Enhance authData validation and processing to address security concerns. Introduce stricter provider name validation to prevent prototype pollution and NoSQL injection. Refactor diffAuthData and related logic for improved safety, clarity, and efficiency. Add extensive test coverage for edge cases and malicious input handling.

Author: SNtGog

spec/Users.authdata.security.spec.js

@@ -1856,6 +1856,211 @@ describe('AuthData Security Tests', () => {
         expect(error.code).toBeDefined();
       }
     });
+
+    it('should reject provider names with prototype pollution attempts', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to use constructor as provider name (enumerable by default)
+      try {
+        await user.save(
+          { authData: { constructor: { id: 'test' } } },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that constructor was not stored as malicious data
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Constructor should not be in authData with our test data
+        // (either rejected or not configured, or stored but not as our test object)
+        if (authData && authData.constructor) {
+          const isOurTestData = typeof authData.constructor === 'object' && 
+                               authData.constructor.id === 'test';
+          expect(isOurTestData).toBe(false);
+        }
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+
+      // Try to use prototype as provider name
+      try {
+        await user.save(
+          { authData: { prototype: { id: 'test' } } },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that prototype was not stored as malicious data
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Prototype should not be in authData with our test data
+        // (either rejected or not configured, or stored but not as our test object)
+        if (authData && authData.prototype) {
+          const isOurTestData = typeof authData.prototype === 'object' && 
+                               authData.prototype.id === 'test';
+          expect(isOurTestData).toBe(false);
+        }
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+
+      // Note: __proto__ is not enumerable by default in Object.keys(),
+      // so it won't be processed by diffAuthData. However, if it were
+      // enumerable (via Object.defineProperty with enumerable: true),
+      // it would be rejected by our validation. This is acceptable because
+      // normal object literals don't have enumerable __proto__.
+    });
+
+    it('should reject provider names with NoSQL injection attempts', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to use dots in provider name (NoSQL injection)
+      const maliciousProviders = [
+        'gpgames.id',
+        'gpgames.access_token',
+        'provider.name.field',
+        'test.test',
+      ];
+
+      for (const maliciousProvider of maliciousProviders) {
+        try {
+          await user.save(
+            { authData: { [maliciousProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          fail(`Should have rejected provider name with dots: ${maliciousProvider}`);
+        } catch (error) {
+          expect(error.code).toBe(Parse.Error.INVALID_KEY_NAME);
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
+
+    it('should reject provider names with special characters', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try various special characters
+      const maliciousProviders = [
+        'provider-name', // hyphen
+        'provider name', // space
+        'provider@name', // @
+        'provider#name', // #
+        'provider$name', // $
+        'provider[name]', // brackets
+        'provider{name}', // braces
+        'provider/name', // slash
+        'provider\\name', // backslash
+        'provider.name', // dot
+        '123provider', // starts with number
+        '', // empty string
+      ];
+
+      for (const maliciousProvider of maliciousProviders) {
+        try {
+          await user.save(
+            { authData: { [maliciousProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          fail(`Should have rejected invalid provider name: ${maliciousProvider}`);
+        } catch (error) {
+          expect(error.code).toBe(Parse.Error.INVALID_KEY_NAME);
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
+
+    it('should accept valid provider names', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Valid provider names should work
+      const validProviders = [
+        'gpgames',
+        'instagram',
+        'provider_name',
+        'providerName',
+        'ProviderName',
+        'provider123',
+        'p',
+        'provider_name_123',
+      ];
+
+      for (const validProvider of validProviders) {
+        // Skip if provider is not configured (will fail with different error)
+        if (validProvider === 'gpgames' || validProvider === 'instagram') {
+          continue;
+        }
+
+        try {
+          await user.save(
+            { authData: { [validProvider]: { id: 'test' } } },
+            { sessionToken }
+          );
+          // Should not throw INVALID_KEY_NAME error
+          // May throw UNSUPPORTED_SERVICE if provider not configured, which is expected
+        } catch (error) {
+          // Should not be INVALID_KEY_NAME for valid provider names
+          expect(error.code).not.toBe(Parse.Error.INVALID_KEY_NAME);
+        }
+      }
+    });
+
+    it('should prevent injection when linking multiple providers', async () => {
+      mockFetch(mockGpgamesLogin());
+      const user = await Parse.User.logInWith('gpgames', {
+        authData: { id: MOCK_USER_ID, code: 'C1' },
+      });
+      const sessionToken = user.getSessionToken();
+
+      // Try to link malicious provider name
+      // Use constructor which should be enumerable
+      try {
+        await user.save(
+          {
+            authData: {
+              constructor: { id: 'test' },
+            },
+          },
+          { sessionToken }
+        );
+        // If it doesn't throw, verify that constructor was not stored
+        await user.fetch({ sessionToken });
+        const authData = user.get('authData');
+        // Constructor should not be in authData (either rejected or not configured)
+        const hasConstructor = authData && authData.constructor && 
+                              typeof authData.constructor === 'object' && 
+                              authData.constructor.id === 'test';
+        expect(hasConstructor).toBe(false);
+      } catch (error) {
+        // Should reject with INVALID_KEY_NAME (either from validateAuthData or diffAuthData)
+        // If provider is not configured, may throw UNSUPPORTED_SERVICE, which is also acceptable
+        expect([Parse.Error.INVALID_KEY_NAME, Parse.Error.UNSUPPORTED_SERVICE]).toContain(error.code);
+        if (error.code === Parse.Error.INVALID_KEY_NAME) {
+          expect(error.message).toContain('Invalid provider name');
+        }
+      }
+    });
   });
 });
 

src/Auth.js

@@ -645,50 +645,93 @@ const handleAuthDataValidation = async (authData, req, foundUser) => {
   return acc;
 };
 
