fix: query aggregation pipeline cannot handle value of type Date when directAccess: true
#8167
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thanks for opening this pull request!
|
|
Ideally the failed test would be something along the lines of: it('direct access should pass dates', async () => {
await reconfigureServer({ directAccess: true });
...
});However that doesn't result in the observed bug that occurs on real servers. I have tested this fix on a real |
Codecov ReportBase: 94.21% // Head: 94.21% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## alpha #8167 +/- ##
=======================================
Coverage 94.21% 94.21%
=======================================
Files 182 182
Lines 13724 13726 +2
=======================================
+ Hits 12930 12932 +2
Misses 794 794
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
Did you look at the test |
mtrezza
changed the title
Date when directAccess: true
mtrezza
changed the title
Date when directAccess: trueDate when directAccess: true
mtrezza
changed the title
Date when directAccess: trueDate when directAccess: true
Yes I did, and it doesn't override |
Maybe not overriding, but the way I'm a bit hesitant to fix this without a test to prevent this bug from being reintroduced. Maybe you could take a 2nd look. |
|
The test that I added makes sure that if a pipeline is used with a |
Maybe I misunderstood your comment, so there is a test that prevents this from being re-introduced? |
|
Yes, I added a test for that 😊 I didn't want coverage to go down either |
parseplatformorg
pushed a commit
that referenced
this pull request
Sep 17, 2022
# [5.3.0-alpha.24](5.3.0-alpha.23...5.3.0-alpha.24) (2022-09-17) ### Bug Fixes * query aggregation pipeline cannot handle value of type `Date` when `directAccess: true` ([#8167](#8167)) ([e424137](e424137))
|
🎉 This change has been released in version 5.3.0-alpha.24 |
parseplatformorg
pushed a commit
that referenced
this pull request
Oct 29, 2022
# [5.4.0-beta.1](5.3.0...5.4.0-beta.1) (2022-10-29) ### Bug Fixes * authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([#8187](#8187)) ([8c8ec71](8c8ec71)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([#8146](#8146)) [skip release] ([4c0c7c7](4c0c7c7)) * certificate in Apple Game Center auth adapter not validated [skip release] ([#8058](#8058)) ([75af9a2](75af9a2)) * graphQL query ignores condition `equalTo` with value `false` ([#8032](#8032)) ([7f5a15d](7f5a15d)) * internal indices for classes `_Idempotency` and `_Role` are not protected in defined schema ([#8121](#8121)) ([c16f529](c16f529)) * invalid file request not properly handled [skip release] ([#8062](#8062)) ([4c9e956](4c9e956)) * liveQuery with `containedIn` not working when object field is an array ([#8128](#8128)) ([1d9605b](1d9605b)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([#8076](#8076)) ([9fd4516](9fd4516)) * push notifications `badge` doesn't update with Installation beforeSave trigger ([#8162](#8162)) ([3c75c2b](3c75c2b)) * query aggregation pipeline cannot handle value of type `Date` when `directAccess: true` ([#8167](#8167)) ([e424137](e424137)) * relation constraints in compound queries `Parse.Query.or`, `Parse.Query.and` not working ([#8203](#8203)) ([28f0d26](28f0d26)) * security upgrade undici from 5.6.0 to 5.8.0 ([#8108](#8108)) ([4aa016b](4aa016b)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([#8238](#8238)) ([c03908f](c03908f)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([#8180](#8180)) ([37fed30](37fed30)) * sorting by non-existing value throws `INVALID_SERVER_ERROR` on Postgres ([#8157](#8157)) ([3b775a1](3b775a1)) * updating object includes unchanged keys in client response for certain key types ([#8159](#8159)) ([37af1d7](37af1d7)) ### Features * add convenience access to Parse Server configuration in Cloud Code via `Parse.Server` ([#8244](#8244)) ([9f11115](9f11115)) * add option to change the default value of the `Parse.Query.limit()` constraint ([#8152](#8152)) ([0388956](0388956)) * add support for MongoDB 6 ([#8242](#8242)) ([aba0081](aba0081)) * add support for Postgres 15 ([#8215](#8215)) ([2feb6c4](2feb6c4)) * liveQuery support for unsorted distance queries ([#8221](#8221)) ([0f763da](0f763da))
|
