refactor: Prototype pollution via Cloud Code Webhooks; fixes security…

… vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (#8307)
parse-community · Nov 9, 2022 · 735669a · 735669a
1 parent d9c3c02
commit 735669a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -109,6 +109,17 @@ describe('Vulnerabilities', () => {
       );
     });
 
+    it('denies expanding existing object with polluted keys', async () => {
+      const obj = await new Parse.Object('RCE', { a: { foo: [] } }).save();
+      await reconfigureServer({
+        requestKeywordDenylist: ['foo'],
+      });
+      obj.addUnique('a.foo', 'abc');
+      await expectAsync(obj.save()).toBeRejectedWith(
+        new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Prohibited keyword in request data: "foo".`)
+      );
+    });
+
     it('denies creating a cloud trigger with polluted data', async () => {
       Parse.Cloud.beforeSave('TestObject', ({ object }) => {
         object.set('obj', {

diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -1768,7 +1768,11 @@ class DatabaseController {
     if (this.options && this.options.requestKeywordDenylist) {
       // Scan request data for denied keywords
       for (const keyword of this.options.requestKeywordDenylist) {
-        const match = Utils.objectContainsKeyValue({ firstKey: undefined }, keyword.key, undefined);
+        const match = Utils.objectContainsKeyValue(
+          { [firstKey]: true, [nextPath]: true },
+          keyword.key,
+          true
+        );
         if (match) {
           throw new Parse.Error(
             Parse.Error.INVALID_KEY_NAME,