Commit Graph

1112 Commits

Author SHA1 Message Date
Manuel
47cfeee0ce fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg) (#8296) 2022-11-07 23:05:29 +01:00
Manuel
3d7a61ecd5 fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) (#8236) 2022-10-15 02:12:05 +02:00
Manuel
b3e7939f6b fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8186) 2022-09-20 22:32:19 +02:00
Manuel
7ca9ed0142 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8183) 2022-09-20 02:19:43 +02:00
Manuel
634c44acd1 fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8143) 2022-09-02 21:15:09 +02:00
Manuel
054f3e6ab0 fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (#8074) 2022-06-30 12:24:34 +02:00
Manuel
5f423224bd fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8059) 2022-06-18 01:29:49 +02:00
Manuel Trezza
c411c48d49 Create game_center.pem 2022-06-17 16:19:25 +02:00
Manuel Trezza
07786c1666 fix adapter 2022-06-17 16:19:25 +02:00
Manuel
1930a64e9c fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7963) 2022-05-01 02:46:57 +02:00
Manuel
d34761369e fix: sensitive keyword detection may produce false positives (#7883) 2022-03-24 02:49:39 +01:00
Manuel
886bfd7cac fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) 2022-03-12 00:19:31 +01:00
Frans Bouwmeester
065facdc53 test: fix failing tests on 4.x LTS branch (#7661) 2021-10-30 19:19:54 +02:00
dblythy
4ac4b7f710 Merge pull request from GHSA-7pr3-p5fm-8r9x
* fix: LQ deletes session token

* add 4.10.4

* add changes
2021-09-30 04:52:12 +02:00
Kartal Kaan Bozdoğan
6ae5835b19 Merge pull request from GHSA-xqp8-w826-hh6x
* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
2021-09-02 12:46:48 +02:00
Manuel
f3133acf21 Release 4.10.1 (#7508)
* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR #7464)

* fix Twitter API oauth Error (PR #7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83dd15eee379d9b258f02ac14e4950415835.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR #7457)

* Update CHANGELOG.md
2021-08-23 13:53:33 +02:00
Manuel
1306da7454 Merge pull request from GHSA-23r4-5mxp-c7g5 2021-08-18 22:24:29 +02:00
Diamond Lewis
033a0bd443 Fix Prettier (#7066) 2020-12-13 11:19:04 -06:00
Snyk bot
d20b03c7e6 [Snyk] Upgrade mongodb from 3.6.2 to 3.6.3 (#7026)
* fix: upgrade mongodb from 3.6.2 to 3.6.3

Snyk has created this PR to upgrade mongodb from 3.6.2 to 3.6.3.

See this package in npm:
https://www.npmjs.com/package/mongodb

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

* Bump mongo to 4.4.0

* fix tests

* disable fast fail

* fix fail fast

* revert changes

* await tests and wait for replication

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
2020-12-10 10:02:26 -08:00
Zach Goldberg
abdfe61b82 Properly handle serverURL and publicServerUrl in Batch requests #6980 (#7049)
* fix: detect if the caller is accessing us via local or parse for batch requests (#6980)

* chore: minor cleanup from PR
2020-12-09 14:16:24 -06:00
Diamond Lewis
ca1b78220f Prevent invalid column names (className and length) (#7053)
* Prevent invalid column names

* remove className as invalid

* remove className from beforeSave hook response

* improve tests
2020-12-09 12:19:15 -06:00
Antoine Cormouls
b398894341 Remove viewer from logout (#7029) 2020-12-07 15:45:51 -08:00
Antoine Cormouls
88e958a75f Prettier some files + opti object relation (#7044) 2020-12-06 20:25:08 -08:00
dblythy
b13a6a4ed2 feat: include sessionToken in onLiveQueryEvent (#7043)
* feat: include user in onLiveQueryEvent

* Update ParseLiveQuery.spec.js

* increase coverage

* add space

* Update ParseLiveQuery.spec.js

* remove user from runLiveQueryEventHandlers
2020-12-03 18:36:41 -06:00
Antonio Davi Macedo Coelho de Castro
54a61b7694 GitHub actions (#7035)
* Trying to setup GitHub Actions

* Try to fix the workflow steps

* Fix NODE_VERSION

* Fix services

* Fix services 2

* Fix redis service, remove docker service

* Missing npm install

* Fix Use Node.js step name

* Remove greenkeeper

* I believe we do not need this command

* Try to include postgres

* Fix postgres script

* Remove before install script

* Fix postgres before script

* Try to fix connection to postgres

* Fix postgres port

* Postgres host

* Still trying to connect on postgres

* Still trying to connect on postgres - localhost

* Split postgres in a separate job

* Add postgres healthcheck

* Set postgres just like github example

* Fix postgres scripts with new credentials

* Still trying to fix postgres connection

* Now it looks like only the username is wrong

* Passing postgres password in the right way

* try to install postgis

* New attempt to install postgis

* Fix postgis image name

* Try to output tests

* We need to start mongo

* Increase tests timeout

* Fix flaky test

* Add GitHub Actions badge

* Badge as html

* Fix badge link

* Remove Travis

* try to fix coverage

* Fix flaky test

* Improve ci workflow

* Change the mongo default test version

* Fix the job name in the if clause

* Ubuntu18.0.4

* Downgrade to 4.0.21

* Fix cache keys:

* Trying with mongo 4.0.4

* Revert os and mongo versions

* remove latest node
2020-12-03 08:15:48 -08:00
Antonio Davi Macedo Coelho de Castro
da905a357d Merge pull request from GHSA-4w46-w44m-3jq3
* strip password after authentication to prevent cleartext password storage

* fixed forgotten testcase forcing ;-/

* added test to check if password is not stored in user record

Co-authored-by: Fabian Strachanski <fabian@fastr.de>
2020-12-02 13:08:02 -08:00
dblythy
e88f2e38f9 Feature: Reuse tokens if they haven't expired (#7017)
* Reuse tokens if they haven't expired

* Fix failing tests

* Update UserController.js

* Update tests

* Tests for invalid config

* restart tests
2020-11-25 09:30:52 -08:00
dblythy
0bf2e84f81 fix: consistent casing for afterLiveQueryEvent (#7023) 2020-11-24 13:58:35 -08:00
Fabian Strachanski
c958c46fa7 Add LDAPS-support to LDAP-Authcontroller (#7014)
* Add LDAPS-support to LDAP-Authcontroller

* Add Testcase that failed with valid certificate but wrong credentials to LDAP-Authcontroller

* change scope of 'error' and remove 'case undefined', because it's not needed anymore
2020-11-18 16:20:59 -08:00
Diamond Lewis
c1971b2ab1 fix(beforeSave/afterSave): Return value instead of Parse.Op for nested fields (#7005)
* fix(beforeSave): Return value instead of Parse.Op

* afterSave test

* Improve Tests

* Fixed postgres test by saveArgumentsByValue
2020-11-12 13:14:44 -08:00
Diamond Lewis
a4c84c09be fix(beforeSave): Skip Sanitizing Database results (#7003)
* fix(beforeSave): Skip Sanitizing Database results

* fix test
2020-11-11 17:39:25 -08:00
Corey
568c285369 Fix includeAll for querying a Pointer and Pointer array (#7002)
* initial test

* Add failing testcase

* fix includeAll by considering array
2020-11-11 10:57:41 -06:00
dblythy
6fc3afce71 skipWithMasterKey on Built-In Validator (#6972)
* Initial Commit

* Change to resolveMasterKey

* Change to skipWithMasterKey
2020-10-26 12:49:30 -07:00
Corey
7f3ea3fe80 Add fileKey rotation to GridFSBucketAdapter (#6768)
* add fileKey encryption to GridFSBucketStorageAdapter

* remove fileAdapter options from test spec

* ensure promise doesn't fall through in getFileData

* switch secretKey to fileKey

* add fileKey rotation for GridFSBucketAdapter

* improve catching decryption errors in testcases

* add testcase for rotating key from oldKey to noKey leaving all files decrypted

* removed fileKey from legacy test links. From the looks of the tests, the fileKey was appended to links. This key is now an encryption key

* clean up code

* make more consistent with FSAdapter

* use encryptionKey instead of fileKey

* Update ParseFile.spec.js

revert
2020-10-25 22:17:43 -07:00
Diamond Lewis
74ba81104e Remove unused parameter in Cloud Function (#6969) 2020-10-25 22:41:23 -05:00
Diamond Lewis
e6ac3b6932 fix(prettier): Properly handle lint-stage files (#6970)
Now handles top level files and recursive files in folders.

Set max line length to be 100
2020-10-25 15:06:58 -05:00
dblythy
c2f2281e6d Validation Handler Update (#6968)
* Initial Commit

* Update FunctionsRouter.js

* Update FunctionsRouter.js

* Change params to fields

* Changes requested

* Fix failing tests

* More tests

* More tests

* Remove existing functionality

* Remove legacy tests

* fix array typo

* Update triggers.js

* Docs

* Allow requireUserKeys to be object

* validateMasterKey

* Improve documentation

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
2020-10-25 12:36:54 -05:00
Diamond Lewis
e89cf25bc2 fix(directAccess): Properly handle response status (#6966)
* fix(directAccess): Properly handle response status

* clean up

* handle status in batch
2020-10-25 12:34:50 -05:00
dblythy
68a1b30275 Show a message if cloud functions are duplicated (#6963)
* Update triggers.js

* Update CloudCode.spec.js

* Logger changes

* Update CloudCode.spec.js
2020-10-22 20:06:25 -05:00
dblythy
c68d05512f Pass request.query to afterFind (#6960)
* Initial Commit

* Update triggers.js
2020-10-21 21:40:40 -05:00
Antonio Davi Macedo Coelho de Castro
78b59fb26b Merge pull request from GHSA-2xm2-xj2q-qgpj
* Test case and fixes

* Change requestTimeout default to 5s

* Document new function argument
2020-10-21 16:32:07 -07:00
dblythy
ef2e54c39d LiveQueryEvent Error Logging Improvements (#6951)
* LiveQueryEvent Improvements

