Add Security Checks Log

resources/buildConfigDefinitions.js

@@ -47,7 +47,8 @@ function getENVPrefix(iface) {
     'LiveQueryOptions' : 'PARSE_SERVER_LIVEQUERY_',
     'IdempotencyOptions' : 'PARSE_SERVER_EXPERIMENTAL_IDEMPOTENCY_',
     'AccountLockoutOptions' : 'PARSE_SERVER_ACCOUNT_LOCKOUT_',
-    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_'
+    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_',
+    'SecurityChecksOptions' : 'PARSE_SERVER_SECURITY_CHECKS_'
   }
   if (options[iface.id.name]) {
     return options[iface.id.name]
@@ -163,14 +164,8 @@ function parseDefaultValue(elt, value, t) {
     if (type == 'NumberOrBoolean') {
       literalValue = t.numericLiteral(parsers.numberOrBoolParser('')(value));
     }
-    if (type == 'CustomPagesOptions') {
-      const object = parsers.objectParser(value);
-      const props = Object.keys(object).map((key) => {
-        return t.objectProperty(key, object[value]);
-      });
-      literalValue = t.objectExpression(props);
-    }
-    if (type == 'IdempotencyOptions') {
+    const literalTypes = ['IdempotencyOptions','CustomPagesOptions','SecurityChecksOptions'];
+    if (literalTypes.includes(type)) {
       const object = parsers.objectParser(value);
       const props = Object.keys(object).map((key) => {
         return t.objectProperty(key, object[value]);

spec/ParseServer.Security.spec.js

@@ -0,0 +1,75 @@
+'use strict';
+const Parse = require('parse/node');
+const request = require('../lib/request');
+
+const defaultHeaders = {
+  'X-Parse-Application-Id': 'test',
+  'X-Parse-Rest-API-Key': 'rest',
+  'Content-Type': 'application/json',
+};
+const masterKeyHeaders = {
+  'X-Parse-Application-Id': 'test',
+  'X-Parse-Rest-API-Key': 'rest',
+  'X-Parse-Master-Key': 'test',
+  'Content-Type': 'application/json',
+};
+const defaultOptions = {
+  headers: defaultHeaders,
+  json: true,
+};
+const masterKeyOptions = {
+  headers: masterKeyHeaders,
+  json: true,
+};
+
+describe('SecurityChecks', () => {
+  it('should reject access when not using masterKey (/securityChecks)', done => {
+    request(
+      Object.assign({ url: Parse.serverURL + '/securityChecks' }, defaultOptions)
+    ).then(done.fail, () => done());
+  });
+  it('should reject access by default to  /securityChecks, even with masterKey', done => {
+    request(
+      Object.assign({ url: Parse.serverURL + '/securityChecks' }, masterKeyOptions)
+    ).then(done.fail, () => done());
+  });
+  it('can get security advice', async done => {
+    await reconfigureServer({
+      securityChecks: {
+        enableSecurityChecks: true,
+        enableLogOutput: true,
+      },
+    });
+    const options = Object.assign({}, masterKeyOptions, {
+      method: 'GET',
+      url: Parse.serverURL + '/securityChecks',
+    });
+    request(options).then(res => {
+      expect(res.data.CLP).not.toBeUndefined();
+      expect(res.data.ServerConfig).not.toBeUndefined();
+      expect(res.data.Files).not.toBeUndefined();
+      expect(res.data.Total).not.toBeUndefined();
+      done();
+    });
+  });
+
+  it('can get security on start', async done => {
+    await reconfigureServer({
+      securityChecks: {
+        enableSecurityChecks: true,
+        enableLogOutput: true,
+      },
+    });
+    const logger = require('../lib/logger').logger;
+    spyOn(logger, 'warn').and.callFake(() => {});
+    await new Promise(resolve => {
+      setTimeout(() => {
+        resolve();
+      }, 2000);
+    });
+    expect(logger.warn.calls.mostRecent().args[0]).toContain(
+      'Clients are currently allowed to create new classes.'
+    );
+    done();
+  });
+});

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -18,6 +18,7 @@ import Parse from 'parse/node';
 import _ from 'lodash';
 import defaults from '../../../defaults';
 import logger from '../../../logger';
+import url from 'url';
 
