fix: security vulnerability that allows remote code execution (ghsa p…

…6h4 93qp jhcm) (#7841)
parse-community · Mar 11, 2022 · 886bfd7 · 886bfd7
1 parent 318c203
commit 886bfd7
Show file tree

Hide file tree

Showing 10 changed files with 452 additions and 40 deletions.
diff --git a/resources/buildConfigDefinitions.js b/resources/buildConfigDefinitions.js
@@ -150,6 +150,20 @@ function parseDefaultValue(elt, value, t) {
     literalValue = t.arrayExpression(array.map((value) => {
       if (typeof value == 'string') {
         return t.stringLiteral(value);
+      } else if (typeof value == 'number') {
+        return t.numericLiteral(value);
+      } else if (typeof value == 'object') {
+        const object = parsers.objectParser(value);
+        const props = Object.entries(object).map(([k, v]) => {
+          if (typeof v == 'string') {
+            return t.objectProperty(t.identifier(k), t.stringLiteral(v));
+          } else if (typeof v == 'number') {
+            return t.objectProperty(t.identifier(k), t.numericLiteral(v));
+          } else if (typeof v == 'boolean') {
+            return t.objectProperty(t.identifier(k), t.booleanLiteral(v));
+          }
+        });
+        return t.objectExpression(props);
       } else {
         throw new Error('Unable to parse array');
       }

diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -0,0 +1,283 @@
+const request = require('../lib/request');
+
+describe('Vulnerabilities', () => {
+  describe('Object prototype pollution', () => {
+    it('denies object prototype to be polluted with keyword "constructor"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const response = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({
+          obj: {
+            constructor: {
+              prototype: {
+                dummy: 0,
+              },
+            },
+          },
+        }),
+      }).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"constructor"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+
+    it('denies object prototype to be polluted with keypath string "constructor"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const objResponse = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({
+          obj: {},
+        }),
+      }).catch(e => e);
+      const pollResponse = await request({
+        headers: headers,
+        method: 'PUT',
+        url: `http://localhost:8378/1/classes/PP/${objResponse.data.objectId}`,
+        body: JSON.stringify({
+          'obj.constructor.prototype.dummy': {
+            __op: 'Increment',
+            amount: 1,
+          },
+        }),
+      }).catch(e => e);
+      expect(Object.prototype.dummy).toBeUndefined();
+      expect(pollResponse.status).toBe(400);
+      const text = JSON.parse(pollResponse.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"constructor"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+
+    it('denies object prototype to be polluted with keyword "__proto__"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const response = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({ 'obj.__proto__.dummy': 0 }),
+      }).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"__proto__"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+  });
+
+  describe('Request denylist', () => {
+    it('denies BSON type code data in write request by default', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            _bsontype: 'Code',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
+      );
+    });
+
+    it('allows BSON type code data in write request with custom denylist', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            _bsontype: 'Code',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(201);
+      const text = JSON.parse(response.text);
+      expect(text.objectId).toBeDefined();
+    });
+
+    it('denies write request with custom denylist of key/value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of nested key/value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            nested: {
+              aKey: 'aValue321',
+              code: 'delete Object.prototype.evalFunctions',
+            },
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of key/value in array', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: [
+            {
+              aKey: 'aValue321',
+              code: 'delete Object.prototype.evalFunctions',
+            },
+          ],
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of key', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"a[K]ey"}.');
+    });
+
+    it('denies write request with custom denylist of value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"value":"aValue[123]*"}.');
+    });
+  });
+});
diff --git a/src/Config.js b/src/Config.js
@@ -33,7 +33,11 @@ export class Config {
           cacheInfo.schemaCacheTTL,
           cacheInfo.enableSingleSchemaCache
         );
-        config.database = new DatabaseController(cacheInfo.databaseController.adapter, schemaCache);
+        config.database = new DatabaseController(
+          cacheInfo.databaseController.adapter,
+          schemaCache,
+          config
+        );
       } else {
         config[key] = cacheInfo[key];
       }
@@ -71,6 +75,7 @@ export class Config {
     allowHeaders,
     idempotencyOptions,
     emailVerifyTokenReuseIfValid,
+    requestKeywordDenylist,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -105,6 +110,15 @@ export class Config {
     this.validateMaxLimit(maxLimit);
     this.validateAllowHeaders(allowHeaders);
     this.validateIdempotencyOptions(idempotencyOptions);
+    this.validateRequestKeywordDenylist(requestKeywordDenylist);
+  }
+
+  static validateRequestKeywordDenylist(requestKeywordDenylist) {
+    if (requestKeywordDenylist === undefined) {
+      requestKeywordDenylist = requestKeywordDenylist.default;
+    } else if (!Array.isArray(requestKeywordDenylist)) {
+      throw 'Parse Server option requestKeywordDenylist must be an array.';
+    }
   }
 
   static validateIdempotencyOptions(idempotencyOptions) {