

fix: Server crashes on invalid Cloud Function or Cloud Job name; fixe…
…s security vulnerability [GHSA-6hh7-46r2-vf29](GHSA-6hh7-46r2-vf29) (#9024)
mtrezza authored Mar 19, 2024
1 parent 901aaf8 commit 9f6e342
Showing 2 changed files with 40 additions and 1 deletion.
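--- a/spec/ParseHooks.spec.js
+++ b/spec/ParseHooks.spec.js
@@ -694,3 +694,36 @@ describe('triggers', () => {
 expect(req.context).toBeUndefined();
 });
 });
+
+describe('sanitizing names', () => {
+const invalidNames = [
+`test'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5cxxxxxxxxxxxxxxx.yyyyy'%2b'fy.com%5cxus'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20`,
+`test.function.name`,
+];
+
+it('should not crash server and return error on invalid Cloud Function name', async () => {
+for (const invalidName of invalidNames) {
+let error;
+try {
+await Parse.Cloud.run(invalidName);
+} catch (err) {
+error = err;
+}
+expect(error).toBeDefined();
+expect(error.message).toMatch(/Invalid function/);
+}
+});
+
+it('should not crash server and return error on invalid Cloud Job name', async () => {
+for (const invalidName of invalidNames) {
+let error;
+try {
+await Parse.Cloud.startJob(invalidName);
+} catch (err) {
+error = err;
+}
+expect(error).toBeDefined();
+expect(error.message).toMatch(/Invalid job/);
+}
+});
+});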
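Review bot: The `invalidNames` list exercises only a quoted name and a dotted name, so these tests would not catch a regression where a name component that exists on `Object.prototype` — e.g. `constructor`, `toString` or `__proto__.foo` — is resolved through the store's prototype chain instead of being rejected; adding those three strings to `invalidNames` pins that behaviour, and if any of them fails it points at the lookup in `getStore` rather than at the test. The assertions `expect(error.message).toMatch(/Invalid function/)` and `expect(error.message).toMatch(/Invalid job/)` check the message text only, so any thrown error carrying that wording would satisfy them; asserting the Parse error code as well (the exact code the server uses is not visible in this diff) would make the contract explicit. A comment above the list such as `// Names that must be rejected without reaching the trigger store: quote characters and dotted paths` would tell a later reader why these particular strings were chosen.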
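--- a/src/triggers.js
+++ b/src/triggers.js
@@ -86,6 +86,12 @@ const Category = {
 };
 
 function getStore(category, name, applicationId) {
+const invalidNameRegex = /['"`]/;
+if (invalidNameRegex.test(name)) {
+// Prevent a malicious user from injecting properties into the store
+return {};
+}
+
 const path = name.split('.');
 path.splice(-1); // remove last component
 applicationId = applicationId || Parse.applicationId;
@@ -94,7 +100,7 @@ function getStore(category, name, applicationId) {
 for (const component of path) {
 store = store[component];
 if (!store) {
-return undefined;
+return {};
 }
 }
 return store;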
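Review bot: The guard `const invalidNameRegex = /['"`]/;` is a character denylist, and the walk `store = store[component];` still reads inherited properties, so a component such as `__proto__` or `constructor` resolves to `Object.prototype` or the `Object` function instead of being rejected; whether a caller can act on that depends on how the final component is looked up, which is outside this hunk. Restricting the walk to own properties closes the gap regardless of callers: replace the truthiness check with `if (!Object.hasOwn(store, component)) {` `return {};` `}` and assign `store = store[component];` only after it. A positive allowlist for the whole name (letters, digits, `_`, with `.` as separator) would also be easier to reason about than rejecting characters one at a time as they are discovered. Note that `invalidNameRegex.test(name)` coerces a non-string `name` to a string, so the following `name.split('.')` would still throw for a non-string argument; the tests shown always pass strings, but a `typeof name !== 'string'` check at the top would make the crash fix hold for every caller. The lines between the two hunks and the function's closing brace are outside the hunk.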
