From be0a45659094ee3e92957f618eb2fa8bbfdece35 Mon Sep 17 00:00:00 2001
From: pavan-dulam
Date: Thu, 11 Apr 2024 15:07:04 +0530
Subject: [PATCH 1/4] feat:Ensure Database Password Security Check Covers All Possible URIs
---
 spec/SecurityCheckGroups.spec.js | 38 ++++++++++++++++---
 .../CheckGroups/CheckGroupDatabase.js | 12 +++++-
 2 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js
index 43d523c214..2e2538c01c 100644
--- a/spec/SecurityCheckGroups.spec.js
+++ b/spec/SecurityCheckGroups.spec.js
@@ -62,17 +62,43 @@ describe('Security Check Groups', () => { expect(group.checks().length).toBeGreaterThan(0); }); - it('checks succeed correctly', async () => { - const config = Config.get(Parse.applicationId); - config.database.adapter._uri = 'protocol://user:aMoreSecur3Passwor7!@example.com'; + it('checks succeed correctly with database adapter defined', async () => { + const databaseAdapter = { + _uri: 'protocol://user:aMoreSecur3Passwor7!@example.com' + }; + const config = { + database: { adapter: databaseAdapter } + }; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.success); }); - it('checks fail correctly', async () => { - const config = Config.get(Parse.applicationId); - config.database.adapter._uri = 'protocol://user:insecure@example.com'; + it('checks succeed correctly with databaseURI defined', async () => { + const config = { + databaseURI: 'protocol://user:aMoreSecur3Passwor7!@example.com' + }; + const group = new CheckGroupDatabase(); + await group.run(); + expect(group.checks()[0].checkState()).toBe(CheckState.success); + }); + + it('checks fail correctly with database adapter defined', async () => { + const databaseAdapter = { + _uri: 'protocol://user:insecure@example.com' + }; + const config = { + database: { adapter: databaseAdapter } + }; + const group = new CheckGroupDatabase(); + await group.run(); + expect(group.checks()[0].checkState()).toBe(CheckState.fail); + }); + + it('checks fail correctly with databaseURI defined', async () => { + const config = { + databaseURI: 'protocol://user:insecure@example.com' + }; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.fail); diff --git a/src/Security/CheckGroups/CheckGroupDatabase.js b/src/Security/CheckGroups/CheckGroupDatabase.js index bc57fef8a3..377438eee8 100644 --- a/src/Security/CheckGroups/CheckGroupDatabase.js +++ b/src/Security/CheckGroups/CheckGroupDatabase.js 
@@ -14,8 +14,18 @@ class CheckGroupDatabase extends CheckGroup {
 }
 setChecks() {
 const config = Config.get(Parse.applicationId);
+ let databaseUrl;
 const databaseAdapter = config.database.adapter;
- const databaseUrl = databaseAdapter._uri;
+ if (databaseAdapter) {
+ // If database adapter is defined, use its URI
+ databaseUrl = databaseAdapter._uri;
+ } else if (config.databaseURI) {
+ // If database adapter is not defined, fallback to config.databaseURI
+ databaseUrl = config.databaseURI;
+ } else {
+ // Handle the case where neither database adapter nor databaseURI is defined
+ throw 1;
+ }
 return [
 new Check({
 title: 'Secure database password',
From d7a823017517ca2da313742a66b8f7e4a8f67ac5 Mon Sep 17 00:00:00 2001
From: pavan-dulam
Date: Thu, 11 Apr 2024 15:07:04 +0530
Subject: [PATCH 2/4] feat: Ensure Database Password Security Check Covers All Possible URIs
---
 spec/SecurityCheckGroups.spec.js | 38 ++++++++++++++++---
 .../CheckGroups/CheckGroupDatabase.js | 12 +++++-
 2 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js
index 43d523c214..2e2538c01c 100644
--- a/spec/SecurityCheckGroups.spec.js
+++ b/spec/SecurityCheckGroups.spec.js
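Review bot: In `setChecks()` the adapter branch wins whenever `config.database.adapter` is truthy, so an adapter that carries no `_uri` leaves `databaseUrl` undefined and `config.databaseURI` is never consulted; the password audit then has nothing to inspect even though a URI with credentials is configured. `config.database.adapter` is also still read before any guard, so a missing `config.database` would throw ahead of the new `if`. Consider collapsing the chain to `const databaseUrl = config.database?.adapter?._uri || config.databaseURI;`. The same hunk is repeated verbatim in PATCH 2/4, and `setChecks()` continues past the end of the hunk.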
@@ -62,17 +62,43 @@ describe('Security Check Groups', () => { expect(group.checks().length).toBeGreaterThan(0); }); - it('checks succeed correctly', async () => { - const config = Config.get(Parse.applicationId); - config.database.adapter._uri = 'protocol://user:aMoreSecur3Passwor7!@example.com'; + it('checks succeed correctly with database adapter defined', async () => { + const databaseAdapter = { + _uri: 'protocol://user:aMoreSecur3Passwor7!@example.com' + }; + const config = { + database: { adapter: databaseAdapter } + }; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.success); }); - it('checks fail correctly', async () => { - const config = Config.get(Parse.applicationId); - config.database.adapter._uri = 'protocol://user:insecure@example.com'; + it('checks succeed correctly with databaseURI defined', async () => { + const config = { + databaseURI: 'protocol://user:aMoreSecur3Passwor7!@example.com' + }; + const group = new CheckGroupDatabase(); + await group.run(); + expect(group.checks()[0].checkState()).toBe(CheckState.success); + }); + + it('checks fail correctly with database adapter defined', async () => { + const databaseAdapter = { + _uri: 'protocol://user:insecure@example.com' + }; + const config = { + database: { adapter: databaseAdapter } + }; + const group = new CheckGroupDatabase(); + await group.run(); + expect(group.checks()[0].checkState()).toBe(CheckState.fail); + }); + + it('checks fail correctly with databaseURI defined', async () => { + const config = { + databaseURI: 'protocol://user:insecure@example.com' + }; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.fail); diff --git a/src/Security/CheckGroups/CheckGroupDatabase.js b/src/Security/CheckGroups/CheckGroupDatabase.js index bc57fef8a3..377438eee8 100644 --- a/src/Security/CheckGroups/CheckGroupDatabase.js +++ b/src/Security/CheckGroups/CheckGroupDatabase.js 
@@ -14,8 +14,18 @@ class CheckGroupDatabase extends CheckGroup {
 }
 setChecks() {
 const config = Config.get(Parse.applicationId);
+ let databaseUrl;
 const databaseAdapter = config.database.adapter;
- const databaseUrl = databaseAdapter._uri;
+ if (databaseAdapter) {
+ // If database adapter is defined, use its URI
+ databaseUrl = databaseAdapter._uri;
+ } else if (config.databaseURI) {
+ // If database adapter is not defined, fallback to config.databaseURI
+ databaseUrl = config.databaseURI;
+ } else {
+ // Handle the case where neither database adapter nor databaseURI is defined
+ throw 1;
+ }
 return [
 new Check({
 title: 'Secure database password',
From 4e9fa64a4a4c29e21d9e2fd2aa69a4c0932863d3 Mon Sep 17 00:00:00 2001
From: pavan-dulam
Date: Fri, 26 Apr 2024 16:53:50 +0530
Subject: [PATCH 3/4] fix: resolve lint no-unused-vars
---
 spec/SecurityCheckGroups.spec.js | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js
index 2e2538c01c..b90b1f6960 100644
--- a/spec/SecurityCheckGroups.spec.js
+++ b/spec/SecurityCheckGroups.spec.js
@@ -63,42 +63,32 @@ describe('Security Check Groups', () => { }); it('checks succeed correctly with database adapter defined', async () => { - const databaseAdapter = { - _uri: 'protocol://user:aMoreSecur3Passwor7!@example.com' - }; - const config = { - database: { adapter: databaseAdapter } - }; + const config = Config.get(Parse.applicationId); + config.database.adapter._uri = 'protocol://user:aMoreSecur3Passwor7!@example.com'; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.success); }); it('checks succeed correctly with databaseURI defined', async () => { - const config = { - databaseURI: 'protocol://user:aMoreSecur3Passwor7!@example.com' - }; + const config = Config.get(Parse.applicationId); + config.databaseURI = 'protocol://user:insecure@example.com'; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.success); }); it('checks fail correctly with database adapter defined', async () => { - const databaseAdapter = { - _uri: 'protocol://user:insecure@example.com' - }; - const config = { - database: { adapter: databaseAdapter } - }; + const config = Config.get(Parse.applicationId); + config.database.adapter._uri = 'protocol://user:insecure@example.com'; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.fail); }); it('checks fail correctly with databaseURI defined', async () => { - const config = { - databaseURI: 'protocol://user:insecure@example.com' - }; + const config = Config.get(Parse.applicationId); + config.databaseURI = 'protocol://user:insecure@example.com'; const group = new CheckGroupDatabase(); await group.run(); expect(group.checks()[0].checkState()).toBe(CheckState.fail); From 187e440db80994d55a8778e8de9f3c22cdfdce7f Mon Sep 17 00:00:00 2001 
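Review bot: The test 'checks succeed correctly with databaseURI defined' now assigns `config.databaseURI = 'protocol://user:insecure@example.com'` yet still expects `CheckState.success`, so its outcome cannot depend on `databaseURI` at all. Going by the `setChecks()` hunk in this series, the adapter's `_uri` takes precedence whenever the adapter exists, so both databaseURI tests most likely pass or fail on whatever `_uri` an earlier test left behind, and the new fallback branch is never exercised. The success case should use `config.databaseURI = 'protocol://user:aMoreSecur3Passwor7!@example.com';` and arrange for the adapter URI to be absent so the assertion really covers the fallback. These tests also mutate the shared object returned by `Config.get(Parse.applicationId)` without restoring it, which makes them order-dependent.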
From: pavan-dulam
Date: Fri, 26 Apr 2024 18:06:23 +0530
Subject: [PATCH 4/4] fix: removed unnecessary check
---
 src/Security/CheckGroups/CheckGroupDatabase.js | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/Security/CheckGroups/CheckGroupDatabase.js b/src/Security/CheckGroups/CheckGroupDatabase.js
index 377438eee8..37ecf9eedd 100644
--- a/src/Security/CheckGroups/CheckGroupDatabase.js
+++ b/src/Security/CheckGroups/CheckGroupDatabase.js
@@ -22,10 +22,7 @@ class CheckGroupDatabase extends CheckGroup {
 } else if (config.databaseURI) {
 // If database adapter is not defined, fallback to config.databaseURI
 databaseUrl = config.databaseURI;
- } else {
- // Handle the case where neither database adapter nor databaseURI is defined
- throw 1;
- }
+ }
 return [
 new Check({
 title: 'Secure database password',
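Review bot: With the final `else` removed, `databaseUrl` silently stays `undefined` when neither the adapter nor `config.databaseURI` yields a URI, and that value flows into the `Check` built just below, whose callback lies outside this hunk. Whether the audit then fails, throws an unrelated TypeError or passes vacuously cannot be told from here, and a password check that has nothing to inspect should say so explicitly rather than by accident. If the callback signals failure by throwing, as appears to be the convention, a guard at its top such as `if (!databaseUrl) { throw new Error('no database URI available to check'); }` would make the outcome deliberate. At minimum add a comment at the end of the `if` chain, e.g. `// databaseUrl may be undefined here; the check below must treat that as a failure`.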