
Bug: can access all installations via REST #1372

Closed
markuswinkler opened this issue Apr 5, 2016 · 4 comments · Fixed by #1374
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@markuswinkler

Based on this article (https://www.parse.com/questions/what-are-the-recommended-permissions-for-the-installations-class) a query for _Installation should only return your own installation object.

However, if I run this cURL call I can get all installation objects.

curl -X GET \
  -H "X-Parse-Application-Id: {validID}" \
  -H "Content-Type: application/json" \
  http://localhost:1337/parse/classes/_Installation

That request should always return empty (or with an error).

@ghost commented Apr 5, 2016

Did you check the security settings?

@flovilmart (Contributor)

I believe you can lock it down with a CLP disallowing public find and allowing everything else, but we should have that: {"code":119,"error":"Clients aren't allowed to perform the find operation on the installation collection."} by default, and that you can't override by CLP.

@flovilmart flovilmart added type:bug Impaired feature or lacking behavior that is likely assumed in-process labels Apr 5, 2016
@flovilmart (Contributor)

Just checked with Parse.com API, and I'm locking down the find operation on installation the same way we lock down the delete operation! Thanks for reporting that security issue
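
A model of the server-side check this thread describes, added here as an illustration and not code from parse-server itself. It assumes a simplified CLP shape (operation name mapped to a set of principals allowed) and an `isMaster` flag standing in for the master-key check; the rejection for find and delete on _Installation is applied before the CLP is consulted, so a permissive CLP cannot re-open it:

```javascript
// Added example, not parse-server's own code. Models the rule discussed in
// the thread: a client without the master key must never be able to run
// find (or delete) on _Installation, even if the class-level permission
// (CLP) for that class allows public access.
const OPERATION_FORBIDDEN = 119; // Parse error code quoted in the thread

// Operations hard-locked on _Installation for non-master clients
// (delete was already locked; the fix applies the same rule to find).
const INSTALLATION_MASTER_ONLY = new Set(['find', 'delete']);

// Returns null when the operation may proceed, otherwise an error object
// shaped like the JSON a REST client receives. `isMaster` and the CLP
// layout are simplifying assumptions for this example.
function checkClassPermission({ className, operation, isMaster, clp }) {
  if (isMaster) return null; // the master key bypasses every CLP

  // Hard lock first: evaluated before any CLP, so CLP cannot override it.
  if (className === '_Installation' && INSTALLATION_MASTER_ONLY.has(operation)) {
    return {
      code: OPERATION_FORBIDDEN,
      error: `Clients aren't allowed to perform the ${operation} operation on the installation collection.`,
    };
  }

  // Ordinary CLP evaluation (constructed simplification): the entry for an
  // operation maps principals ('*', a user id, 'role:<name>') to true.
  // A missing entry, or '*' set to true, means public access.
  const perms = clp && clp[operation];
  if (!perms || perms['*'] === true) return null;
  return {
    code: OPERATION_FORBIDDEN,
    error: `Permission denied for action ${operation} on class ${className}.`,
  };
}

// Constructed request mirroring the cURL call in the report: no master key,
// and a CLP that would otherwise allow public find.
const reportedRequest = {
  className: '_Installation',
  operation: 'find',
  isMaster: false,
  clp: { find: { '*': true } },
};
console.log(checkClassPermission(reportedRequest)); // error 119, not null
```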

@markuswinkler (Author)

Great! Thanks! 👍
