fix: afterSave trigger removes pointer in Parse object #7913
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thanks for opening this pull request!
|
Codecov Report
@@ Coverage Diff @@
## alpha #7913 +/- ##
=======================================
Coverage 94.12% 94.13%
=======================================
Files 182 182
Lines 13622 13630 +8
=======================================
+ Hits 12822 12830 +8
Misses 800 800
Continue to review full report at Codecov.
|
|
Also fixes API returning unchanged keys (which can lead to a massive increase in data traffic), which was an unexpected change due to #7839. Tests cases added as well to ensure save response has required keys only. |
mtrezza
reviewed
Mar 31, 2022
Moumouls
suggested changes
Apr 3, 2022
|
Hi @dblythy, I know that we have "default columns" in "SchemaController" but it seems to not fit into the use case since for example for the Parse. User class, the password will be returned. Here I can suggest to avoid any security issues, that you can return "objectId, createdAt, updatedAt" for all classes. And just return "username" in the case of "Parse. User" RestWrite ops. In terms of variable definitions, you could use the same architecture as the SchemaController: Define at the top of the file a "defaultMandatoryColumsInResponse" in object format like const defaultMandatoryColumnsInResponse = Object.freeze({
_Default: ['objectId', 'createdAt', 'updatedAt']
_User: ['username']
}In the future, it will be easily extensible and readable. |
mtrezza
force-pushed
the
alpha
branch
2 times, most recently
from
59215e6
to
e6d7d8f
Compare
|
@dblythy there was an issue with the commit history, for the review, could you rebase on alpha to get a clean changes diffs. Then request me a new review 🚀 |
mtrezza
reviewed
May 10, 2022
mtrezza
requested changes
May 19, 2022
mtrezza
requested changes
May 19, 2022
|
Yep! |
mtrezza
changed the title
parseplatformorg
pushed a commit
that referenced
this pull request
May 20, 2022
# [5.3.0-alpha.12](5.3.0-alpha.11...5.3.0-alpha.12) (2022-05-20) ### Bug Fixes * afterSave trigger removes pointer in Parse object ([#7913](#7913)) ([47d796e](47d796e))
|
🎉 This change has been released in version 5.3.0-alpha.12 |
parseplatformorg
pushed a commit
that referenced
this pull request
Jun 17, 2022
# [5.3.0-beta.1](5.2.1...5.3.0-beta.1) (2022-06-17) ### Bug Fixes * afterSave trigger removes pointer in Parse object ([#7913](#7913)) ([47d796e](47d796e)) * auto-release process may fail if optional back-merging task fails ([#8051](#8051)) ([cf925e7](cf925e7)) * custom database options are not passed to MongoDB GridFS ([#7911](#7911)) ([b1e5565](b1e5565)) * depreciate allowClientClassCreation defaulting to true ([#7925](#7925)) ([38ed96a](38ed96a)) * errors in GraphQL do not show the original error but a general `Unexpected Error` ([#8045](#8045)) ([0d81887](0d81887)) * interrupted WebSocket connection not closed by LiveQuery server ([#8012](#8012)) ([2d5221e](2d5221e)) * live query role cache does not clear when a user is added to a role ([#8026](#8026)) ([199dfc1](199dfc1)) * peer dependency mismatch for GraphQL dependencies ([#7934](#7934)) ([0a6faa8](0a6faa8)) * return correct response when revert is used in beforeSave ([#7839](#7839)) ([19900fc](19900fc)) * security upgrade @parse/fs-files-adapter from 1.2.1 to 1.2.2 ([#7948](#7948)) ([3a70fda](3a70fda)) * security upgrade moment from 2.29.1 to 2.29.2 ([#7931](#7931)) ([731c550](731c550)) * security upgrade parse push adapter from 4.1.0 to 4.1.2 ([#7893](#7893)) ([93667b4](93667b4)) * websocket connection of LiveQuery interrupts frequently ([#8048](#8048)) ([03caae1](03caae1)) ### Features * add MongoDB 5.1 compatibility ([#7682](#7682)) ([022a856](022a856)) * add MongoDB 5.2 support ([#7894](#7894)) ([5bfa716](5bfa716)) * add support for Node 17 and 18 ([#7896](#7896)) ([3e9f292](3e9f292)) * align file trigger syntax with class trigger; use the new syntax `Parse.Cloud.beforeSave(Parse.File, (request) => {})`, the old syntax `Parse.Cloud.beforeSaveFile((request) => {})` has been deprecated ([#7966](#7966)) ([c6dcad8](c6dcad8)) * replace GraphQL Apollo with GraphQL Yoga ([#7967](#7967)) ([1aa2204](1aa2204)) * selectively enable / disable default authentication adapters ([#7953](#7953)) ([c1e808f](c1e808f)) * upgrade mongodb from 4.4.1 to 4.5.0 ([#7991](#7991)) ([e692b5d](e692b5d)) ### Performance Improvements * reduce database operations when using the constant parameter in Cloud Function validation ([#7892](#7892)) ([041197f](041197f))
|
