From d1106174571b699f972929dd7cbb8e45b5283cbb Mon Sep 17 00:00:00 2001
From: Diamond Lewis
Date: Fri, 22 Nov 2019 19:10:23 -0600
Subject: [PATCH] Merge pull request from GHSA-wvh7-5p38-2qfc

https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-wvh7-5p38-2qfc
---
 integration/test/ParseUserTest.js | 18 ++++++++++++++++++
 src/ParseUser.js | 2 ++
 2 files changed, 20 insertions(+)

diff --git a/integration/test/ParseUserTest.js b/integration/test/ParseUserTest.js
index 34240f88e..132fccb73 100644
--- a/integration/test/ParseUserTest.js
+++ b/integration/test/ParseUserTest.js
@@ -898,4 +898,22 @@ describe('Parse User', () => {
 expect(user.get('authData').twitter.id).toBe(authData.id);
 expect(user.get('authData').facebook.id).toBe('test');
 });
+
+ it('fix GHSA-wvh7-5p38-2qfc', async () => {
+ Parse.User.enableUnsafeCurrentUser();
+ const user = new Parse.User();
+ user.setUsername('username');
+ user.setPassword('password');
+ await user.signUp();
+
+ const path = Parse.Storage.generatePath('currentUser');
+ let userData = Parse.Storage.getItem(path);
+ expect(JSON.parse(userData).password).toBeUndefined();
+
+ user.setPassword('password');
+ await user.save(null, { useMasterKey: true });
+
+ userData = Parse.Storage.getItem(path);
+ expect(JSON.parse(userData).password).toBeUndefined();
+ });
 });
diff --git a/src/ParseUser.js b/src/ParseUser.js
index 8166bc7cf..c778afaa6 100644
--- a/src/ParseUser.js
+++ b/src/ParseUser.js
@@ -869,6 +869,8 @@ const DefaultController = {
 updateUserOnDisk(user) {
 const path = Storage.generatePath(CURRENT_USER_KEY);
 const json = user.toJSON();
+ delete json.password;
+
 json.className = user.constructor.name === ParseUser.name ? '_User' : user.constructor.name;
 return Storage.setItemAsync(
 path, JSON.stringify(json)
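Review bot: In integration/test/ParseUserTest.js the new test can pass vacuously, because both assertions only check that `password` is absent from whatever is stored at `path`. A positive check beside each one, e.g. `expect(JSON.parse(userData).username).toBe('username');` (assuming the stored JSON carries the username), would show that the record being inspected really is the serialized current user. The title `'fix GHSA-wvh7-5p38-2qfc'` also says nothing about the behaviour under test; something like `'does not write the password to current-user storage'` reads better in a test report.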
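Review bot: In src/ParseUser.js the added `delete json.password;` only cleans records written from now on; a current-user entry stored by an earlier SDK version presumably keeps its `password` field until `updateUserOnDisk` next runs for that user. The read path is outside this hunk, so it is worth checking that it drops the field, or rewrites the entry, when it loads an old record. The line also deserves a comment such as `// Never write the password to local storage (GHSA-wvh7-5p38-2qfc)`, so that a later refactor does not remove it. `updateUserOnDisk` continues past the end of the hunk.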