[Snyk] Security upgrade @graphql-yoga/node from 2.6.0 to 2.13.5

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,24 @@
+# [6.4.0-alpha.7](https://github.com/parse-community/parse-server/compare/6.4.0-alpha.6...6.4.0-alpha.7) (2023-10-25)
+
+
+### Features
+
+* Add `$setOnInsert` operator to `Parse.Server.database.update` ([#8791](https://github.com/parse-community/parse-server/issues/8791)) ([f630a45](https://github.com/parse-community/parse-server/commit/f630a45aa5e87bc73a81fded061400c199b71a29))
+
+# [6.4.0-alpha.6](https://github.com/parse-community/parse-server/compare/6.4.0-alpha.5...6.4.0-alpha.6) (2023-10-18)
+
+
+### Bug Fixes
+
+* Security bump @babel/traverse from 7.20.5 to 7.23.2 ([#8777](https://github.com/parse-community/parse-server/issues/8777)) ([2d6b3d1](https://github.com/parse-community/parse-server/commit/2d6b3d18499179e99be116f25c0850d3f449509c))
+
+# [6.4.0-alpha.5](https://github.com/parse-community/parse-server/compare/6.4.0-alpha.4...6.4.0-alpha.5) (2023-10-14)
+
+
+### Bug Fixes
+
+* Context not passed to Cloud Code Trigger `beforeFind` when using `Parse.Query.include` ([#8765](https://github.com/parse-community/parse-server/issues/8765)) ([7d32d89](https://github.com/parse-community/parse-server/commit/7d32d8934f3ae7af7a7d8b9cc6a829c7d73973d3))
+
 # [6.4.0-alpha.4](https://github.com/parse-community/parse-server/compare/6.4.0-alpha.3...6.4.0-alpha.4) (2023-09-29)
 
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "6.4.0-alpha.4",
+  "version": "6.4.0-alpha.7",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -23,7 +23,7 @@
     "@graphql-tools/merge": "8.4.1",
     "@graphql-tools/schema": "9.0.4",
     "@graphql-tools/utils": "8.12.0",
-    "@graphql-yoga/node": "2.6.0",
+    "@graphql-yoga/node": "2.13.5",
     "@parse/fs-files-adapter": "1.2.2",
     "@parse/push-adapter": "4.2.0",
     "bcryptjs": "2.4.3",

spec/.eslintrc.json

@@ -15,6 +15,7 @@
       "equal": true,
       "expectAsync": true,
       "notEqual": true,
+      "it_id": true,
       "it_only_db": true,
       "it_only_mongodb_version": true,
       "it_only_postgres_version": true,

spec/CloudCode.spec.js

@@ -2510,6 +2510,31 @@ describe('beforeFind hooks', () => {
     expect(res2.get('pointerFieldArray')[0].get('aField')).toBe('aFieldValue');
     expect(spy).toHaveBeenCalledTimes(2);
   });
+
+  it('should have access to context in include query in beforeFind hook', async () => {
+    let beforeFindTestObjectCalled = false;
+    let beforeFindTestObject2Called = false;
+    const obj1 = new Parse.Object('TestObject');
+    const obj2 = new Parse.Object('TestObject2');
+    obj2.set('aField', 'aFieldValue');
+    await obj2.save();
+    obj1.set('pointerField', obj2);
+    await obj1.save();
+    Parse.Cloud.beforeFind('TestObject', req => {
+      expect(req.context).toBeDefined();
+      expect(req.context.a).toEqual('a');
+      beforeFindTestObjectCalled = true;
+    });
+    Parse.Cloud.beforeFind('TestObject2', req => {
+      expect(req.context).toBeDefined();
+      expect(req.context.a).toEqual('a');
+      beforeFindTestObject2Called = true;
+    });
+    const query = new Parse.Query('TestObject');
+    await query.include('pointerField').find({ context: { a: 'a' } });
+    expect(beforeFindTestObjectCalled).toBeTrue();
+    expect(beforeFindTestObject2Called).toBeTrue();
+  });
 });
 
 describe('afterFind hooks', () => {

spec/MongoStorageAdapter.spec.js

@@ -254,6 +254,61 @@ describe_only_db('mongo')('MongoStorageAdapter', () => {
     expect(obj.get('foo').test.date[0] instanceof Date).toBeTrue();
   });
 
+  it('upserts with $setOnInsert', async () => {
+    const uuid = require('uuid');
+    const uuid1 = uuid.v4();
+    const uuid2 = uuid.v4();
+    const schema = {
+      className: 'MyClass',
+      fields: {
+        x: { type: 'Number' },
+        count: { type: 'Number' },
+      },
+      classLevelPermissions: {},
+    };
+
+    const myClassSchema = new Parse.Schema(schema.className);
+    myClassSchema.setCLP(schema.classLevelPermissions);
+    await myClassSchema.save();
+
+    const query = {
+      x: 1,
+    };
+    const update = {
+      objectId: {
+        __op: 'SetOnInsert',
+        amount: uuid1,
+      },
+      count: {
+        __op: 'Increment',
+        amount: 1,
+      },
+    };
+    await Parse.Server.database.update(
+      'MyClass',
+      query,
+      update,
+      { upsert: true },
+    );
+    update.objectId.amount = uuid2;
+    await Parse.Server.database.update(
+      'MyClass',
+      query,
+      update,
+      { upsert: true },
+    );
+
+    const res = await Parse.Server.database.find(
+      schema.className,
+      {},
+      {},
+    );
+    expect(res.length).toBe(1);
+    expect(res[0].objectId).toBe(uuid1);
+    expect(res[0].count).toBe(2);
+    expect(res[0].x).toBe(1);
+  });
+
   it('handles updating a single object with array, object date', done => {
     const adapter = new MongoStorageAdapter({ uri: databaseURI });
 

spec/ParseFile.spec.js

@@ -1432,6 +1432,34 @@ describe('Parse.File testing', () => {
       }
     });
 
