
fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) #8143

Merged

Conversation

mtrezza
Member

@mtrezza mtrezza commented Sep 2, 2022

@parse-github-assistant

parse-github-assistant bot commented Sep 2, 2022

Thanks for opening this pull request!

  • ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for the essential information needed to review the pull request more quickly.

@codecov

codecov bot commented Sep 2, 2022

Codecov Report

Merging #8143 (bc8e081) into release-4.x.x (8580a52) will decrease coverage by 9.68%.
The diff coverage is 100.00%.

❗ Current head bc8e081 differs from pull request most recent head 407732c. Consider uploading reports for the commit 407732c to get more accurate results

@@                Coverage Diff                @@
##           release-4.x.x    #8143      +/-   ##
=================================================
- Coverage          93.82%   84.14%   -9.69%     
=================================================
  Files                170      170              
  Lines              12502    12524      +22     
=================================================
- Hits               11730    10538    -1192     
- Misses               772     1986    +1214     
Impacted Files Coverage Δ
src/Controllers/DatabaseController.js 95.17% <100.00%> (-0.04%) ⬇️
src/LiveQuery/ParseCloudCodePublisher.js 100.00% <100.00%> (ø)
src/LiveQuery/ParseLiveQueryServer.js 95.18% <100.00%> (+0.14%) ⬆️
src/RestQuery.js 95.60% <100.00%> (+0.08%) ⬆️
src/Routers/FilesRouter.js 87.60% <100.00%> (+0.53%) ⬆️
...dapters/Storage/Postgres/PostgresStorageAdapter.js 2.42% <0.00%> (-93.52%) ⬇️
src/Adapters/Storage/Postgres/PostgresClient.js 6.66% <0.00%> (-80.00%) ⬇️
src/Controllers/UserController.js 92.68% <0.00%> (-2.44%) ⬇️
src/Controllers/FilesController.js 92.00% <0.00%> (-2.00%) ⬇️
src/Routers/UsersRouter.js 93.75% <0.00%> (-0.63%) ⬇️
... and 4 more


@mtrezza mtrezza changed the title fix: release 4.x.x p3c6 fix: brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) Sep 2, 2022
@mtrezza mtrezza merged commit 634c44a into parse-community:release-4.x.x Sep 2, 2022
parseplatformorg pushed a commit that referenced this pull request Sep 2, 2022
## [4.10.14](4.10.13...4.10.14) (2022-09-02)

### Bug Fixes

* brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) ([#8143](#8143)) ([634c44a](634c44a))
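The release note above describes the weakness: a client could place a query constraint (for example a search pattern) on an internal or protected field and, by observing which rows match, narrow down the field's value without ever reading it. The server-side defence is to reject any non-master query that constrains such a field, including constraints nested inside `$or`/`$and`/`$nor` clauses. The following is an added example of that check in JavaScript; it is not Parse Server's own code from this PR. The field names, the per-class `PROTECTED_FIELDS` shape and the `isMaster` flag are assumptions made for the example.

```javascript
// Added example (not Parse Server's own code): reject queries that place
// constraints on internal or protected fields, so those fields cannot be
// narrowed down via search-pattern constraints such as $regex.

// Illustrative internal field names (constructed for this example).
const INTERNAL_FIELDS = new Set(['_hashed_password', '_email_verify_token']);

// Assumed per-class protected-field configuration, keyed by class name.
const PROTECTED_FIELDS = { _User: ['email', 'ssn'] };

// Logical operators whose operands are arrays of sub-clauses.
const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Recursively collect every field a `where` clause constrains, descending
// into $or/$and/$nor sub-clauses and reducing dotted paths ("ssn.last4")
// to their top-level field name.
function constrainedFields(where, out = new Set()) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return out;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key)) {
      if (Array.isArray(value)) value.forEach(sub => constrainedFields(sub, out));
      continue;
    }
    // Other top-level operators ($select, $relatedTo, ...) are not modelled here.
    if (key.startsWith('$')) continue;
    out.add(key.split('.')[0]);
  }
  return out;
}

// Returns { ok: true } when the query may proceed, otherwise
// { ok: false, field } naming the first forbidden field encountered.
// A request made with the master key bypasses field protection.
function validateQueryConstraints({ className, where, isMaster }) {
  if (isMaster) return { ok: true };
  const protectedForClass = new Set(PROTECTED_FIELDS[className] || []);
  for (const field of constrainedFields(where)) {
    if (INTERNAL_FIELDS.has(field) || protectedForClass.has(field)) {
      return { ok: false, field };
    }
  }
  return { ok: true };
}

// Constructed sample requests: a harmless query and two that probe a
// protected field, one of them hidden inside an $or clause.
const samples = [
  { className: '_User', where: { username: 'alice' }, isMaster: false },
  { className: '_User', where: { ssn: { $regex: '^1' } }, isMaster: false },
  { className: '_User', where: { $or: [{ username: 'alice' }, { _hashed_password: { $regex: '^$2' } }] }, isMaster: false },
];
for (const s of samples) {
  const r = validateQueryConstraints(s);
  console.log(JSON.stringify(s.where), '->', r.ok ? 'allowed' : `rejected (${r.field})`);
}
```

A rejected query is also a useful detection signal: logging the class, the offending field and the requesting session lets an operator spot repeated probing of the same protected field.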
@parseplatformorg
Contributor

🎉 This change has been released in version 4.10.14

@parseplatformorg parseplatformorg added the state:released-4.x.x Released as LTS version label Sep 2, 2022
@parse-github-assistant

The label state:released-4.x.x cannot be used here.

@parse-github-assistant parse-github-assistant bot removed the state:released-4.x.x Released as LTS version label Sep 2, 2022
@mtrezza mtrezza deleted the fix-release-4.x.x-p3c6 branch September 3, 2022 09:25