Skip to content

Commit

Permalink
fix: session object properties can be updated by foreign user; this f…
Browse files Browse the repository at this point in the history
…ixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] (parse-community#8180)
  • Loading branch information
mtrezza authored Sep 20, 2022
1 parent 004faf4 commit 37fed30
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 0 deletions.
28 changes: 28 additions & 0 deletions spec/ParseSession.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
//

'use strict';
const request = require('../lib/request');

function setupTestUsers() {
const user1 = new Parse.User();
Expand Down Expand Up @@ -135,4 +136,31 @@ describe('Parse.Session', () => {
fail(err);
});
});

it('cannot edit session with known ID', async () => {
await setupTestUsers();
const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true });
const headers = {
'X-Parse-Application-Id': 'test',
'X-Parse-Rest-API-Key': 'rest',
'X-Parse-Session-Token': second.get('sessionToken'),
'Content-Type': 'application/json',
};
const firstUser = first.get('user').id;
const secondUser = second.get('user').id;
const e = await request({
method: 'PUT',
headers,
url: `http://localhost:8378/1/sessions/${first.id}`,
body: JSON.stringify({
foo: 'bar',
user: { __type: 'Pointer', className: '_User', objectId: secondUser },
}),
}).catch(e => e.data);
expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
expect(e.error).toBe('Object not found.');
await Parse.Object.fetchAll([first, second], { useMasterKey: true });
expect(first.get('user').id).toBe(firstUser);
expect(second.get('user').id).toBe(secondUser);
});
});
14 changes: 14 additions & 0 deletions src/RestWrite.js
Original file line number Diff line number Diff line change
Expand Up @@ -1019,6 +1019,20 @@ RestWrite.prototype.handleSession = function () {
} else if (this.data.sessionToken) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
}
if (!this.auth.isMaster) {
this.query = {
$and: [
this.query,
{
user: {
__type: 'Pointer',
className: '_User',
objectId: this.auth.user.id,
},
},
],
};
}
}

if (!this.query && !this.auth.isMaster) {
Expand Down

0 comments on commit 37fed30

Please sign in to comment.