+    it('allows file without extension', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'],
+        },
+      });
+      const headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+
+      const values = ['filenamewithoutextension'];
+
+      for (const value of values) {
+        await expectAsync(
+          request({
+            method: 'POST',
+            headers: headers,
+            url: `http://localhost:8378/1/files/${value}`,
+            body: '<html></html>\n',
+          }).catch(e => {
+            throw new Error(e.data.error);
+          })
+        ).toBeResolved();
+      }
+    });
+
     it('works with array', async () => {
       await reconfigureServer({
         fileUpload: {

spec/helper.js

@@ -428,6 +428,29 @@ global.it_exclude_dbs = excluded => {
   }
 };
 
+let testExclusionList = [];
+try {
+  // Fetch test exclusion list
+  testExclusionList = require('./testExclusionList.json');
+  console.log(`Using test exclusion list with ${testExclusionList.length} entries`);
+} catch(error) {
+  if(error.code !== 'MODULE_NOT_FOUND') {
+    throw error;
+  }
+}
+
+// Disable test if its UUID is found in testExclusionList
+global.it_id = (id, func) => {
+  if (testExclusionList.includes(id)) {
+    return xit;
+  } else {
+    if(func === undefined)
+      return it;
+    else
+      return func;
+  }
+};
+
 global.it_only_db = db => {
   if (
     process.env.PARSE_SERVER_TEST_DB === db ||

src/Adapters/Storage/Mongo/MongoTransform.js

@@ -986,6 +986,13 @@ function transformUpdateOperator({ __op, amount, objects }, flatten) {
         return { __op: '$inc', arg: amount };
       }
 
+    case 'SetOnInsert':
+      if (flatten) {
+        return amount;
+      } else {
+        return { __op: '$setOnInsert', arg: amount };
+      }
+
     case 'Add':
     case 'AddUnique':
       if (!(objects instanceof Array)) {

src/Controllers/DatabaseController.js

@@ -279,6 +279,9 @@ const flattenUpdateOperatorsForCreate = object => {
           }
           object[key] = object[key].amount;
           break;
+        case 'SetOnInsert':
+          object[key] = object[key].amount;
+          break;
         case 'Add':
           if (!(object[key].objects instanceof Array)) {
             throw new Parse.Error(Parse.Error.INVALID_JSON, 'objects to add must be an array');
@@ -1817,7 +1820,7 @@ class DatabaseController {
         keyUpdate &&
         typeof keyUpdate === 'object' &&
         keyUpdate.__op &&
-        ['Add', 'AddUnique', 'Remove', 'Increment'].indexOf(keyUpdate.__op) > -1
+        ['Add', 'AddUnique', 'Remove', 'Increment', 'SetOnInsert'].indexOf(keyUpdate.__op) > -1
       ) {
         // only valid ops that produce an actionable result
         // the op may have happened on a keypath

src/RestQuery.js

@@ -478,6 +478,7 @@ _UnsafeRestQuery.prototype.replaceInQuery = async function () {
     className: inQueryValue.className,
     restWhere: inQueryValue.where,
     restOptions: additionalOptions,
+    context: this.context,
   });
   return subquery.execute().then(response => {
     transformInQuery(inQueryObject, subquery.className, response.results);
@@ -537,6 +538,7 @@ _UnsafeRestQuery.prototype.replaceNotInQuery = async function () {
     className: notInQueryValue.className,
     restWhere: notInQueryValue.where,
     restOptions: additionalOptions,
+    context: this.context,
   });
 
   return subquery.execute().then(response => {
@@ -609,6 +611,7 @@ _UnsafeRestQuery.prototype.replaceSelect = async function () {
     className: selectValue.query.className,
     restWhere: selectValue.query.where,
     restOptions: additionalOptions,
+    context: this.context,
   });
 
   return subquery.execute().then(response => {
@@ -671,6 +674,7 @@ _UnsafeRestQuery.prototype.replaceDontSelect = async function () {
     className: dontSelectValue.query.className,
     restWhere: dontSelectValue.query.where,
     restOptions: additionalOptions,
+    context: this.context,
   });
 
   return subquery.execute().then(response => {
@@ -860,6 +864,7 @@ _UnsafeRestQuery.prototype.handleInclude = function () {
     this.auth,
     this.response,
     this.include[0],
+    this.context,
     this.restOptions
   );
   if (pathResponse.then) {
@@ -946,7 +951,7 @@ _UnsafeRestQuery.prototype.handleAuthAdapters = async function () {
 // Adds included values to the response.
 // Path is a list of field names.
 // Returns a promise for an augmented response.
-function includePath(config, auth, response, path, restOptions = {}) {
+function includePath(config, auth, response, path, context, restOptions = {}) {
   var pointers = findPointers(response.results, path);
   if (pointers.length == 0) {
     return response;
@@ -1026,6 +1031,7 @@ function includePath(config, auth, response, path, restOptions = {}) {
       className,
       restWhere: where,
       restOptions: includeRestOptions,
+      context: context,
     });
     return query.execute({ op: 'get' }).then(results => {
       results.className = className;

src/Routers/FilesRouter.js

@@ -159,9 +159,9 @@ export class FilesRouter {
       } else if (contentType && contentType.includes('/')) {
         extension = contentType.split('/')[1];
       }
-      extension = extension.split(' ').join('');
+      extension = extension?.split(' ')?.join('');
 
-      if (!isValidExtension(extension)) {
+      if (extension && !isValidExtension(extension)) {
         next(
           new Parse.Error(
             Parse.Error.FILE_SAVE_ERROR,