fix: Prototype Pollution vulnerability in SingleInstanceStateController
(GHSA-9g8m-v378-pcg3)
#2745
Conversation
✅ Snyk checks have passed. No issues have been found so far.
📝 Walkthrough
Refactors SingleInstanceStateController to use prototype-free maps via Object.create(null) for all state containers, updates related logic and imports, and adds a new exported removeState function. Adds tests guarding against prototype pollution with dangerous className/id inputs. Adjusts type declaration imports without API signature changes.
Sequence Diagram(s)
sequenceDiagram
autonumber
participant Client
participant Controller as SingleInstanceStateController
participant ObjState as objectState (proto-free)
participant ClassMap as per-class map (proto-free)
Client->>Controller: initializeState(obj)
Controller->>ObjState: ensure container (Object.create(null))
Controller->>ClassMap: ensure class map (Object.create(null))
Controller-->>Client: initialized
Client->>Controller: getState(obj)
Controller->>ObjState: lookup by className
ObjState-->>Controller: class map (proto-free)
Controller->>ClassMap: lookup by id
ClassMap-->>Controller: State | undefined
Controller-->>Client: State
Client->>Controller: removeState(obj)
Controller->>ObjState: lookup class map
Controller->>ClassMap: delete id -> return State | null
Controller-->>Client: removed State | null
note over Controller,ObjState: All maps are prototype-free to avoid<br/>__proto__/constructor/prototype key collisions.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Coverage Diff (alpha vs #2745):
Coverage   100.00%   100.00%
Files           63        63
Lines         6185      6185
Branches      1456      1456
Hits          6185      6185
8cbe1fb to ee630ff
@mtrezza ready to review
@Moumouls Could you please check the failing types job?
# [7.0.0-alpha.1](6.2.0-alpha.3...7.0.0-alpha.1) (2025-10-14)
### Bug Fixes
* Prototype Pollution vulnerability in `SingleInstanceStateController`; fixes security vulnerability [GHSA-9g8m-v378-pcg3](GHSA-9g8m-v378-pcg3) ([#2745](#2745)) ([9e7c1ba](9e7c1ba))
* HTTP status code 3XX redirection for Parse Server URL not handled properly ([#2608](#2608)) ([58e7f58](58e7f58))
* Incorrect type in `ParseObject.fetch` parameter `options` ([#2726](#2726)) ([dc78419](dc78419))
* Prototype pollution in `Parse.Object` and internal APIs; fixes security vulnerability [GHSA-9f2h-7v79-mxw](https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3) ([#2749](#2749)) ([0097398](0097398))
* Unhandled exception when calling `Parse.Cloud.run` with option value `null` ([#2622](#2622)) ([#2623](#2623)) ([2818ed9](2818ed9))
### Features
* Add `Parse.File` upload and download progress in browser and Node environments ([#2503](#2503)) ([d3ca465](d3ca465))
* Add option `Parse.nodeLogging` to fully log `Parse.Object` in Node.js environments ([#1594](#1594)) ([de9d057](de9d057))
* Remove `Parse.serverAuthType`, `Parse.serverAuthToken` in favor of CoreManager `REQUEST_HEADERS` config ([#2639](#2639)) ([ddc66a1](ddc66a1))
### BREAKING CHANGES
* The methods `Parse.serverAuthType()` and `Parse.serverAuthToken()` have been removed; use the CoreManager `REQUEST_HEADER` config to set authorization headers instead. ([ddc66a1](ddc66a1))

🎉 This change has been released in version 7.0.0-alpha.1
# [7.0.0](6.1.1...7.0.0) (2025-10-14)
### Bug Fixes
* Prototype Pollution vulnerability in `SingleInstanceStateController`; fixes security vulnerability [GHSA-9g8m-v378-pcg3](GHSA-9g8m-v378-pcg3) ([#2745](#2745)) ([9e7c1ba](9e7c1ba))
* HTTP status code 3XX redirection for Parse Server URL not handled properly ([#2608](#2608)) ([58e7f58](58e7f58))
* Incorrect type in `ParseObject.fetch` parameter `options` ([#2726](#2726)) ([dc78419](dc78419))
* Missing error message when returning an internal server error ([#2543](#2543)) ([f91f3f1](f91f3f1))
* Prototype pollution in `Parse.Object` and internal APIs; fixes security vulnerability [GHSA-9f2h-7v79-mxw](GHSA-9f2h-7v79-mxw3) ([#2749](#2749)) ([0097398](0097398))
* Unhandled exception when calling `Parse.Cloud.run` with option value `null` ([#2622](#2622)) ([#2623](#2623)) ([2818ed9](2818ed9))
### Features
* Add `Parse.File` upload and download progress in browser and Node environments ([#2503](#2503)) ([d3ca465](d3ca465))
* Add `Uint8Array` support for `Parse.File` data ([#2548](#2548)) ([6f6bb66](6f6bb66))
* Add option `Parse.nodeLogging` to fully log `Parse.Object` in Node.js environments ([#1594](#1594)) ([de9d057](de9d057))
* Remove `Parse.serverAuthType`, `Parse.serverAuthToken` in favor of CoreManager `REQUEST_HEADERS` config ([#2639](#2639)) ([ddc66a1](ddc66a1))
### Performance Improvements
* Optimize bundle packaging with Vite ([#2553](#2553)) ([a4b19e5](a4b19e5))
### BREAKING CHANGES
* The methods `Parse.serverAuthType()` and `Parse.serverAuthToken()` have been removed; use the CoreManager `REQUEST_HEADER` config to set authorization headers instead. ([ddc66a1](ddc66a1))

🎉 This change has been released in version 7.0.0
Pull Request
Issue
Closes: GHSA-9g8m-v378-pcg3
Approach
Use `Object.create(null)`
Tasks