* Update ParseLiveQueryServer.js

* Update ParseLiveQueryServer.js

* More Tests

* Update ParseLiveQueryServer.js

* Pass thrown errors to subscription

* Update ParseLiveQueryServer.js

* Update ParseLiveQueryServer.js

* Remove ACL error
2020-10-21 16:50:21 -05:00
Diamond Lewis
72428dce0f fix(jobs): Add Error Message to JobStatus Failure (#6954) 2020-10-20 14:55:24 -07:00
dblythy
bf39cd68ef Create Cloud function afterLiveQueryEvent (#6859)
* Before Connect + Before Subscribe #1

* Cleanup and Documentation

* Add E2E tests

* Bump parse to 2.15.0

* Create afterLiveQueryEvent

* Revert "Create afterLiveQueryEvent"

This reverts commit 828c678a6995216b843a75f5b3c864aec063ba43.

* afterLiveQueryEvent

* Add delete event

* Fix failing tests

* Fix lint

* Update ParseLiveQueryServer.js

* Remove Facebook AccountKit auth (#6870)

* Remove Facebook AccountKit auth

Account Kit services are no longer available.

https://developers.facebook.com/blog/post/2019/09/09/account-kit-services-no-longer-available-starting-march/

https://www.sinch.com/blog/facebook-account-kit-is-closing-down-are-your-apps-covered/

* remove flaky test

* fix: upgrade uuid from 8.2.0 to 8.3.0 (#6865)

Snyk has created this PR to upgrade uuid from 8.2.0 to 8.3.0.

See this package in npm:
https://www.npmjs.com/package/uuid

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#6864)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-590103

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade ldapjs from 2.0.0 to 2.1.0 (#6857)

Snyk has created this PR to upgrade ldapjs from 2.0.0 to 2.1.0.

See this package in npm:
https://www.npmjs.com/package/ldapjs

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade apollo-server-express from 2.15.1 to 2.16.0 (#6851)

Snyk has created this PR to upgrade apollo-server-express from 2.15.1 to 2.16.0.

See this package in npm:
https://www.npmjs.com/package/apollo-server-express

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13 (#6845)

Snyk has created this PR to upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/stitch

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/utils from 6.0.12 to 6.0.13 (#6846)

Snyk has created this PR to upgrade @graphql-tools/utils from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/utils

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* [Snyk] Upgrade winston from 3.2.1 to 3.3.2 (#6799)

* fix: upgrade winston from 3.2.1 to 3.3.2

Snyk has created this PR to upgrade winston from 3.2.1 to 3.3.2.

See this package in NPM:
https://www.npmjs.com/package/winston

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

* fix tests

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* afterLiveQueryEvent

* Add delete event

* Fix failing tests

* Before Connect + Before Subscribe #1

* Cleanup and Documentation

* Create afterLiveQueryEvent

* Revert "Create afterLiveQueryEvent"

This reverts commit 828c678a6995216b843a75f5b3c864aec063ba43.

* Update ParseLiveQueryServer.js

* Rebase

* Remove return value / deduplicate tests

* Add docs

* Add additional data to trigger

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
2020-10-19 10:38:55 -05:00
Antonio Davi Macedo Coelho de Castro
755c612fd8 Update vkontakte API to the latest version (#6944)
* Update vkontakte API to the latest version

* Allow developers to set the api version (optional)
2020-10-15 15:24:36 -07:00
Kevin Kuang
9d836ee87b Use an empty object as default value of options for Google Sign in (#6844)
* Use an empty object as default value of options for Google Sign in

* add test case

* Update test case to specifically for google auth
2020-10-14 20:17:10 -07:00
Corey
de7ec58de3 Postgres: prepend className to unique indexes (#6741)
* prepend className to unique index to allow multiple unique indexes for different classes

* add testcase

* switched test so it can be tested on older versions of parse-server and show failure

* get rid of console log messages on restart by checking if the index exists before creating it

* add IF NOT EXISTS and IF EXISTS to ALTER TABLE

* revert some of code

* ensureIndex use IF NOT EXISTS

* ALTER TABLE CONSTRAINT can't use IF, ADD/DROP COLUMN can

* retesting

* update

* switched to CREATE UNIQUE INDEX instead of ALTER TABLE... ALTER TABLE doesn't seem to be needed
2020-10-11 22:47:45 -07:00
Antoine Cormouls
5693470101 transform input types also on user mutations (#6934) 2020-10-09 08:40:30 -07:00
Danaru
84896dbeec Set objectId into query for Email Validation (#6930)
* Retrieve user concerned by email verification and set objectId into query

* Linter ok

* Testing live query fired when email validation done

* Setting objectId into query if user exists

* Setting objectId into query if user exists
2020-10-09 08:21:34 -07:00
Antoine Cormouls
62048260c9 GraphQL: Optimize queries, fixes some null returns (on object), fix stitched GraphQLUpload (#6709)
* Optimize query, fixes some null returns, fix stitched GraphQLUpload

* Fix authData key selection

* Prefer Iso string since other GraphQL solutions use this format

* fix tests

Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
2020-10-01 15:19:26 -07:00