 // @flow-disable-next
 const mongodb = require('mongodb');
@@ -187,6 +188,52 @@ export class MongoStorageAdapter implements StorageAdapter {
     }
     return this.client.close(false);
   }
+  async getSecurityLogs(req: any) {
+    const options = req.config || req;
+    let databaseURI = options.databaseURI;
+    const warnings = [];
+    if (databaseURI.includes('@')) {
+      databaseURI = `mongodb://${databaseURI.split('@')[1]}`;
+      const pwd = options.databaseURI.split('//')[1].split('@')[0].split(':')[1] || '';
+      if (!pwd.match('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*])(?=.{14,})')) {
+        warnings.push({
+          title: `Weak Database Password`,
+          message:
+            'The database password set lacks complexity and length. This could potentially allow an attacker to brute force their way into the database, exposing the database.',
+        });
+      }
+    }
+    let databaseAdmin = '' + databaseURI;
+    try {
+      const parsedURI = url.parse(databaseAdmin);
+      parsedURI.port = '27017';
+      databaseAdmin = parsedURI.toString();
+    } catch (e) {
+      /* */
+    }
+    try {
+      await MongoClient.connect(databaseAdmin, { useNewUrlParser: true });
+      warnings.push({
+        title: `Unrestricted access to port 27017`,
+        message:
+          'The database requires no authentication to the admin port. This could potentially allow an attacker to easily access the database, exposing all of the database.',
+      });
+    } catch (e) {
+      /* */
+    }
+    try {
+      await MongoClient.connect(databaseURI, { useNewUrlParser: true });
+      warnings.push({
+        title: `Unrestricted access to the database`,
+        message:
+          'The database requires no authentication to connect. This could potentially allow an attacker to easily access the database, exposing all of the database.',
+      });
+    } catch (e) {
+      /* */
+    }
+
+    return warnings;
+  }
 
   _adaptiveCollection(name: string) {
     return this.connect()

src/Options/Definitions.js

@@ -360,6 +360,11 @@ module.exports.ParseServerOptions = {
     action: parsers.numberParser('schemaCacheTTL'),
     default: 5000,
   },
+  securityChecks: {
+    env: 'PARSE_SERVER_SECURITY_CHECKS_OPTIONS',
+    help: 'View recommendations for server improvements',
+    action: parsers.objectParser,
+  },
   serverCloseComplete: {
     env: 'PARSE_SERVER_SERVER_CLOSE_COMPLETE',
     help: 'Callback when server has closed',
@@ -552,6 +557,21 @@ module.exports.IdempotencyOptions = {
     default: 300,
   },
 };
+module.exports.SecurityChecksOptions = {
+  enableLogOutput: {
+    env: 'PARSE_SERVER_SECURITY_CHECKS_ENABLE_LOG_OUTPUT',
+    help:
+      'Is true if security warnings should be written to logs. This should only be enabled temporarily to not expose weak security settings in logs.',
+    action: parsers.booleanParser,
+    default: false,
+  },
+  enableSecurityChecks: {
+    env: 'PARSE_SERVER_SECURITY_CHECKS_ENABLE_SECURITY_CHECKS',
+    help: 'If true if Parse Server should self-check the security of its current configuration.',
+    action: parsers.booleanParser,
+    default: false,
+  },
+};
 module.exports.AccountLockoutOptions = {
   duration: {
     env: 'PARSE_SERVER_ACCOUNT_LOCKOUT_DURATION',

src/Options/docs.js

@@ -66,6 +66,7 @@
  * @property {Boolean} revokeSessionOnPasswordReset When a user changes their password, either through the reset password email or while logged in, all sessions are revoked if this is true. Set to false if you don't want to revoke sessions.
  * @property {Boolean} scheduledPush Configuration for push scheduling, defaults to false.
  * @property {Number} schemaCacheTTL The TTL for caching the schema for optimizing read/write operations. You should put a long TTL when your DB is in production. default to 5000; set 0 to disable.
+ * @property {SecurityChecksOptions} securityChecks View recommendations for server improvements
  * @property {Function} serverCloseComplete Callback when server has closed
  * @property {Function} serverStartComplete Callback when server has started
  * @property {String} serverURL URL to your parse server with http:// or https://.
@@ -121,6 +122,12 @@
  * @property {Number} ttl The duration in seconds after which a request record is discarded from the database, defaults to 300s.
  */
 
