fix: Security upgrade jsonwebtoken to 9.0.0 #8420

dblythy · 2023-02-02T03:56:14Z

Pull Request

Report security issues confidentially.
Any contribution is under this license.
Link this pull request to an issue.

Issue

The latest JWT library prevents mocking of the decode property, which we use to determine a JWT's headers.

Closes: #8356
Closes: #8355

Approach

Add ability to mock decode

Tasks

Add tests

Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0. - [Release notes](https://github.com/auth0/node-jsonwebtoken/releases) - [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0) --- updated-dependencies: - dependency-name: jsonwebtoken dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

parse-github-assistant · 2023-02-02T03:56:17Z

Thanks for opening this pull request!

❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for essential information to quicker review the pull request.

parse-github-assistant · 2023-02-02T03:56:30Z

I will reformat the title to use the proper commit message syntax.

codecov · 2023-02-05T02:51:55Z

Codecov Report

Base: 94.16% // Head: 94.33% // Increases project coverage by +0.16% 🎉

Coverage data is based on head (ee0a040) compared to base (4450ecb).
Patch coverage: 92.85% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #8420      +/-   ##
==========================================
+ Coverage   94.16%   94.33%   +0.16%     
==========================================
  Files         181      182       +1     
  Lines       14401    14398       -3     
==========================================
+ Hits        13561    13582      +21     
+ Misses        840      816      -24

Impacted Files	Coverage Δ
src/Adapters/Auth/utils.js	`87.50% <87.50%> (ø)`
src/Adapters/Auth/apple.js	`100.00% <100.00%> (ø)`
src/Adapters/Auth/facebook.js	`90.00% <100.00%> (-0.63%)`	⬇️
src/Adapters/Auth/google.js	`92.64% <100.00%> (-0.32%)`	⬇️
src/RestWrite.js	`94.91% <0.00%> (+0.29%)`	⬆️
src/Adapters/Files/GridFSBucketAdapter.js	`94.20% <0.00%> (+0.72%)`	⬆️
src/GraphQL/transformers/mutation.js	`97.19% <0.00%> (+9.34%)`	⬆️
src/GraphQL/loaders/filesMutations.js	`80.64% <0.00%> (+38.70%)`	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

dblythy · 2023-02-05T02:55:41Z

Ready for review

mtrezza

Is this really a feat PR? It seems that the auth adapter changes would be unnoticeable for the developer, in which case this would be a refactor.

mtrezza · 2023-02-07T11:11:45Z

Sorry, I figured it should probably be a fix to trigger a new release with the upgrade; otherwise the fix will only be released with the next fix or feat commit.

mtrezza

Looks good!

# [6.0.0-alpha.32](6.0.0-alpha.31...6.0.0-alpha.32) (2023-02-07) ### Bug Fixes * Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))

parseplatformorg · 2023-02-07T11:47:30Z

🎉 This change has been released in version 6.0.0-alpha.32

# [6.1.0-beta.1](6.0.0...6.1.0-beta.1) (2023-03-02) ### Bug Fixes * Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45)) ### Features * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de)) * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e)) * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323))

parseplatformorg · 2023-03-02T10:55:19Z

🎉 This change has been released in version 6.1.0-beta.1

# [6.1.0-alpha.1](6.0.0...6.1.0-alpha.1) (2023-03-03) ### Bug Fixes * Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45)) ### Features * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de)) * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e)) * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323)) * Export `AuthAdapter` to make it available for extension with custom authentication adapters ([#8443](#8443)) ([40c1961](40c1961))

