Commit Graph

1205 Commits

Author SHA1 Message Date
Manuel
066f29673a fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) (#8235) 2022-10-15 00:48:22 +02:00
Manuel
ecf0814499 fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185) 2022-09-20 22:31:19 +02:00
Manuel
6d0b2f5346 fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)) (#8182) 2022-09-20 02:18:07 +02:00
Manuel
e39d51bd32 fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144) 2022-09-02 21:13:18 +02:00
Manuel
309f64ced8 fix: protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields ([GHSA-crrq-vr9j-fxxh](https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh)) (https://github.com/parse-community/parse-server/pull/8074) (#8073) 2022-06-30 12:26:39 +02:00
Manuel
5be375dec2 fix: invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) (#8060) 2022-06-18 01:33:19 +02:00
Manuel
ba2b0a9cb9 fix: certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Game Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advise you to read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc)) 2022-06-17 18:29:26 +02:00
Manuel
af4a0417a9 fix: authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7962) 2022-05-01 02:28:16 +02:00
Manuel
0d6f9e951d fix: sensitive keyword detection may produce false positives (#7881) 2022-03-24 02:54:07 +01:00
dblythy
443a509905 feat: improved LiveQuery error logging with additional information (#7837) 2022-03-23 02:11:39 +01:00
Manuel Trezza
1593575a87 build: release 2022-03-18 15:17:12 +01:00
Manuel
e569f402b1 fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7844) 2022-03-12 14:47:23 +01:00
Manuel
971adb5438 fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7843) 2022-03-12 13:49:57 +01:00
Antoine Cormouls
f88aa2a62a feat: upgrade to MongoDB Node.js driver 4.x for MongoDB 5.0 support (#7794)
BREAKING CHANGE: The MongoDB GridStore adapter has been removed. By default, Parse Server already uses GridFS, so if you do not manually use the GridStore adapter, you can ignore this change.
2022-02-06 18:30:36 +01:00
yog27ray
315290d161 feat: add Cloud Code context to ParseObject.fetch (#7779) 2022-01-25 12:40:22 +01:00
dependabot[bot]
9082351411 fix: bump node-fetch from 2.6.1 to 3.1.1 (#7782) 2022-01-22 14:31:45 +01:00
Manuel
3b92fa1ca9 fix: schema cache not cleared in some cases (#7771) 2022-01-13 03:04:49 +01:00
ThornWu
5af6e5dfaa fix: schema cache not cleared in some cases (#7678) 2022-01-13 02:03:33 +01:00
Corey
a5ffb95022 refactor: remove deprecated url.parse() method (#7751) 2022-01-06 15:26:00 +01:00
Corey
a43638f300 test: improve transaction tests to use async/await (#7759) 2022-01-04 00:49:43 +01:00
Corey
0c3feaaa17 feat: add Idempotency to Postgres (#7750) 2022-01-02 19:25:53 +01:00
Corey
7af5de4b98 test: improve PushController tests (#7760) 2022-01-02 15:51:49 +01:00
Corey
caf4a2341f feat: support postgresql protocol in database URI (#7757) 2022-01-02 15:25:43 +01:00
Corey
912edacb53 test: make GraphQL server test more reliable (#7758) 2022-01-02 14:59:00 +01:00
Corey
16b1b2a197 feat: support relativeTime query constraint on Postgres (#7747) 2022-01-02 01:10:54 +01:00
Ben Devore
6a6248b6cb fix: adding or modifying a nested property requires addField permissions (#7679) 2021-12-07 00:52:59 +01:00
Manuel
8ee0445c0a fix: unable to use objectId size higher than 19 on GraphQL API (#7722) 2021-11-27 13:36:49 +01:00
Antoine Cormouls
ed86c80772 fix: unable to use objectId size higher than 19 on GraphQL API (#7627) 2021-11-27 12:27:08 +01:00
Corey
c789f6c979 refactor: test moved to correct test group (#7717) 2021-11-25 19:16:46 +01:00
