fix: invalid file request not properly handled [skip release] (#8062)
mtrezza authored Jun 18, 2022
1 parent 75af9a2 commit 4c9e956
Showing 5 changed files with 56 additions and 5 deletions.
7 changes: 7 additions & 0 deletions changelogs/CHANGELOG_release.md
@@ -1,3 +1,10 @@
## [5.2.3](https://github.com/parse-community/parse-server/compare/5.2.2...5.2.3) (2022-06-17)


### Bug Fixes

* invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server ([GHSA-xw6g-jjvf-wwf9](https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9)) ([#8060](https://github.com/parse-community/parse-server/issues/8060)) ([5be375d](https://github.com/parse-community/parse-server/commit/5be375dec2fa35425c1003ae81c55995ac72af92))

## [5.2.2](https://github.com/parse-community/parse-server/compare/5.2.1...5.2.2) (2022-06-17)


2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "parse-server",
"version": "5.2.2",
"version": "5.2.3",
"description": "An express module providing a Parse-compatible API server",
"main": "lib/index.js",
"repository": {
38 changes: 38 additions & 0 deletions spec/ParseFile.spec.js
Expand Up @@ -654,6 +654,44 @@ describe('Parse.File testing', () => {
});
});

describe('getting files', () => {
it('does not crash on file request with invalid app ID', async () => {
const res1 = await request({
url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
}).catch(e => e);
expect(res1.status).toBe(403);
expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
// Ensure server did not crash
const res2 = await request({ url: 'http://localhost:8378/1/health' });
expect(res2.status).toEqual(200);
expect(res2.data).toEqual({ status: 'ok' });
});

it('does not crash on file request with invalid path', async () => {
const res1 = await request({
url: 'http://localhost:8378/1/files/invalid-id//invalid-path/%20/invalid-file.txt',
}).catch(e => e);
expect(res1.status).toBe(403);
expect(res1.data).toEqual({ error: 'unauthorized' });
// Ensure server did not crash
const res2 = await request({ url: 'http://localhost:8378/1/health' });
expect(res2.status).toEqual(200);
expect(res2.data).toEqual({ status: 'ok' });
});

it('does not crash on file metadata request with invalid app ID', async () => {
const res1 = await request({
url: `http://localhost:8378/1/files/invalid-id/metadata/invalid-file.txt`,
});
expect(res1.status).toBe(200);
expect(res1.data).toEqual({});
// Ensure server did not crash
const res2 = await request({ url: 'http://localhost:8378/1/health' });
expect(res2.status).toEqual(200);
expect(res2.data).toEqual({ status: 'ok' });
});
});

xdescribe('Gridstore Range tests', () => {
it('supports range requests', done => {
const headers = {
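Review bot: The three new tests inside `describe('getting files', …)` each repeat the same three-line health probe under the `// Ensure server did not crash` comment, and the third test's URL is a template literal with nothing to interpolate where the first two use plain string literals. A small helper declared at the top of the describe block keeps the probe in one place, so a change to the health endpoint's response shape is edited once rather than three times, and each test body then reads as only the request under test. Each `it` would end with `await expectServerAlive();` instead of the three repeated lines. The enclosing `describe('Parse.File testing', …)` starts and ends outside the hunk.
```javascript
describe('getting files', () => {
  // Shared probe: a server that crashed on the preceding request fails here, not in the assertions above it.
  const expectServerAlive = async () => {
    const res = await request({ url: 'http://localhost:8378/1/health' });
    expect(res.status).toEqual(200);
    expect(res.data).toEqual({ status: 'ok' });
  };
  // … unchanged: the three it() cases, each ending with `await expectServerAlive();` …
```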
12 changes: 9 additions & 3 deletions src/Routers/FilesRouter.js
Expand Up @@ -66,6 +66,12 @@ export class FilesRouter {

getHandler(req, res) {
const config = Config.get(req.params.appId);
if (!config) {
res.status(403);
const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
res.json({ code: err.code, error: err.message });
return;
}
const filesController = config.filesController;
const filename = req.params.filename;
const contentType = mime.getType(filename);
Expand Down Expand Up @@ -245,10 +251,10 @@ export class FilesRouter {
}

async metadataHandler(req, res) {
const config = Config.get(req.params.appId);
const { filesController } = config;
const { filename } = req.params;
try {
const config = Config.get(req.params.appId);
const { filesController } = config;
const { filename } = req.params;
const data = await filesController.getMetadata(filename);
res.status(200);
res.json(data);
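Review bot: In the metadataHandler hunk an unknown app ID is handled only indirectly: `Config.get` returning undefined makes `const { filesController } = config;` throw a TypeError inside the `try`, and the new spec case `does not crash on file metadata request with invalid app ID` pins that path to a 200 with `{}`, while getHandler in the first hunk answers the same condition with 403 and `{ code: 119, error: 'Invalid application ID.' }`. The status for the metadata route therefore depends on whatever the catch block does (it lies outside the hunk, so this is inferred from the spec), and the two handlers disagree on whether an invalid app ID is forbidden or merely empty. Suggest the same explicit guard before the `try`, as below; the metadata spec expectation would then change to 403 to match the first test. metadataHandler's body continues past the hunk.
```javascript
  async metadataHandler(req, res) {
    const config = Config.get(req.params.appId);
    // Same guard as getHandler: an unknown app ID is a 403, not a caught TypeError.
    if (!config) {
      res.status(403);
      const err = new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
      res.json({ code: err.code, error: err.message });
      return;
    }
    try {
      const { filesController } = config;
      const { filename } = req.params;
      // … unchanged: getMetadata call and 200 response …
```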