+/**
+ * @interface SecurityChecksOptions
+ * @property {Boolean} enableLogOutput Is true if security warnings should be written to logs. This should only be enabled temporarily to not expose weak security settings in logs.
+ * @property {Boolean} enableSecurityChecks If true if Parse Server should self-check the security of its current configuration.
+ */
+
 /**
  * @interface AccountLockoutOptions
  * @property {Number} duration number of minutes that a locked-out account remains locked out before automatically becoming unlocked.

src/Options/index.js

@@ -198,6 +198,9 @@ export interface ParseServerOptions {
   :ENV: PARSE_SERVER_EXPERIMENTAL_IDEMPOTENCY_OPTIONS
   :DEFAULT: false */
   idempotencyOptions: ?IdempotencyOptions;
+  /* View recommendations for server improvements
+  :ENV: PARSE_SERVER_SECURITY_CHECKS_OPTIONS */
+  securityChecks: ?SecurityChecksOptions;
   /* Full path to your GraphQL custom schema.graphql file */
   graphQLSchema: ?string;
   /* Mounts the GraphQL endpoint
@@ -292,6 +295,15 @@ export interface IdempotencyOptions {
   ttl: ?number;
 }
 
+export interface SecurityChecksOptions {
+  /* If true if Parse Server should self-check the security of its current configuration.
+  :DEFAULT: false */
+  enableSecurityChecks: ?boolean;
+  /* Is true if security warnings should be written to logs. This should only be enabled temporarily to not expose weak security settings in logs.
+  :DEFAULT: false */
+  enableLogOutput: ?boolean;
+}
+
 export interface AccountLockoutOptions {
   /* number of minutes that a locked-out account remains locked out before automatically becoming unlocked. */
   duration: ?number;

src/ParseServer.js

@@ -40,6 +40,7 @@ import { AggregateRouter } from './Routers/AggregateRouter';
 import { ParseServerRESTController } from './ParseServerRESTController';
 import * as controllers from './Controllers';
 import { ParseGraphQLServer } from './GraphQL/ParseGraphQLServer';
+import { securityChecks } from './SecurityChecks.js';
 
 // Mutate the Parse object to add the Cloud Code handlers
 addParseCloud();
@@ -80,6 +81,9 @@ class ParseServer {
         if (serverStartComplete) {
           serverStartComplete();
         }
+        if ((options.securityChecks || {}).enableLogOutput) {
+          this.getSecurityChecks();
+        }
       })
       .catch(error => {
         if (serverStartComplete) {
@@ -109,6 +113,35 @@ class ParseServer {
     return this._app;
   }
 
+  async getSecurityChecks() {
+    const config = Config.get(this.config.appId);
+    const response = await securityChecks(config);
+    const logger = logging.getLogger();
+    const warnings = response.response;
+    const clp = warnings.CLP;
+    const total = warnings.Total;
+    if (total == 0) {
+      return;
+    }
+    let errorString = `${total} security warning(s) for Parse Server:\n\n`;
+    delete warnings.Total;
+    delete warnings.CLP;
+    for (const security in warnings) {
+      for (const issue of warnings[security]) {
+        errorString += ` -${issue.title}\n`;
+        errorString += `   ${issue.message}\n\n`;
+      }
+    }
+    for (const issue in clp) {
+      errorString += `\n Add CLP for Class: ${issue}\n`;
+      const classData = clp[issue];
+      for (const clpIssue of classData) {
+        errorString += `   ${clpIssue.title}\n`;
+      }
+    }
+    logger.warn(errorString);
+  }
+
   handleShutdown() {
     const promises = [];
     const { adapter: databaseAdapter } = this.config.databaseController;

src/Routers/CloudCodeRouter.js

@@ -1,6 +1,7 @@
 import PromiseRouter from '../PromiseRouter';
 import Parse from 'parse/node';
 import rest from '../rest';
+import { securityChecks } from '../SecurityChecks.js';
 const triggers = require('../triggers');
 const middleware = require('../middlewares');
 
@@ -53,6 +54,7 @@ export class CloudCodeRouter extends PromiseRouter {
       middleware.promiseEnforceMasterKeyAccess,
       CloudCodeRouter.deleteJob
     );
+    this.route('GET', '/securityChecks', middleware.promiseEnforceMasterKeyAccess, securityChecks);
   }
 
   static getJobs(req) {