Skip to content

Commit

Permalink
fix: Remote code execution via MongoDB BSON parser through prototype …
Browse files Browse the repository at this point in the history
…pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (#8675)
  • Loading branch information
mtrezza authored Jun 28, 2023
1 parent a036071 commit 5fad292
Show file tree
Hide file tree
Showing 6 changed files with 101 additions and 33 deletions.
3 changes: 3 additions & 0 deletions .eslintrc.json
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,8 @@
"space-infix-ops": "error",
"no-useless-escape": "off",
"require-atomic-updates": "off"
},
"globals": {
"Parse": true
}
}
65 changes: 65 additions & 0 deletions spec/vulnerabilities.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,71 @@ describe('Vulnerabilities', () => {
);
});

it('denies creating global config with polluted data', async () => {
const headers = {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-Master-Key': 'test',
};
const params = {
method: 'PUT',
url: 'http://localhost:8378/1/config',
json: true,
body: {
params: {
welcomeMesssage: 'Welcome to Parse',
foo: { _bsontype: 'Code', code: 'shell' },
},
},
headers,
};
const response = await request(params).catch(e => e);
expect(response.status).toBe(400);
const text = JSON.parse(response.text);
expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
expect(text.error).toBe(
'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
);
});

it('denies direct database write wih prohibited keys', async () => {
const Config = require('../lib/Config');
const config = Config.get(Parse.applicationId);
const user = {
objectId: '1234567890',
username: 'hello',
password: 'pass',
_session_token: 'abc',
foo: { _bsontype: 'Code', code: 'shell' },
};
await expectAsync(config.database.create('_User', user)).toBeRejectedWith(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
)
);
});

it('denies direct database update wih prohibited keys', async () => {
const Config = require('../lib/Config');
const config = Config.get(Parse.applicationId);
const user = {
objectId: '1234567890',
username: 'hello',
password: 'pass',
_session_token: 'abc',
foo: { _bsontype: 'Code', code: 'shell' },
};
await expectAsync(
config.database.update('_User', { _id: user.objectId }, user)
).toBeRejectedWith(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
)
);
});

it('denies creating a hook with polluted data', async () => {
const express = require('express');
const bodyParser = require('body-parser');
Expand Down
10 changes: 10 additions & 0 deletions src/Controllers/DatabaseController.js
Original file line number Diff line number Diff line change
Expand Up @@ -467,6 +467,11 @@ class DatabaseController {
validateOnly: boolean = false,
validSchemaController: SchemaController.SchemaController
): Promise<any> {
try {
Utils.checkProhibitedKeywords(this.options, update);
} catch (error) {
return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
}
const originalQuery = query;
const originalUpdate = update;
// Make a copy of the object, so we don't mutate the incoming data.
Expand Down Expand Up @@ -797,6 +802,11 @@ class DatabaseController {
validateOnly: boolean = false,
validSchemaController: SchemaController.SchemaController
): Promise<any> {
try {
Utils.checkProhibitedKeywords(this.options, object);
} catch (error) {
return Promise.reject(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
}
// Make a copy of the object, so we don't mutate the incoming data.
const originalObject = object;
object = transformObjectACL(object);
Expand Down
23 changes: 5 additions & 18 deletions src/RestWrite.js
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,6 @@ function RestWrite(config, auth, className, query, data, originalData, clientSDK
}
}

this.checkProhibitedKeywords(data);

// When the operation is complete, this.response may have several
// fields.
// response: the actual data to be returned
Expand Down Expand Up @@ -288,7 +286,11 @@ RestWrite.prototype.runBeforeSaveTrigger = function () {
delete this.data.objectId;
}
}
this.checkProhibitedKeywords(this.data);
try {
Utils.checkProhibitedKeywords(this.config, this.data);
} catch (error) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, error);
}
});
};

Expand Down Expand Up @@ -1730,20 +1732,5 @@ RestWrite.prototype._updateResponseWithData = function (response, data) {
return response;
};

RestWrite.prototype.checkProhibitedKeywords = function (data) {
if (this.config.requestKeywordDenylist) {
// Scan request data for denied keywords
for (const keyword of this.config.requestKeywordDenylist) {
const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
if (match) {
throw new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
`Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
);
}
}
}
};

export default RestWrite;
module.exports = RestWrite;
21 changes: 6 additions & 15 deletions src/Routers/FilesRouter.js
Original file line number Diff line number Diff line change
Expand Up @@ -173,22 +173,13 @@ export class FilesRouter {
const base64 = req.body.toString('base64');
const file = new Parse.File(filename, { base64 }, contentType);
const { metadata = {}, tags = {} } = req.fileData || {};
if (req.config && req.config.requestKeywordDenylist) {
try {
// Scan request data for denied keywords
for (const keyword of req.config.requestKeywordDenylist) {
const match =
Utils.objectContainsKeyValue(metadata, keyword.key, keyword.value) ||
Utils.objectContainsKeyValue(tags, keyword.key, keyword.value);
if (match) {
next(
new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
`Prohibited keyword in request data: ${JSON.stringify(keyword)}.`
)
);
return;
}
}
Utils.checkProhibitedKeywords(config, metadata);
Utils.checkProhibitedKeywords(config, tags);
} catch (error) {
next(new Parse.Error(Parse.Error.INVALID_KEY_NAME, error));
return;
}
file.setTags(tags);
file.setMetadata(metadata);
Expand Down
12 changes: 12 additions & 0 deletions src/Utils.js
Original file line number Diff line number Diff line change
Expand Up @@ -358,6 +358,18 @@ class Utils {
}
return false;
}

static checkProhibitedKeywords(config, data) {
if (config?.requestKeywordDenylist) {
// Scan request data for denied keywords
for (const keyword of config.requestKeywordDenylist) {
const match = Utils.objectContainsKeyValue(data, keyword.key, keyword.value);
if (match) {
throw `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`;
}
}
}
}
}

module.exports = Utils;

0 comments on commit 5fad292

Please sign in to comment.