Marvin ROGER
45cc58c7e5 feat: add support for Node 16 (#7707)
BREAKING CHANGE: Removes official Node 15 support, which has reached its end-of-life date.
2021-11-18 23:37:47 +01:00
Manuel
200d4ba9a5 revert: refactor: allow ES import for cloud string if package type is module (#7691)
This reverts commit 0225340ccb.
2021-11-10 16:49:47 +01:00
Manuel
b64640c570 revert: refactor: allow ES import for cloud string if package type is module
This reverts commit 0225340ccb.
2021-11-10 16:26:20 +01:00
Samuel Denis-D'Ortun
25d5c30be2 feat: add user-defined schema and migrations (#7418) 2021-11-01 14:28:49 +01:00
Corey
090350a7a0 feat: add support for Postgres 14 (#7644) 2021-10-31 20:49:03 +01:00
Frans Bouwmeester
28fa7167e8 test: port test changes from 4.x LTS branch; upgrade spec reporter from 6.0.0 to 7.0.0 (#7667) 2021-10-30 19:21:24 +02:00
Kingtous
174886e385 fix: combined and query with relational query condition returns incorrect results (#7593) 2021-10-29 19:03:50 +02:00
Antoine Cormouls
626fad2e71 fix: setting a field to null does not delete it via GraphQL API (#7649)
BREAKING CHANGE: To delete a field via the GraphQL API, the field value has to be set to `null`. Previously, setting a field value to `null` would save a null value in the database, which was not according to the [GraphQL specs](https://spec.graphql.org/June2018/#sec-Null-Value). To delete a file field use `file: null`, the previous way of using `file: { file: null }` has become obsolete.
2021-10-27 01:33:48 +02:00
dblythy
12eb6c823b refactor: replace hardcoded error codes with references (#7546) 2021-10-18 20:19:47 +02:00
Corey
b5fc0d59db ci: enable more tests on Postgres adapter (#7641) 2021-10-18 16:51:56 +02:00
Antoine Cormouls
85ef7217b0 feat: alphabetical graphql api, fix internal reassign, enhanced Graphql schema cache system (#7344) 2021-10-11 14:51:28 +02:00
dblythy
ab1dddd406 fix: add deprecation warning for Parse.Cloud.httpRequest (#7595) 2021-10-09 05:04:12 +02:00
dblythy
68a3a87501 fix: set objects in afterFind triggers (#7311) 2021-10-09 02:34:09 +02:00
Brandon Scott
197fcbda00 refactor: modernize HTTPRequest tests (#7604) 2021-10-08 22:44:40 +02:00
dblythy
caee281bc5 fix: allow LiveQuery on Parse.Session (#7554) 2021-10-08 17:24:33 +02:00
dblythy
484c2e81ca fix: improve security by deprecating creating users with public access by default (#7319) 2021-10-08 05:24:20 +02:00
dblythy
d90c1591ad test: fix failing tests after removal of session token (#7599) 2021-09-30 13:41:04 +02:00
dblythy
834ae366f9 Merge pull request from GHSA-7pr3-p5fm-8r9x
* fix: strip sessionToken on _User LiveQuery

* delete authData

* add changelog

* Update package.json

* Update CHANGELOG.md

* add changes

* Update ParseLiveQuery.spec.js

Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
2021-09-30 04:52:12 +02:00
dblythy
8ed94421e6 fix: add support for descending sorting of full text search (#7496) 2021-09-15 16:15:08 +02:00
dblythy
0225340ccb refactor: allow ES import for cloud string if package type is module (#7560)
* allow module import for Parse Cloud

* Update .babelrc

* catch esm error

* Update ParseServer.js

* add tests

* Update CHANGELOG.md

* Update CloudCode.spec.js

Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com>
2021-09-14 14:10:37 +02:00
Manuel
24188a39a7 refactor: remove restricted session field (#7543)
* add issue bot for prs

* Update CHANGELOG.md

* Update issue-bot.yml

* remove session restriction artifacts

* Update CHANGELOG.md

* Update CHANGELOG.md
2021-09-04 03:03:46 +02:00