CVE-2022-31112: fix: protected fields exposed via LiveQuery; this removes protected f… · parse-community/parse-server@309f64c

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade should use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.


@@ -10,11 +10,18 @@ import { ParsePubSub } from './ParsePubSub’; import SchemaController from '…/Controllers/SchemaController’; import _ from 'lodash’; import { v4 as uuidv4 } from 'uuid’; import { runLiveQueryEventHandlers, getTrigger, runTrigger, resolveError, toJSONwithObjects } from '…/triggers’; import { runLiveQueryEventHandlers, getTrigger, runTrigger, resolveError, toJSONwithObjects, } from '…/triggers’; import { getAuthForSessionToken, Auth } from '…/Auth’; import { getCacheController } from '…/Controllers’; import { getCacheController, getDatabaseController } from '…/Controllers’; import LRU from 'lru-cache’; import UserRouter from '…/Routers/UsersRouter’; import DatabaseController from '…/Controllers/DatabaseController’;
class ParseLiveQueryServer { clients: Map; @@ -185,14 +192,14 @@ class ParseLiveQueryServer { if (res.object && typeof res.object.toJSON === ‘function’) { deletedParseObject = toJSONwithObjects(res.object, res.object.className || className); } if ( (deletedParseObject.className === ‘_User’ || deletedParseObject.className === ‘_Session’) && !client.hasMasterKey ) { delete deletedParseObject.sessionToken; delete deletedParseObject.authData; } await this._filterSensitiveData( classLevelPermissions, res, client, requestId, op, subscription.query ); client.pushDelete(requestId, deletedParseObject); } catch (e) { const error = resolveError(e); @@ -339,16 +346,14 @@ class ParseLiveQueryServer { res.original.className || className ); } if ( (currentParseObject.className === ‘_User’ || currentParseObject.className === ‘_Session’) && !client.hasMasterKey ) { delete currentParseObject.sessionToken; delete originalParseObject?.sessionToken; delete currentParseObject.authData; delete originalParseObject?.authData; } await this._filterSensitiveData( classLevelPermissions, res, client, requestId, op, subscription.query ); const functionName = ‘push’ + res.event.charAt(0).toUpperCase() + res.event.slice(1); if (client[functionName]) { client[functionName](requestId, currentParseObject, originalParseObject); @@ -540,6 +545,54 @@ class ParseLiveQueryServer { // return rolesQuery.find({useMasterKey:true}); }
async _filterSensitiveData( classLevelPermissions: ?any, res: any, client: any, requestId: number, op: string, query: any ) { const subscriptionInfo = client.getSubscriptionInfo(requestId); const aclGroup = [‘*’]; let clientAuth; if (typeof subscriptionInfo !== ‘undefined’) { const { userId, auth } = await this.getAuthForSessionToken(subscriptionInfo.sessionToken); if (userId) { aclGroup.push(userId); } clientAuth = auth; } const filter = obj => { if (!obj) { return; } let protectedFields = classLevelPermissions?.protectedFields || []; if (!client.hasMasterKey && !Array.isArray(protectedFields)) { protectedFields = getDatabaseController(this.config).addProtectedFields( classLevelPermissions, res.object.className, query, aclGroup, clientAuth ); } return DatabaseController.filterSensitiveData( client.hasMasterKey, aclGroup, clientAuth, op, classLevelPermissions, res.object.className, protectedFields, obj, query ); }; res.object = filter(res.object); res.original = filter(res.original); }
_getCLPOperation(query: any) { return typeof query === ‘object’ && Object.keys(query).length == 1 &&
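Review bot: in the delete hunk (@@ -185), `deletedParseObject` is derived from `res.object` (through `toJSONwithObjects` when `res.object` has a `toJSON`) before `_filterSensitiveData` runs, and `client.pushDelete(requestId, deletedParseObject)` still sends that earlier value rather than the filtered `res.object`; unless both names refer to the same object, the protected fields reach the client anyway. Call `_filterSensitiveData` first and build `deletedParseObject` from the filtered `res.object`, or push `res.object` directly.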
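Review bot: the save hunk (@@ -339) deletes the explicit `delete currentParseObject.sessionToken` / `delete currentParseObject.authData` block that covered both `_User` and `_Session` for clients without the master key, relying on `_filterSensitiveData` instead; nothing in the patch shows `DatabaseController.filterSensitiveData` stripping those two keys for `_Session` objects, so either confirm it does for that class or keep the explicit deletions for `_Session`. The ordering concern from the delete path also applies here: `currentParseObject` and `originalParseObject` are computed before the filter runs over `res.object` and `res.original`, yet they are what `client[functionName](requestId, currentParseObject, originalParseObject)` pushes.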
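Review bot: in `_filterSensitiveData` (@@ -540), `getDatabaseController(this.config).addProtectedFields(classLevelPermissions, res.object.className, query, aclGroup, clientAuth)` passes the raw CLP object in the first (schema) position; confirm that method accepts a plain CLP map rather than a schema controller, since the non-array `protectedFields` branch is the one that resolves role and pointer entries and would throw otherwise. Separately, the `filter` closure reads `res.object.className` on every call, but `res.object = filter(res.object)` has already reassigned it by the time `res.original` is filtered and it may be `undefined` when `filter` returned early; use `obj.className` or capture the class name once before the two assignments.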

Related news

GHSA-crrq-vr9j-fxxh: Protected fields exposed via LiveQuery

### Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

### Patches

The LiveQueryController now removes protected fields from the client response.

### Workarounds

Use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
- https://github.com/parse-community/parse-server

### For more information

If you have any questions or comments about this advisory:

- For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/)
- Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)
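The workaround named in both the CVE description and the advisory above is to strip protected fields yourself in `Parse.Cloud.afterLiveQueryEvent`. The following is an added example written for this page, not parse-server's code or the advisory's. It re-implements the class-level-permission `protectedFields` resolution as a pure function (the key forms `*`, `authenticated`, `role:<name>`, `<userId>` and `userField:<pointerField>`, with a field hidden only when every entry that matches the viewer lists it, are the semantics assumed here), applies the `_User`/`_Session` `sessionToken`/`authData` stripping that the pre-fix LiveQuery server did on its own, and then wires the function into the hook. The `Message` class, its CLP and the sample payload are constructed for the demo; the hook wiring assumes the handler may be `async`, that it runs once per receiving client with `request.user` set, that `request.object`/`request.original` are `Parse.Object`s whose pending `unset()` is applied before serialisation, and that roles can be queried with the master key.

```javascript
// Added example, not parse-server's own code: re-implements CLP
// "protectedFields" resolution so the advisory's workaround
// (Parse.Cloud.afterLiveQueryEvent) strips what the REST query path strips.
// Assumed semantics: a field stays hidden only when every matching entry lists it.

// True when a pointer-valued field (one pointer or an array) names the viewer.
function pointsAtViewer(value, userId) {
  const pointers = Array.isArray(value) ? value : value ? [value] : [];
  return !!userId && pointers.some(p => p && p.objectId === userId);
}

// Field names to hide from one viewer for one object.
// viewer = { useMasterKey: bool, userId: string|null, roles: [string] }
function protectedFieldsFor(protectedFields, viewer, object) {
  if (!protectedFields || viewer.useMasterKey) return [];
  const sets = [];
  for (const [key, list] of Object.entries(protectedFields)) {
    if (!Array.isArray(list)) continue;
    const matches =
      key === '*' ||
      (key === 'authenticated' && !!viewer.userId) ||
      (key.startsWith('role:') && viewer.roles.includes(key.slice(5))) ||
      (!!viewer.userId && key === viewer.userId) ||
      (key.startsWith('userField:') && pointsAtViewer(object[key.slice(10)], viewer.userId));
    if (matches) sets.push(list);
  }
  if (sets.length === 0) return [];
  // Intersection: a more specific entry can re-expose what "*" hides,
  // e.g. 'userField:author': [] lets the author see every field.
  return sets.reduce((acc, next) => acc.filter(f => next.includes(f)));
}

// Copy of a LiveQuery payload object with the protected fields removed.
function stripProtectedFields(className, object, protectedFields, viewer) {
  if (!object) return object;
  const copy = { ...object };
  // The REST path does not apply protectedFields to a user's own _User object.
  const isOwnUser = className === '_User' && !!viewer.userId && object.objectId === viewer.userId;
  if (!isOwnUser) {
    for (const field of protectedFieldsFor(protectedFields, viewer, object)) delete copy[field];
  }
  // What the pre-fix LiveQuery server already did for _User/_Session payloads:
  // never send session tokens or auth data to a client without the master key.
  if ((className === '_User' || className === '_Session') && !viewer.useMasterKey) {
    delete copy.sessionToken;
    delete copy.authData;
  }
  return copy;
}

// Hypothetical CLP for a "Message" class (assumed, not taken from the advisory).
const MESSAGE_PROTECTED_FIELDS = {
  '*': ['secret', 'draft'],
  'userField:author': [],       // the author sees every field
  'role:Moderator': ['secret'], // moderators see drafts but not secrets
};

// Constructed sample payload (not real data) for the offline demo.
const SAMPLE_MESSAGE = {
  objectId: 'msg1',
  body: 'hello',
  secret: 'credential-stored-in-a-field',
  draft: 'unpublished text',
  author: { __type: 'Pointer', className: '_User', objectId: 'uAuthor' },
};

// Field names each kind of viewer would actually receive for SAMPLE_MESSAGE.
function demo() {
  const viewers = {
    anonymous: { useMasterKey: false, userId: null, roles: [] },
    author: { useMasterKey: false, userId: 'uAuthor', roles: [] },
    moderator: { useMasterKey: false, userId: 'uMod', roles: ['Moderator'] },
    master: { useMasterKey: true, userId: null, roles: [] },
  };
  const seen = {};
  for (const [name, viewer] of Object.entries(viewers)) {
    seen[name] = Object.keys(stripProtectedFields('Message', SAMPLE_MESSAGE, MESSAGE_PROTECTED_FIELDS, viewer));
  }
  return seen;
}

// Workaround wiring for a server that still lacks the fix (assumptions: async
// hook, one invocation per receiving client with request.user set, Parse.Objects
// whose pending unset() is applied before serialisation, master-key role lookup).
// Guarded so this file also runs without the Parse SDK loaded.
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.afterLiveQueryEvent) {
  Parse.Cloud.afterLiveQueryEvent('Message', async request => {
    const viewer = { useMasterKey: !!request.useMasterKey, userId: request.user ? request.user.id : null, roles: [] };
    if (request.user) {
      const roles = await new Parse.Query(Parse.Role).equalTo('users', request.user).find({ useMasterKey: true });
      viewer.roles = roles.map(r => r.getName());
    }
    for (const obj of [request.object, request.original]) {
      if (!obj) continue;
      for (const field of protectedFieldsFor(MESSAGE_PROTECTED_FIELDS, viewer, obj.toJSON())) obj.unset(field);
    }
  });
}
```

`demo()` shows the three outcomes a subscriber can get from one payload: an anonymous client loses `secret` and `draft`, a moderator loses only `secret`, and the author (matched through the `userField:author` pointer) receives everything. If your server version serialises the trigger's object before pending operations are applied, overwrite the field with a placeholder via `set()` rather than `unset()`; the point is that the filtering happens per receiving client, before the payload leaves the server.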
