Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Deny request if master key is not set in Parse Server option masterKeyIps regardless of ACL and CLP #8957

Merged
merged 10 commits into from
Mar 1, 2024
Merged

fix: Deny request if master key is not set in Parse Server option masterKeyIps regardless of ACL and CLP #8957

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
26a2e23
deny requests for ip restricted master keys
suathh Dec 10, 2023
c12c440
Merge branch 'alpha' into issue#8829
mtrezza Dec 25, 2023
b48f199
Merge branch 'alpha' into issue#8829
mtrezza Feb 23, 2024
19d305a
fix test cases according to new error while using master key with not…
EhsanParsania Feb 25, 2024
9c6b6d9
Merge branch 'alpha' into fix-deny-requests-for-ip-restricted-master-…
mtrezza Feb 27, 2024
23f8298
prevent returning more information than necessary in error message
EhsanParsania Feb 27, 2024
c8fe31b
restructure middlewares test cases
EhsanParsania Feb 27, 2024
fad4e74
fix expectation message
EhsanParsania Feb 28, 2024
41bcc3d
check log in two middlewares tests
EhsanParsania Feb 29, 2024
374b58f
Merge branch 'alpha' into fix-deny-requests-for-ip-restricted-master-…
mtrezza Mar 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 26 additions & 16 deletions spec/Middlewares.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ describe('middlewares', () => {
});

it('should use _ContentType if provided', done => {
AppCachePut(fakeReq.body._ApplicationId, {
masterKeyIps: ['127.0.0.1'],
});
expect(fakeReq.headers['content-type']).toEqual(undefined);
const contentType = 'image/jpeg';
fakeReq.body._ContentType = contentType;
Expand Down Expand Up @@ -153,25 +156,23 @@ describe('middlewares', () => {
});
fakeReq.ip = '127.0.0.1';
fakeReq.headers['x-parse-master-key'] = 'masterKey';
await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
expect(fakeReq.auth.isMaster).toBe(false);

let error;

try {
await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
} catch (err) {
error = err;
}

expect(error).toBeDefined();
expect(error.message).toEqual(`unauthorized`);
expect(logger.error).toHaveBeenCalledWith(
EhsanParsania marked this conversation as resolved.
Show resolved Hide resolved
`Request using master key rejected as the request IP address '127.0.0.1' is not set in Parse Server option 'masterKeyIps'.`
);
});

it('should not succeed if the ip does not belong to masterKeyIps list', async () => {
AppCachePut(fakeReq.body._ApplicationId, {
masterKey: 'masterKey',
masterKeyIps: ['10.0.0.1'],
});
fakeReq.ip = '127.0.0.1';
fakeReq.headers['x-parse-master-key'] = 'masterKey';
await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
expect(fakeReq.auth.isMaster).toBe(false);
});

it('should not succeed if the ip does not belong to maintenanceKeyIps list', async () => {
it('should not succeed and log if the ip does not belong to maintenanceKeyIps list', async () => {
const logger = require('../lib/logger').logger;
spyOn(logger, 'error').and.callFake(() => {});
AppCachePut(fakeReq.body._ApplicationId, {
Expand All @@ -180,8 +181,17 @@ describe('middlewares', () => {
});
fakeReq.ip = '10.0.0.2';
fakeReq.headers['x-parse-maintenance-key'] = 'masterKey';
await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
expect(fakeReq.auth.isMaintenance).toBe(false);

let error;

try {
EhsanParsania marked this conversation as resolved.
Show resolved Hide resolved
await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
} catch (err) {
error = err;
}

expect(error).toBeDefined();
expect(error.message).toEqual(`unauthorized`);
expect(logger.error).toHaveBeenCalledWith(
`Request using maintenance key rejected as the request IP address '10.0.0.2' is not set in Parse Server option 'maintenanceKeyIps'.`
);
Expand Down
4 changes: 4 additions & 0 deletions src/middlewares.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,10 @@ export function handleParseHeaders(req, res, next) {
`Request using master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'masterKeyIps'.`
);
isMaster = false;
const error = new Error();
error.status = 403;
error.message = `unauthorized`;
throw error;
}

if (isMaster) {
Expand Down
Loading