parseplatformorg · 2023-03-03T16:53:57Z

🎉 This change has been released in version 6.1.0-alpha.1

# [6.1.0](6.0.0...6.1.0) (2023-05-01) ### Bug Fixes * LiveQuery can return incorrectly formatted date ([#8456](#8456)) ([4ce135a](4ce135a)) * Nested date is incorrectly decoded as empty object `{}` when fetching a Parse Object ([#8446](#8446)) ([22d2446](22d2446)) * Parameters missing in `afterFind` trigger of authentication adapters ([#8458](#8458)) ([ce34747](ce34747)) * Rate limiting across multiple servers via Redis not working ([#8469](#8469)) ([d9e347d](d9e347d)) * Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45)) ### Features * Add `afterFind` trigger to authentication adapters ([#8444](#8444)) ([c793bb8](c793bb8)) * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de)) * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e)) * Add rate limiting across multiple servers via Redis ([#8394](#8394)) ([34833e4](34833e4)) * Allow multiple origins for header `Access-Control-Allow-Origin` ([#8517](#8517)) ([4f15539](4f15539)) * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323)) * Export `AuthAdapter` to make it available for extension with custom authentication adapters ([#8443](#8443)) ([40c1961](40c1961))

parseplatformorg · 2023-05-01T21:52:49Z

🎉 This change has been released in version 6.1.0

commit 1506273 Author: semantic-release-bot <semantic-release-bot@martynus.net> Date: Sat May 20 23:24:03 2023 +0000 chore(release): 6.2.0 [skip ci] # [6.2.0](parse-community/parse-server@6.1.0...6.2.0) (2023-05-20) ### Features * Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` ([parse-community#8538](parse-community#8538)) ([a318e7b](parse-community@a318e7b)) commit a318e7b Author: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Sun May 21 01:23:00 2023 +0200 feat: Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` (parse-community#8538) commit 832702d Author: semantic-release-bot <semantic-release-bot@martynus.net> Date: Mon May 1 21:50:23 2023 +0000 chore(release): 6.1.0 [skip ci] # [6.1.0](parse-community/parse-server@6.0.0...6.1.0) (2023-05-01) ### Bug Fixes * LiveQuery can return incorrectly formatted date ([parse-community#8456](parse-community#8456)) ([4ce135a](parse-community@4ce135a)) * Nested date is incorrectly decoded as empty object `{}` when fetching a Parse Object ([parse-community#8446](parse-community#8446)) ([22d2446](parse-community@22d2446)) * Parameters missing in `afterFind` trigger of authentication adapters ([parse-community#8458](parse-community#8458)) ([ce34747](parse-community@ce34747)) * Rate limiting across multiple servers via Redis not working ([parse-community#8469](parse-community#8469)) ([d9e347d](parse-community@d9e347d)) * Security upgrade jsonwebtoken to 9.0.0 ([parse-community#8420](parse-community#8420)) ([f5bfe45](parse-community@f5bfe45)) ### Features * Add `afterFind` trigger to authentication adapters ([parse-community#8444](parse-community#8444)) ([c793bb8](parse-community@c793bb8)) * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([parse-community#8436](parse-community#8436)) ([b3b76de](parse-community@b3b76de)) * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([parse-community#7551](parse-community#7551)) ([e5d610e](parse-community@e5d610e)) * Add rate limiting across multiple servers via Redis ([parse-community#8394](parse-community#8394)) ([34833e4](parse-community@34833e4)) * Allow multiple origins for header `Access-Control-Allow-Origin` ([parse-community#8517](parse-community#8517)) ([4f15539](parse-community@4f15539)) * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([parse-community#8388](parse-community#8388)) ([a49e323](parse-community@a49e323)) * Export `AuthAdapter` to make it available for extension with custom authentication adapters ([parse-community#8443](parse-community#8443)) ([40c1961](parse-community@40c1961)) commit 18b63d1 Merge: f7eee19 f59d46c Author: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Mon May 1 23:49:22 2023 +0200 build: Release (parse-community#8526)

dependabot bot and others added 2 commits January 31, 2023 16:35

feat: bump jsonwebtoken to 9.0.0

bf48414

dblythy changed the title ~~Bump jwt~~ feat: bump jsonwebtoken to 9.0.0 Feb 2, 2023

dblythy marked this pull request as ready for review February 2, 2023 03:56

parse-github-assistant bot changed the title ~~feat: bump jsonwebtoken to 9.0.0~~ feat: Bump jsonwebtoken to 9.0.0 Feb 2, 2023

