diff --git a/integration/test/ParseUserTest.js b/integration/test/ParseUserTest.js
index 34240f88e..132fccb73 100644
--- a/integration/test/ParseUserTest.js
+++ b/integration/test/ParseUserTest.js
@@ -898,4 +898,22 @@ describe('Parse User', () => {
     expect(user.get('authData').twitter.id).toBe(authData.id);
     expect(user.get('authData').facebook.id).toBe('test');
   });
+
+  it('fix GHSA-wvh7-5p38-2qfc', async () => {
+    Parse.User.enableUnsafeCurrentUser();
+    const user = new Parse.User();
+    user.setUsername('username');
+    user.setPassword('password');
+    await user.signUp();
+
+    const path = Parse.Storage.generatePath('currentUser');
+    let userData = Parse.Storage.getItem(path);
+    expect(JSON.parse(userData).password).toBeUndefined();
+
+    user.setPassword('password');
+    await user.save(null, { useMasterKey: true });
+
+    userData = Parse.Storage.getItem(path);
+    expect(JSON.parse(userData).password).toBeUndefined();
+  });
 });
diff --git a/src/ParseUser.js b/src/ParseUser.js
index 8166bc7cf..c778afaa6 100644
--- a/src/ParseUser.js
+++ b/src/ParseUser.js
@@ -869,6 +869,8 @@ const DefaultController = {
   updateUserOnDisk(user) {
     const path = Storage.generatePath(CURRENT_USER_KEY);
     const json = user.toJSON();
+    delete json.password;
+    json.className = user.constructor.name === ParseUser.name ? '_User' : user.constructor.name;
     return Storage.setItemAsync(
       path,
       JSON.stringify(json)
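Review bot: The new test switches on unsafe current-user mode with `Parse.User.enableUnsafeCurrentUser()` at its top but never restores the previous mode, so that global setting leaks into every test that runs after it in this file; wrapping the body in try/finally with `Parse.User.disableUnsafeCurrentUser()`, or resetting it in an afterEach, would isolate it. The two assertions only check that `password` is absent from the stored record; they do not check that the sanitized record is still a usable current user, so a regression that wiped the whole record (or stored `null`) would still pass, and a companion check after each read such as `expect(JSON.parse(userData).sessionToken).toBeDefined();` (assuming the persisted user carries its session token, as it appears to) would close that gap. The title `fix GHSA-wvh7-5p38-2qfc` says which advisory but not what is asserted; `it('does not persist the password in current user storage (GHSA-wvh7-5p38-2qfc)', ...)` reads better in a failure report.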
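Review bot: `delete json.password` is the security-relevant line of this hunk, yet nothing in the code says why it is there, and a later maintainer could read it as redundant clean-up; a comment such as `// Never persist the plaintext password to local storage (GHSA-wvh7-5p38-2qfc)` directly above it would anchor the intent. The fix is write-side only: a current-user record persisted by a build before this change still carries its `password` field until `updateUserOnDisk` next runs for that user, so the path that reads the current user back from Storage (not in this hunk) would presumably be the place to drop the key on load as well. The `json.className` assignment on the next line appears unrelated to the advisory and changes what is persisted for subclasses; if it is needed it deserves a one-line comment of its own, otherwise it would be clearer as a separate commit. `updateUserOnDisk` closes outside the hunk.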