Skip to content

Commit

Permalink
fix: Prototype pollution via Cloud Code Webhooks; fixes security vuln…
Browse files Browse the repository at this point in the history
  • Loading branch information
mtrezza authored Nov 9, 2022
1 parent 50a2468 commit 6c63f04
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
11 changes: 11 additions & 0 deletions spec/vulnerabilities.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,17 @@ describe('Vulnerabilities', () => {
);
});

it('denies expanding existing object with polluted keys', async () => {
const obj = await new Parse.Object('RCE', { a: { foo: [] } }).save();
await reconfigureServer({
requestKeywordDenylist: ['foo'],
});
obj.addUnique('a.foo', 'abc');
await expectAsync(obj.save()).toBeRejectedWith(
new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Prohibited keyword in request data: "foo".`)
);
});

it('denies creating a cloud trigger with polluted data', async () => {
Parse.Cloud.beforeSave('TestObject', ({ object }) => {
object.set('obj', {
Expand Down
6 changes: 5 additions & 1 deletion src/Controllers/DatabaseController.js
Original file line number Diff line number Diff line change
Expand Up @@ -1701,7 +1701,11 @@ class DatabaseController {
if (this.options && this.options.requestKeywordDenylist) {
// Scan request data for denied keywords
for (const keyword of this.options.requestKeywordDenylist) {
const match = Utils.objectContainsKeyValue({ firstKey: undefined }, keyword.key, undefined);
const match = Utils.objectContainsKeyValue(
{ [firstKey]: true, [nextPath]: true },
keyword.key,
true
);
if (match) {
throw new Parse.Error(
Parse.Error.INVALID_KEY_NAME,
Expand Down

0 comments on commit 6c63f04

Please sign in to comment.