🎉 This change has been released in version 5.4.0-beta.1 |
parseplatformorg
pushed a commit
that referenced
this pull request
Oct 31, 2022
# [5.4.0-alpha.1](5.3.0...5.4.0-alpha.1) (2022-10-31) ### Bug Fixes * authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([#8187](#8187)) ([8c8ec71](8c8ec71)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([#8146](#8146)) [skip release] ([4c0c7c7](4c0c7c7)) * certificate in Apple Game Center auth adapter not validated [skip release] ([#8058](#8058)) ([75af9a2](75af9a2)) * graphQL query ignores condition `equalTo` with value `false` ([#8032](#8032)) ([7f5a15d](7f5a15d)) * internal indices for classes `_Idempotency` and `_Role` are not protected in defined schema ([#8121](#8121)) ([c16f529](c16f529)) * invalid file request not properly handled [skip release] ([#8062](#8062)) ([4c9e956](4c9e956)) * liveQuery with `containedIn` not working when object field is an array ([#8128](#8128)) ([1d9605b](1d9605b)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([#8076](#8076)) ([9fd4516](9fd4516)) * push notifications `badge` doesn't update with Installation beforeSave trigger ([#8162](#8162)) ([3c75c2b](3c75c2b)) * query aggregation pipeline cannot handle value of type `Date` when `directAccess: true` ([#8167](#8167)) ([e424137](e424137)) * relation constraints in compound queries `Parse.Query.or`, `Parse.Query.and` not working ([#8203](#8203)) ([28f0d26](28f0d26)) * security upgrade undici from 5.6.0 to 5.8.0 ([#8108](#8108)) ([4aa016b](4aa016b)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([#8238](#8238)) ([c03908f](c03908f)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([#8180](#8180)) ([37fed30](37fed30)) * sorting by non-existing value throws `INVALID_SERVER_ERROR` on Postgres ([#8157](#8157)) ([3b775a1](3b775a1)) * updating object includes unchanged keys in client response for certain key types ([#8159](#8159)) ([37af1d7](37af1d7)) ### Features * add convenience access to Parse Server configuration in Cloud Code via `Parse.Server` ([#8244](#8244)) ([9f11115](9f11115)) * add option to change the default value of the `Parse.Query.limit()` constraint ([#8152](#8152)) ([0388956](0388956)) * add support for MongoDB 6 ([#8242](#8242)) ([aba0081](aba0081)) * add support for Postgres 15 ([#8215](#8215)) ([2feb6c4](2feb6c4)) * liveQuery support for unsorted distance queries ([#8221](#8221)) ([0f763da](0f763da))
|
🎉 This change has been released in version 5.4.0-alpha.1 |
parseplatformorg
pushed a commit
that referenced
this pull request
Nov 19, 2022
# [5.4.0](5.3.3...5.4.0) (2022-11-19) ### Bug Fixes * authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([#8187](#8187)) ([8c8ec71](8c8ec71)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([#8146](#8146)) [skip release] ([4c0c7c7](4c0c7c7)) * certificate in Apple Game Center auth adapter not validated [skip release] ([#8058](#8058)) ([75af9a2](75af9a2)) * graphQL query ignores condition `equalTo` with value `false` ([#8032](#8032)) ([7f5a15d](7f5a15d)) * internal indices for classes `_Idempotency` and `_Role` are not protected in defined schema ([#8121](#8121)) ([c16f529](c16f529)) * invalid file request not properly handled [skip release] ([#8062](#8062)) ([4c9e956](4c9e956)) * liveQuery with `containedIn` not working when object field is an array ([#8128](#8128)) ([1d9605b](1d9605b)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([#8076](#8076)) ([9fd4516](9fd4516)) * push notifications `badge` doesn't update with Installation beforeSave trigger ([#8162](#8162)) ([3c75c2b](3c75c2b)) * query aggregation pipeline cannot handle value of type `Date` when `directAccess: true` ([#8167](#8167)) ([e424137](e424137)) * relation constraints in compound queries `Parse.Query.or`, `Parse.Query.and` not working ([#8203](#8203)) ([28f0d26](28f0d26)) * security upgrade undici from 5.6.0 to 5.8.0 ([#8108](#8108)) ([4aa016b](4aa016b)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([#8238](#8238)) ([c03908f](c03908f)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([#8180](#8180)) ([37fed30](37fed30)) * sorting by non-existing value throws `INVALID_SERVER_ERROR` on Postgres ([#8157](#8157)) ([3b775a1](3b775a1)) * updating object includes unchanged keys in client response for certain key types ([#8159](#8159)) ([37af1d7](37af1d7)) ### Features * add convenience access to Parse Server configuration in Cloud Code via `Parse.Server` ([#8244](#8244)) ([9f11115](9f11115)) * add option to change the default value of the `Parse.Query.limit()` constraint ([#8152](#8152)) ([0388956](0388956)) * add support for MongoDB 6 ([#8242](#8242)) ([aba0081](aba0081)) * add support for Postgres 15 ([#8215](#8215)) ([2feb6c4](2feb6c4)) * liveQuery support for unsorted distance queries ([#8221](#8221)) ([0f763da](0f763da))
|