dblythy added 2 commits February 4, 2023 12:27

Update utils.js

6b49521

Update AuthenticationAdapters.spec.js

8d7c97c

Merge branch 'alpha' into bump-jwt

ee0a040

mtrezza reviewed Feb 5, 2023

View reviewed changes

dblythy changed the title ~~feat: Bump jsonwebtoken to 9.0.0~~ refactor: Bump jsonwebtoken to 9.0.0 Feb 5, 2023

mtrezza changed the title ~~refactor: Bump jsonwebtoken to 9.0.0~~ fix: Security upgrade jsonwebtoken from 8.5.1 to 9.0.0 Feb 7, 2023

mtrezza changed the title ~~fix: Security upgrade jsonwebtoken from 8.5.1 to 9.0.0~~ fix: Security upgrade jsonwebtoken to 9.0.0 Feb 7, 2023

mtrezza changed the title ~~fix: Security upgrade jsonwebtoken to 9.0.0~~ refactor: Upgrade jsonwebtoken to 9.0.0 Feb 7, 2023

mtrezza changed the title ~~refactor: Upgrade jsonwebtoken to 9.0.0~~ fix: Security upgrade jsonwebtoken to 9.0.0 Feb 7, 2023

This was referenced Feb 7, 2023

Bump jsonwebtoken to 9.0.0 #8356

Closed

Bump jsonwebtoken to 9.0.0 in LTS branch #8427

Closed

mtrezza approved these changes Feb 7, 2023

View reviewed changes

mtrezza merged commit f5bfe45 into parse-community:alpha Feb 7, 2023

parseplatformorg pushed a commit that referenced this pull request Feb 7, 2023

chore(release): 6.0.0-alpha.32 [skip ci]

e76123b

# [6.0.0-alpha.32](6.0.0-alpha.31...6.0.0-alpha.32) (2023-02-07) ### Bug Fixes * Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))

parseplatformorg added the state:released-alpha Released as alpha version label Feb 7, 2023

mtrezza mentioned this pull request Feb 19, 2023

Bump jsonwebtoken from 8.5.1 to 9.0.0 #8377

Closed

3 tasks

parseplatformorg added the state:released-beta Released as beta version label Mar 2, 2023

parseplatformorg added the state:released Released as stable version label May 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

dblythy commented Feb 2, 2023 •

edited by mtrezza

Loading

parse-github-assistant bot commented Feb 2, 2023 •

edited

Loading

parse-github-assistant bot commented Feb 2, 2023

codecov bot commented Feb 5, 2023 •

edited

Loading

dblythy commented Feb 5, 2023

mtrezza left a comment •

edited

Loading

mtrezza commented Feb 7, 2023

mtrezza left a comment

parseplatformorg commented Feb 7, 2023

parseplatformorg commented Mar 2, 2023

parseplatformorg commented Mar 3, 2023

parseplatformorg commented May 1, 2023

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

Conversation

dblythy commented Feb 2, 2023 • edited by mtrezza Loading

Pull Request

Issue

Approach

Tasks

parse-github-assistant bot commented Feb 2, 2023 • edited Loading

Thanks for opening this pull request!

parse-github-assistant bot commented Feb 2, 2023

codecov bot commented Feb 5, 2023 • edited Loading

Codecov Report

dblythy commented Feb 5, 2023

mtrezza left a comment • edited Loading

Choose a reason for hiding this comment

mtrezza commented Feb 7, 2023

mtrezza left a comment

Choose a reason for hiding this comment

parseplatformorg commented Feb 7, 2023

parseplatformorg commented Mar 2, 2023

parseplatformorg commented Mar 3, 2023

parseplatformorg commented May 1, 2023

dblythy commented Feb 2, 2023 •

edited by mtrezza

Loading

parse-github-assistant bot commented Feb 2, 2023 •

edited

Loading

codecov bot commented Feb 5, 2023 •

edited

Loading

mtrezza left a comment •

edited

Loading