Sensitive keyword detection may produce false positives #7882

Closed
4 tasks done
mtrezza opened this issue Mar 24, 2022 · 1 comment · Fixed by #7881 or #7883
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@mtrezza
Member

mtrezza commented Mar 24, 2022

New Issue Checklist

Issue Description

A security feature that rejects requests containing sensitive keywords was introduced in #7843. The detection algorithm has a bug that may produce false positives in certain cases, blocking valid, non-malicious requests and sending a 4xx HTTP error code.

The bug does not produce false negatives, which means the security protection is still intact.

Steps to reproduce

  1. Configure Parse Server with option requestKeywordDenylist: [{ key: 'abc' }].
  2. Run this:
     const obj = new TestObject({ a: { b: { c: 0 } } });
     await obj.save();
     obj.increment('a.b.c');
     await obj.save();

Actual Outcome

The second obj.save() will be rejected.

Expected Outcome

The second obj.save() should be resolved.

Environment

Server

@parse-github-assistant

parse-github-assistant bot commented Mar 24, 2022

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

@mtrezza mtrezza added the type:bug Impaired feature or lacking behavior that is likely assumed label Mar 24, 2022
@mtrezza mtrezza linked a pull request Mar 24, 2022 that will close this issue
2 tasks
@mtrezza mtrezza changed the title Sensitive keyword detection may result in false positives Sensitive keyword detection may produce false positives Mar 24, 2022
@mtrezza mtrezza linked a pull request Mar 24, 2022 that will close this issue