🎉 This change has been released in version 5.4.0 |
|
🎉 This change has been released in version 5.4.0 |
dblythy
pushed a commit
to dblythy/parse-server
that referenced
this pull request
Feb 15, 2023
* authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([parse-community#8187](parse-community#8187)) ([8c8ec71](parse-community@8c8ec71)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([parse-community#8146](parse-community#8146)) [skip release] ([4c0c7c7](parse-community@4c0c7c7)) * certificate in Apple Game Center auth adapter not validated [skip release] ([parse-community#8058](parse-community#8058)) ([75af9a2](parse-community@75af9a2)) * graphQL query ignores condition `equalTo` with value `false` ([parse-community#8032](parse-community#8032)) ([7f5a15d](parse-community@7f5a15d)) * internal indices for classes `_Idempotency` and `_Role` are not protected in defined schema ([parse-community#8121](parse-community#8121)) ([c16f529](parse-community@c16f529)) * invalid file request not properly handled [skip release] ([parse-community#8062](parse-community#8062)) ([4c9e956](parse-community@4c9e956)) * liveQuery with `containedIn` not working when object field is an array ([parse-community#8128](parse-community#8128)) ([1d9605b](parse-community@1d9605b)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([parse-community#8076](parse-community#8076)) ([9fd4516](parse-community@9fd4516)) * push notifications `badge` doesn't update with Installation beforeSave trigger ([parse-community#8162](parse-community#8162)) ([3c75c2b](parse-community@3c75c2b)) * query aggregation pipeline cannot handle value of type `Date` when `directAccess: true` ([parse-community#8167](parse-community#8167)) ([e424137](parse-community@e424137)) * relation constraints in compound queries `Parse.Query.or`, `Parse.Query.and` not working ([parse-community#8203](parse-community#8203)) ([28f0d26](parse-community@28f0d26)) * security upgrade undici from 5.6.0 to 5.8.0 ([parse-community#8108](parse-community#8108)) ([4aa016b](parse-community@4aa016b)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([parse-community#8238](parse-community#8238)) ([c03908f](parse-community@c03908f)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([parse-community#8180](parse-community#8180)) ([37fed30](parse-community@37fed30)) * sorting by non-existing value throws `INVALID_SERVER_ERROR` on Postgres ([parse-community#8157](parse-community#8157)) ([3b775a1](parse-community@3b775a1)) * updating object includes unchanged keys in client response for certain key types ([parse-community#8159](parse-community#8159)) ([37af1d7](parse-community@37af1d7)) * add convenience access to Parse Server configuration in Cloud Code via `Parse.Server` ([parse-community#8244](parse-community#8244)) ([9f11115](parse-community@9f11115)) * add option to change the default value of the `Parse.Query.limit()` constraint ([parse-community#8152](parse-community#8152)) ([0388956](parse-community@0388956)) * add support for MongoDB 6 ([parse-community#8242](parse-community#8242)) ([aba0081](parse-community@aba0081)) * add support for Postgres 15 ([parse-community#8215](parse-community#8215)) ([2feb6c4](parse-community@2feb6c4)) * liveQuery support for unsorted distance queries ([parse-community#8221](parse-community#8221)) ([0f763da](parse-community@0f763da))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Pull Request Checklist
Issue Description
Aggregation pipeline with dates do not work with
directAccessRelated issue: #7748
Closes #7748
Approach
If a date is already a date in an aggregate pipeline, it should stay as a date. It is currently converted to
{}TODOs before merging