fix: security vulnerability that allows remote code execution (GHSA-p…

…6h4-93qp-jhcm) (#7844)

.madgerc

@@ -0,0 +1,10 @@
+{
+	"detectiveOptions": {
+		"ts": {
+			"skipTypeImports": true
+		},
+    "es6": {
+			"skipTypeImports": true
+		}
+	}
+}

resources/buildConfigDefinitions.js

@@ -172,6 +172,20 @@ function parseDefaultValue(elt, value, t) {
     literalValue = t.arrayExpression(array.map((value) => {
       if (typeof value == 'string') {
         return t.stringLiteral(value);
+      } else if (typeof value == 'number') {
+        return t.numericLiteral(value);
+      } else if (typeof value == 'object') {
+        const object = parsers.objectParser(value);
+        const props = Object.entries(object).map(([k, v]) => {
+          if (typeof v == 'string') {
+            return t.objectProperty(t.identifier(k), t.stringLiteral(v));
+          } else if (typeof v == 'number') {
+            return t.objectProperty(t.identifier(k), t.numericLiteral(v));
+          } else if (typeof v == 'boolean') {
+            return t.objectProperty(t.identifier(k), t.booleanLiteral(v));
+          }
+        });
+        return t.objectExpression(props);
       } else {
         throw new Error('Unable to parse array');
       }

spec/vulnerabilities.spec.js

@@ -0,0 +1,283 @@
+const request = require('../lib/request');
+
+describe('Vulnerabilities', () => {
+  describe('Object prototype pollution', () => {
+    it('denies object prototype to be polluted with keyword "constructor"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const response = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({
+          obj: {
+            constructor: {
+              prototype: {
+                dummy: 0,
+              },
+            },
+          },
+        }),
+      }).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"constructor"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+
+    it('denies object prototype to be polluted with keypath string "constructor"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const objResponse = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({
+          obj: {},
+        }),
+      }).catch(e => e);
+      const pollResponse = await request({
+        headers: headers,
+        method: 'PUT',
+        url: `http://localhost:8378/1/classes/PP/${objResponse.data.objectId}`,
+        body: JSON.stringify({
+          'obj.constructor.prototype.dummy': {
+            __op: 'Increment',
+            amount: 1,
+          },
+        }),
+      }).catch(e => e);
+      expect(Object.prototype.dummy).toBeUndefined();
+      expect(pollResponse.status).toBe(400);
+      const text = JSON.parse(pollResponse.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"constructor"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+
+    it('denies object prototype to be polluted with keyword "__proto__"', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const response = await request({
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/PP',
+        body: JSON.stringify({ 'obj.__proto__.dummy': 0 }),
+      }).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"__proto__"}.');
+      expect(Object.prototype.dummy).toBeUndefined();
+    });
+  });
+
+  describe('Request denylist', () => {
+    it('denies BSON type code data in write request by default', async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            _bsontype: 'Code',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"_bsontype","value":"Code"}.'
+      );
+    });
+
+    it('allows BSON type code data in write request with custom denylist', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            _bsontype: 'Code',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(201);
+      const text = JSON.parse(response.text);
+      expect(text.objectId).toBeDefined();
+    });
+
+    it('denies write request with custom denylist of key/value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of nested key/value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            nested: {
+              aKey: 'aValue321',
+              code: 'delete Object.prototype.evalFunctions',
+            },
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of key/value in array', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey', value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: [
+            {
+              aKey: 'aValue321',
+              code: 'delete Object.prototype.evalFunctions',
+            },
+          ],
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe(
+        'Prohibited keyword in request data: {"key":"a[K]ey","value":"aValue[123]*"}.'
+      );
+    });
+
+    it('denies write request with custom denylist of key', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ key: 'a[K]ey' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"key":"a[K]ey"}.');
+    });
+
+    it('denies write request with custom denylist of value', async () => {
+      await reconfigureServer({
+        requestKeywordDenylist: [{ value: 'aValue[123]*' }],
+      });
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const params = {
+        headers: headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/RCE',
+        body: JSON.stringify({
+          obj: {
+            aKey: 'aValue321',
+            code: 'delete Object.prototype.evalFunctions',
+          },
+        }),
+      };
+      const response = await request(params).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = JSON.parse(response.text);
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toBe('Prohibited keyword in request data: {"value":"aValue[123]*"}.');
+    });
+  });
+});

src/Config.js

@@ -35,7 +35,7 @@ export class Config {
     config.applicationId = applicationId;
     Object.keys(cacheInfo).forEach(key => {
       if (key == 'databaseController') {
-        config.database = new DatabaseController(cacheInfo.databaseController.adapter);
+        config.database = new DatabaseController(cacheInfo.databaseController.adapter, config);
       } else {
         config[key] = cacheInfo[key];
       }
@@ -78,6 +78,7 @@ export class Config {
     security,
     enforcePrivateUsers,
     schema,
+    requestKeywordDenylist,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -116,6 +117,15 @@ export class Config {
     this.validateSecurityOptions(security);
     this.validateSchemaOptions(schema);
     this.validateEnforcePrivateUsers(enforcePrivateUsers);
+    this.validateRequestKeywordDenylist(requestKeywordDenylist);
+  }
+
+  static validateRequestKeywordDenylist(requestKeywordDenylist) {
+    if (requestKeywordDenylist === undefined) {
+      requestKeywordDenylist = requestKeywordDenylist.default;
+    } else if (!Array.isArray(requestKeywordDenylist)) {
+      throw 'Parse Server option requestKeywordDenylist must be an array.';
+    }
   }
 
   static validateEnforcePrivateUsers(enforcePrivateUsers) {