🎉 This change has been released in version 5.3.0-beta.1 |
parseplatformorg
pushed a commit
that referenced
this pull request
Oct 29, 2022
# [5.3.0](5.2.8...5.3.0) (2022-10-29) ### Bug Fixes * afterSave trigger removes pointer in Parse object ([#7913](#7913)) ([47d796e](47d796e)) * authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([#8188](#8188)) ([1a2b1b9](1a2b1b9)) * auto-release process may fail if optional back-merging task fails ([#8051](#8051)) ([cf925e7](cf925e7)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([#8145](#8145)) [skip release] ([f0db4ca](f0db4ca)) * certificate in Apple Game Center auth adapter not validated [skip release] ([#8055](#8055)) ([4c2aa63](4c2aa63)) * custom database options are not passed to MongoDB GridFS ([#7911](#7911)) ([b1e5565](b1e5565)) * depreciate allowClientClassCreation defaulting to true ([#7925](#7925)) ([38ed96a](38ed96a)) * errors in GraphQL do not show the original error but a general `Unexpected Error` ([#8045](#8045)) ([0d81887](0d81887)) * interrupted WebSocket connection not closed by LiveQuery server ([#8012](#8012)) ([2d5221e](2d5221e)) * invalid file request not properly handled [skip release] ([#8061](#8061)) ([1a04a34](1a04a34)) * live query role cache does not clear when a user is added to a role ([#8026](#8026)) ([199dfc1](199dfc1)) * peer dependency mismatch for GraphQL dependencies ([#7934](#7934)) ([0a6faa8](0a6faa8)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([#8075](#8075)) ([636d16e](636d16e)) * return correct response when revert is used in beforeSave ([#7839](#7839)) ([19900fc](19900fc)) * security upgrade @parse/fs-files-adapter from 1.2.1 to 1.2.2 ([#7948](#7948)) ([3a70fda](3a70fda)) * security upgrade moment from 2.29.1 to 2.29.2 ([#7931](#7931)) ([731c550](731c550)) * security upgrade parse push adapter from 4.1.0 to 4.1.2 ([#7893](#7893)) ([93667b4](93667b4)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([#8237](#8237)) ([4c1befa](4c1befa)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([#8181](#8181)) ([83cdc89](83cdc89)) * websocket connection of LiveQuery interrupts frequently ([#8048](#8048)) ([03caae1](03caae1)) ### Features * add MongoDB 5.1 compatibility ([#7682](#7682)) ([022a856](022a856)) * add MongoDB 5.2 support ([#7894](#7894)) ([5bfa716](5bfa716)) * add support for Node 17 and 18 ([#7896](#7896)) ([3e9f292](3e9f292)) * align file trigger syntax with class trigger; use the new syntax `Parse.Cloud.beforeSave(Parse.File, (request) => {})`, the old syntax `Parse.Cloud.beforeSaveFile((request) => {})` has been deprecated ([#7966](#7966)) ([c6dcad8](c6dcad8)) * replace GraphQL Apollo with GraphQL Yoga ([#7967](#7967)) ([1aa2204](1aa2204)) * selectively enable / disable default authentication adapters ([#7953](#7953)) ([c1e808f](c1e808f)) * upgrade mongodb from 4.4.1 to 4.5.0 ([#7991](#7991)) ([e692b5d](e692b5d)) ### Performance Improvements * reduce database operations when using the constant parameter in Cloud Function validation ([#7892](#7892)) ([041197f](041197f))
|
🎉 This change has been released in version 5.3.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Pull Request Checklist
Issue Description
As discussed in #7912, afterSave triggers cause response object to strip out all keys on pointers.
Related issue: #7912
Approach
Skip stripping out response pointers
TODOs before merging