Issue 246 fix - Unconditionally remove the hidden fields from incoming body in middlewares.js:handleParseHeaders #302
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If the incoming request has app id specified both in the header AND the JSON body, then check that both are the same. Flag the request as invalid if they are not the same. If the app id is not specified in the headers, then pick it up from the JSON body. Moreover, remove the app config keys (app id, master key, js key, .net key etc.) from the request body unconditionally - ie. even if those are specified in the header. This is so that if the proxy fronting the app is not able these keys from the body. Signed-off-by: Kunal Gangakhedkar <[email protected]>
De-indent the block after removing the if conditional for appid passed in the header. Signed-off-by: Kunal Gangakhedkar <[email protected]>
Signed-off-by: Kunal Gangakhedkar <[email protected]>
|
This is failing several tests. |
|
If you get around to it, please fix and submit a new PR. Thanks. |
|
Yes, stuck in some other high-priority work as of now :( Will merge with latest repo, fix, test and send a new pull request when time permits. thanks for taking a look at it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When different instances of parse-server are fronted by a proxy (like haproxy), it may not be possible to modify the body - even if it can read and process the body and set some headers based on the info from body (these can, in turn, be used for forwarding decisions).
In case if the parse-server instance encounters such a situation, it should still remove the variables from the body after verifying that the hidden fields set in the headers and the body are actually matching.
AFAIK, only Parse-JS-SDK sends the app information in the body - all other SDKs send it correctly in the headers.