec3))
 2022-03-28 02:57:17 +00:00
semantic-release-bot
bf88869578 chore(release): 4.10.8 [skip ci] 
## [4.10.8](https://github.com/parse-community/parse-server/compare/4.10.7...4.10.8) (2022-03-24)

### Bug Fixes

* sensitive keyword detection may produce false positives ([#7883](https://github.com/parse-community/parse-server/issues/7883)) ([d347613](d34761369e))
 2022-03-24 01:50:33 +00:00
Manuel
02f88f433e docs: add details to changelog (#7842) 2022-03-12 00:39:01 +01:00
semantic-release-bot
7c844772ea chore(release): 4.10.7 [skip ci] 
## [4.10.7](https://github.com/parse-community/parse-server/compare/4.10.6...4.10.7) (2022-03-11)

### Bug Fixes

* security vulnerability that allows remote code execution (ghsa p6h4 93qp jhcm) ([#7841](https://github.com/parse-community/parse-server/issues/7841)) ([886bfd7](886bfd7cac))
 2022-03-11 23:20:36 +00:00
Manuel
318c20319a ci: fix changelog file path (#7835) 2022-03-08 02:49:18 +01:00
Manuel
4bd13088e1 docs: fix changelog typo 2022-02-12 16:37:58 +01:00
Manuel
adf7d928de ci: add release automation (#7807) 2022-02-12 16:14:28 +01:00
dblythy
4ac4b7f710 Merge pull request from GHSA-7pr3-p5fm-8r9x
Some checks failed
docker / build (push) Has been cancelled
Details 
* fix: LQ deletes session token

* add 4.10.4

* add changes
 2021-09-30 04:52:12 +02:00
Kartal Kaan Bozdoğan
6ae5835b19 Merge pull request from GHSA-xqp8-w826-hh6x 
* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
 2021-09-02 12:46:48 +02:00
Manuel
0bfa6b7cc1 Release 4.10.2 (#7513) 
* move graphql-tag from devDependencies to dependencies (#7183)

* bump version

* Update CHANGELOG.md
 2021-08-24 00:46:39 +02:00
Manuel
f3133acf21 Release 4.10.1 (#7508) 
* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR #7464)

* fix Twitter API oauth Error (PR #7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83dd15eee379d9b258f02ac14e4950415835.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR #7457)

* Update CHANGELOG.md
 2021-08-23 13:53:33 +02:00
Manuel
7e1da90bb2 added changelog 2021-08-20 19:56:37 +02:00
Manuel
a3483d82c8 fix changelog skip 4.5.1 2021-08-18 23:03:09 +02:00
Manuel
1306da7454 Merge pull request from GHSA-23r4-5mxp-c7g5 2021-08-18 22:24:29 +02:00
Antonio Davi Macedo Coelho de Castro
3c00bcd791 Release 4.5.0 (#7070) 
* Release 4.5.0

* Update CHANGELOG.md

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>

* Improve braking change note

* Create a breaking changes sub-section

* Add release action

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-12-14 19:29:06 -08:00
Antonio Davi Macedo Coelho de Castro
c9832023c4 Release 4.4.0 (#6985) 2020-11-02 08:01:26 -08:00
Manuel
983121581d changed incorrect key name in apple auth adapter tests (#6861) 
* replaced client_id with clientId

* retroactively added breaking change to change log
 2020-08-25 17:24:53 +02:00
Manuel
5b71993175 improve field deletion in collection (#6823) 
* added filter to updateMany when deleting field

* added test cases

* added changelog entry
 2020-07-27 02:22:04 +02:00
Tom Fox
97f2456a28 add details of security fix (#6822) 2020-07-23 08:58:56 -07:00
Antonio Davi Macedo Coelho de Castro
3654f0280b Fix message on 4.3.0 release (#6813) 2020-07-19 23:23:15 +01:00
Antonio Davi Macedo Coelho de Castro
6f060e0909 Release 4.3.0 (#6811) 
* Release version 4.3.0

* Update CHANGELOG.md

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-07-19 10:37:36 -07:00
mess-lelouch
d69833332c Optimizing pointer CLP query decoration done by DatabaseController#addPointerPermissions (#6747) 
* Optimize CLP pointer query

* remove console log

* Update changelog

* Fix flow type checker issues

* Remove unused properties

* Fix typo, add one more test case for coverage

* Add support for CLP entry of type Object

Co-authored-by: Musa Yassin-Fort <musa.yassin@bureapr.com>
Co-authored-by: Diamond Lewis <findlewis@gmail.com>
 2020-07-17 13:14:43 -05:00
Manuel
3bd5684f67 Add idempotency (#6748) 
* added idempotency router and middleware

* added idempotency rules for routes classes, functions, jobs, installaions, users

* fixed typo

* ignore requests without header

* removed unused var

* enabled feature only for MongoDB

* changed code comment

* fixed inconsistend storage adapter specification

* Trigger notification

* Travis CI trigger

* Travis CI trigger

* Travis CI trigger

* rebuilt option definitions

* fixed incorrect import path

* added new request ID header to allowed headers

* fixed typescript typos

* add new system class to spec helper

* fixed typescript typos

* re-added postgres conn parameter

* removed postgres conn parameter

* fixed incorrect schema for index creation

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* temporarily disabling index creation to fix postgres issue

* trying to fix postgres issue

* fixed incorrect auth when writing to _Idempotency

* trying to fix postgres issue

* Travis CI trigger

* added test cases

* removed number grouping

* fixed test description

* trying to fix postgres issue

* added Github readme docs

* added change log

* refactored tests; fixed some typos

* fixed test case

* fixed default TTL value

* Travis CI Trigger

* Travis CI Trigger

* Travis CI Trigger

* added test case to increase coverage

* Trigger Travis CI

* changed configuration syntax to use regex; added test cases

* removed unused vars

* removed IdempotencyRouter

* Trigger Travis CI

* updated docs

* updated docs

* updated docs

* updated docs

* update docs

* Trigger Travis CI

* fixed coverage

* removed code comments
 2020-07-15 13:10:33 -05:00
Arthur Cinader
1045eeb700 Prep release 4.2 (#6560) 
* Prep release 4.2

* fix links, consistent formatting

* remove unnecessary credit

* add one more commit

* Fix link, remove double spaces

* add a few more commits
run npm audit fix

* little fixes

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-04-03 09:53:08 -07:00
Tom Fox
b1f1454c87 Add warning in changelog regarding upgrade to 4.0 and index creation (#6469) 
* bump version

* add the special note

* remove new version & add note about indexes to 4.0.2 & 4.0.0

* Update package-lock.json

* Update package.json

* add line break

* remove double space

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-03-05 21:42:45 +00:00
Arthur Cinader
b9742b6fb9 Prep 4.1 (#6462) 
* increment version in prep for 4.1

* changelog for 4.1

* fix security doc link

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-03-03 11:41:24 -08:00
Arthur Cinader
bde8ab6d55 Attempt to get Travis to deploy to npmjs (#6457) 
* Use deprecated skip_cleanup
as cleanup: false doesn't
appear to be working

* prepare release

* revert change to branch
 2020-03-02 10:46:07 -08:00
Arthur Cinader
cd06a02fe8 skip cleanup so we don't erase babel and stuff (#6452) 
* skip cleanup so we don't erase babel and stuff

* skip cleanup the right way!

* Add change log and bump version

* include one more commit

* remove breaking change from non breaking change.

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
 2020-02-28 17:34:19 -08:00
Arthur Cinader
4291f2b22a Prepare for 4.0 Release (#6412) 
* Preparee for 3.11.0 Release

* Little fixes

* add in newly merge pr's into the changelog.

* Remove inconsistent full stops

* bump version to 4.0

* update changelog for v 4.0

* a touch of wordmsithery.

* Nits

Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com>
 2020-02-28 15:22:38 -08:00
Arthur Cinader
fd0b535159 Case insensitive signup (#5634) 
* Always delete data after each, even for mongo.

* Add failing simple case test

* run all tests

* 1. when validating username be case insensitive

2. add _auth_data_anonymous to specialQueryKeys...whatever that is!

* More case sensitivity

1. also make email validation case insensitive
2. update comments to reflect what this change does

* wordsmithery and grammar

* first pass at a preformant case insensitive query.  mongo only so far.

* change name of parameter from insensitive to
caseInsensitive

* Postgres support

* properly handle auth data null

* wip

* use 'caseInsensitive' instead of 'insensitive' in all places.

* update commenet to reclect current plan

* skip the mystery test for now

* create case insensitive indecies for
mongo to support case insensitive
checks for email and username

* remove unneeded specialKey

* pull collation out to a function.

* not sure what i planned
to do with this test.
removing.

* remove typo

* remove another unused flag

* maintain order

* maintain order of params

* boil the ocean on param sequence
i like having explain last cause it seems
like something you would
change/remove after getting what you want
from the explain?

* add test to verify creation
and use of caseInsensitive index

* add no op func to prostgress

* get collation object from mongocollection
make flow lint happy by declaring things Object.

* fix typo

* add changelog

* kick travis

* properly reference static method

* add a test to confirm that anonymous users with
unique username that do collide when compared
insensitively can still be created.

* minot doc nits

* add a few tests to make sure our spy is working as expected
wordsmith the changelog

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
 2020-02-14 09:44:51 -08:00
Arthur Cinader
0fc811ad83 Change log and version bump for 3.10 release (#6321) 2020-01-08 09:17:35 -08:00
Antonio Davi Macedo Coelho de Castro
6edaa2e9a9 3.9.0 (#6045) 
* 3.9.0

* Update s3-files-adapter
 2019-09-12 15:31:10 -07:00
Manuel
6497ec72ed added breaking change note to 3.8 release (#6023) 
Breaking change as described here: https://github.com/parse-community/parse-server/issues/5983#issuecomment-527693465
 2019-09-03 20:31:19 -07:00
Tom Fox
48b834670d fix changelog formatting (#6009) 2019-09-01 21:55:28 -07:00
Arthur Cinader
ce2405abef Prepare for 3.8.0 (#5978) 
1. changelog
2. bumop version
3. run `nmp audit fix`
 2019-08-26 19:42:45 -07:00
Antonio Davi Macedo Coelho de Castro
fe18fe0f61 3.7.2 (#5872) 2019-07-31 02:19:01 -07:00
Antonio Davi Macedo Coelho de Castro
d4fa62ae26 3.7.1 (#5870) 2019-07-30 17:31:56 -07:00
Tom Fox
b96087ec61 3.7.0 version bump + changelog (#5854) 
* 3.7.0 version bump + changelog

* Update CHANGELOG.md
 2019-07-28 23:46:13 -07:00
Arthur Cinader
26943de778 Prepare 3.6.0 Release (#5792) 
* Re-apply "Prepare for 3.6.0 Release""

This reverts commit 08dbafe49a.

* fix link formatting

* revert mongodb-runner upgrade.

* Update CHANGELOG.md

* Fix formatting
 2019-07-11 09:22:36 -04:00
Arthur Cinader
08dbafe49a Revert "Prepare for 3.6.0 Release" 
This reverts commit 8c1124e3c4.
 2019-07-10 10:21:47 -04:00
Arthur Cinader
8c1124e3c4 Prepare for 3.6.0 Release 
also run 'npm audit fix' to address some dependency vulnerabilities
 2019-07-10 10:18:29 -04:00