-const subsetEqual = (prev, next) => {
-  if (prev === next) return true;
-  if (prev == null || next == null) return false;
-
-  const tp = typeof prev;
-  const tn = typeof next;
-  if (tn !== 'object' || tp !== 'object') return prev === next;
-
-  if (Array.isArray(prev) && Array.isArray(next)) {
-    if (next.length > prev.length) return false;
-    for (let i = 0; i < next.length; i++) {
-      if (!subsetEqual(prev[i], next[i])) {
-        return false;
-      }
-    }
-    return true;
+const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
+
+const toRecord = (v) => {
+  const out = Object.create(null);
+  if (!v || typeof v !== 'object' || Array.isArray(v)) return out;
+  for (const k of Object.keys(v)) {
+    out[k] = v[k];
   }
+  return out;
+};
 
-  if (Array.isArray(prev) !== Array.isArray(next)) {
-    return false;
+const assertSafeProviderKey = (p) => {
+  if (p === '__proto__' || p === 'constructor' || p === 'prototype') {
+    throw new Parse.Error(
+      Parse.Error.INVALID_KEY_NAME,
+      `Invalid provider name: ${p}. Provider names cannot be reserved JavaScript properties.`
+    );
+  }
+  if (!/^[A-Za-z][A-Za-z0-9_]*$/.test(p)) {
+    throw new Parse.Error(
+      Parse.Error.INVALID_KEY_NAME,
+      `Invalid provider name: ${p}. Provider names must start with a letter and contain only alphanumeric characters and underscores.`
+    );
   }
+};
 
-  for (const key in next) {
-    if (!(key in prev)) {
-      return false;
-    }
-    if (!subsetEqual(prev[key], next[key])) {
-      return false;
-    }
+const assertProviderData = (x) => {
+  if (x === null || typeof x === 'undefined') return;
+  if (!x || typeof x !== 'object' || Array.isArray(x)) {
+    throw new Parse.Error(
+      Parse.Error.VALIDATION_ERROR,
+      'Invalid provider data.'
+    );
+  }
+  if (Object.keys(x).length > 32) {
+    throw new Parse.Error(
+      Parse.Error.VALIDATION_ERROR,
+      'Provider data too large.'
+    );
+  }
+  if (typeof x.id !== 'undefined' && (typeof x.id !== 'string' || x.id.length > 256)) {
+    throw new Parse.Error(
+      Parse.Error.VALIDATION_ERROR,
+      'Invalid provider id.'
+    );
   }
+};
 
+const shallowStableEqual = (a, b) => {
+  if (a === b) return true;
+  if (!a || !b || typeof a !== 'object' || typeof b !== 'object' || Array.isArray(a) || Array.isArray(b)) {
+    return false;
+  }
+  const ak = Object.keys(a);
+  const bk = Object.keys(b);
+  if (ak.length !== bk.length) return false;
+  for (const k of ak) {
+    if (!hasOwn(b, k)) return false;
+    if (a[k] !== b[k]) return false;
+  }
   return true;
-}
+};
 
 const diffAuthData = (current = {}, incoming = {}) => {
-  const changed = {};
-  const unlink = {};
-  const unchanged = {};
+  // Convert to safe records (null-prototype) for internal processing
+  const cur = toRecord(current);
+  const inc = toRecord(incoming);
+
+  // Use null-prototype objects internally to prevent prototype pollution
+  const changed = Object.create(null);
+  const unlink = Object.create(null);
+  const unchanged = Object.create(null);
 
-  const providers = _.union(Object.keys(current), Object.keys(incoming));
+  const providers = _.union(Object.keys(cur), Object.keys(inc));
+
+  if (providers.length > 32) {
+    throw new Parse.Error(
+      Parse.Error.VALIDATION_ERROR,
+      'Too many providers. Maximum 32 providers allowed.'
+    );
+  }
 
   for (const p of providers) {
-    const prev = current[p];
-    const next = incoming[p];
+    assertSafeProviderKey(p);
+
+    const prev = hasOwn(cur, p) ? cur[p] : undefined;
+    const next = hasOwn(inc, p) ? inc[p] : undefined;
 
     if (next === null) {
       unlink[p] = true;
@@ -700,6 +743,8 @@ const diffAuthData = (current = {}, incoming = {}) => {
       continue;
     }
 
+    assertProviderData(next);
+
     if (_.isUndefined(prev)) {
       changed[p] = next;
       continue;
@@ -712,14 +757,14 @@ const diffAuthData = (current = {}, incoming = {}) => {
       continue;
     }
 
-    if (isDeepStrictEqual(prev, next)) {
-      unchanged[p] = prev;
-    } else if (subsetEqual(prev, next)) {
+    if (shallowStableEqual(prev, next) || isDeepStrictEqual(prev, next)) {
       unchanged[p] = prev;
     } else {
       changed[p] = next;
     }
   }
+  // Return null-prototype objects to maintain protection against prototype pollution
+  // Object.keys() works perfectly with null-prototype objects
   return { changed, unlink, unchanged };
 };
 
@@ -736,6 +781,5 @@ module.exports = {
   hasMutatedAuthData,
   checkIfUserHasProvidedConfiguredProvidersForLogin,
   handleAuthDataValidation,
-  subsetEqual,
   diffAuthData
 };