Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8295

Merged
merged 1 commit into from
Nov 7, 2022

Conversation

mtrezza
Copy link
Member

@mtrezza mtrezza commented Nov 7, 2022

Fixes security vulnerability GHSA-prm5-8g2m-24gg

@parse-github-assistant
Copy link

parse-github-assistant bot commented Nov 7, 2022

Thanks for opening this pull request!

  • ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for essential information to quicker review the pull request.

@mtrezza mtrezza changed the title fix-release-24gg fix: Release-24gg Nov 7, 2022
@codecov
Copy link

codecov bot commented Nov 7, 2022

Codecov Report

Base: 94.12% // Head: 87.14% // Decreases project coverage by -6.98% ⚠️

Coverage data is based on head (08ee746) compared to base (4462b39).
Patch coverage: 87.68% of modified lines in pull request are covered.

❗ Current head 08ee746 differs from pull request most recent head 75d6080. Consider uploading reports for the commit 75d6080 to get more accurate results

Additional details and impacted files
@@             Coverage Diff             @@
##           release    #8295      +/-   ##
===========================================
- Coverage    94.12%   87.14%   -6.99%     
===========================================
  Files          182      182              
  Lines        13621    13737     +116     
===========================================
- Hits         12821    11971     -850     
- Misses         800     1766     +966     
Impacted Files Coverage Δ
src/Adapters/Cache/LRUCache.js 100.00% <ø> (ø)
src/Adapters/Files/GridFSBucketAdapter.js 9.48% <0.00%> (-70.02%) ⬇️
src/GraphQL/helpers/objectsQueries.js 86.71% <0.00%> (-3.91%) ⬇️
src/GraphQL/loaders/schemaTypes.js 100.00% <ø> (ø)
src/LiveQuery/SessionTokenCache.js 86.95% <ø> (ø)
src/Options/index.js 100.00% <ø> (ø)
src/Adapters/Auth/spotify.js 62.50% <60.00%> (-17.50%) ⬇️
src/GraphQL/loaders/defaultGraphQLTypes.js 97.06% <75.00%> (ø)
src/Adapters/Auth/facebook.js 90.62% <80.00%> (-1.44%) ⬇️
src/Auth.js 92.36% <83.33%> (-7.64%) ⬇️
... and 45 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@mtrezza mtrezza changed the title fix: Release-24gg fix: Remote code execution via MongoDB BSON parser through prototype pollution Nov 7, 2022
@mtrezza mtrezza merged commit 50eed3c into parse-community:release Nov 7, 2022
parseplatformorg pushed a commit that referenced this pull request Nov 7, 2022
## [5.3.1](5.3.0...5.3.1) (2022-11-07)

### Bug Fixes

* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 5.3.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 7, 2022
@mtrezza mtrezza deleted the fix-release-24gg branch November 9, 2022 18:13
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* release:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* beta:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
parseplatformorg pushed a commit that referenced this pull request Jan 31, 2023
# [6.0.0-alpha.31](6.0.0-alpha.30...6.0.0-alpha.31) (2023-01-31)

### Bug Fixes

* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([#8302](#8302)) ([6728da1](6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([#8305](#8305)) ([60c5a73](60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.0.0-alpha.31

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jan 31, 2023
dblythy pushed a commit to dblythy/parse-server that referenced this pull request Feb 15, 2023
* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([parse-community#8302](parse-community#8302)) ([6728da1](parse-community@6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([parse-community#8305](parse-community#8305)) ([60c5a73](parse-community@60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([parse-community#8295](parse-community#8295)) ([50eed3c](parse-community@50eed3c))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
state:released Released as stable version state:released-alpha Released as alpha version
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants