fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

mtrezza · 2022-11-07T21:25:25Z

Fixes security vulnerability GHSA-prm5-8g2m-24gg

parse-github-assistant · 2022-11-07T21:25:28Z

Thanks for opening this pull request!

❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for essential information to quicker review the pull request.

codecov · 2022-11-07T21:33:31Z

Codecov Report

Base: 94.12% // Head: 87.14% // Decreases project coverage by -6.98% ⚠️

Coverage data is based on head (08ee746) compared to base (4462b39).
Patch coverage: 87.68% of modified lines in pull request are covered.

❗ Current head 08ee746 differs from pull request most recent head 75d6080. Consider uploading reports for the commit 75d6080 to get more accurate results

Additional details and impacted files

@@             Coverage Diff             @@
##           release    #8295      +/-   ##
===========================================
- Coverage    94.12%   87.14%   -6.99%     
===========================================
  Files          182      182              
  Lines        13621    13737     +116     
===========================================
- Hits         12821    11971     -850     
- Misses         800     1766     +966

Impacted Files	Coverage Δ
src/Adapters/Cache/LRUCache.js	`100.00% <ø> (ø)`
src/Adapters/Files/GridFSBucketAdapter.js	`9.48% <0.00%> (-70.02%)`	⬇️
src/GraphQL/helpers/objectsQueries.js	`86.71% <0.00%> (-3.91%)`	⬇️
src/GraphQL/loaders/schemaTypes.js	`100.00% <ø> (ø)`
src/LiveQuery/SessionTokenCache.js	`86.95% <ø> (ø)`
src/Options/index.js	`100.00% <ø> (ø)`
src/Adapters/Auth/spotify.js	`62.50% <60.00%> (-17.50%)`	⬇️
src/GraphQL/loaders/defaultGraphQLTypes.js	`97.06% <75.00%> (ø)`
src/Adapters/Auth/facebook.js	`90.62% <80.00%> (-1.44%)`	⬇️
src/Auth.js	`92.36% <83.33%> (-7.64%)`	⬇️
... and 45 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

## [5.3.1](5.3.0...5.3.1) (2022-11-07) ### Bug Fixes * Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))

parseplatformorg · 2022-11-07T22:11:04Z

🎉 This change has been released in version 5.3.1

* release: docs: remove "skip release" entries from changelog chore(release): 5.4.0 [skip ci] refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307) chore(release): 5.3.3 [skip ci] fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305) chore(release): 5.3.2 [skip ci] refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303) fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302) refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298) chore(release): 5.3.1 [skip ci] fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)

* beta: docs: remove "skip release" entries from changelog chore(release): 5.4.0 [skip ci] refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307) chore(release): 5.3.3 [skip ci] fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305) chore(release): 5.3.2 [skip ci] refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303) fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302) refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298) chore(release): 5.3.1 [skip ci] fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)

# [6.0.0-alpha.31](6.0.0-alpha.30...6.0.0-alpha.31) (2023-01-31) ### Bug Fixes * Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([#8302](#8302)) ([6728da1](6728da1)) * Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([#8305](#8305)) ([60c5a73](60c5a73)) * Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))

parseplatformorg · 2023-01-31T15:38:39Z

🎉 This change has been released in version 6.0.0-alpha.31

* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([parse-community#8302](parse-community#8302)) ([6728da1](parse-community@6728da1)) * Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([parse-community#8305](parse-community#8305)) ([60c5a73](parse-community@60c5a73)) * Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([parse-community#8295](parse-community#8295)) ([50eed3c](parse-community@50eed3c))

fix

75d6080

mtrezza changed the title ~~fix-release-24gg~~ fix: Release-24gg Nov 7, 2022

mtrezza changed the title ~~fix: Release-24gg~~ fix: Remote code execution via MongoDB BSON parser through prototype pollution Nov 7, 2022

mtrezza merged commit 50eed3c into parse-community:release Nov 7, 2022

parseplatformorg added the state:released Released as stable version label Nov 7, 2022

mtrezza deleted the fix-release-24gg branch November 9, 2022 18:13

parseplatformorg added the state:released-alpha Released as alpha version label Jan 31, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

mtrezza commented Nov 7, 2022 •

edited

Loading

parse-github-assistant bot commented Nov 7, 2022 •

edited

Loading

codecov bot commented Nov 7, 2022 •

edited

Loading

parseplatformorg commented Nov 7, 2022

parseplatformorg commented Jan 31, 2023

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

Conversation

mtrezza commented Nov 7, 2022 • edited Loading

parse-github-assistant bot commented Nov 7, 2022 • edited Loading

Thanks for opening this pull request!

codecov bot commented Nov 7, 2022 • edited Loading

Codecov Report

parseplatformorg commented Nov 7, 2022

parseplatformorg commented Jan 31, 2023

mtrezza commented Nov 7, 2022 •

edited

Loading

parse-github-assistant bot commented Nov 7, 2022 •

edited

Loading

codecov bot commented Nov 7, 2022 •

edited

Loading