
refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers #8303

Merged: 1 commit merged into parse-community:beta from the fix-beta-qqqx branch on Nov 9, 2022

Conversation

@mtrezza (Member) commented Nov 9, 2022

Fixes security vulnerability GHSA-xprv-wvh7-qqqx

@parse-github-assistant
I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title from "fix: beta qqqx" to "fix: Beta qqqx" on Nov 9, 2022

@parse-github-assistant

parse-github-assistant bot commented Nov 9, 2022

Thanks for opening this pull request!

  • ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for the essential information needed to review the pull request more quickly.

@codecov
codecov bot commented Nov 9, 2022

Codecov Report

Base: 94.18% // Head: 94.12% // Decreases project coverage by -0.06% ⚠️

Coverage data is based on head (118033b) compared to base (443a509).
Patch coverage: 89.80% of modified lines in pull request are covered.

@@            Coverage Diff             @@
##             beta    #8303      +/-   ##
==========================================
- Coverage   94.18%   94.12%   -0.07%     
==========================================
  Files         182      182              
  Lines       13622    13785     +163     
==========================================
+ Hits        12830    12975     +145     
- Misses        792      810      +18     
Impacted Files                          Coverage   Patch      Δ
src/Adapters/Cache/LRUCache.js          100.00%    <ø>        (ø)
src/Deprecator/Deprecations.js          100.00%    <ø>        (ø)
src/GraphQL/loaders/schemaTypes.js      100.00%    <ø>        (ø)
src/LiveQuery/SessionTokenCache.js       86.95%    <ø>        (ø)
src/Options/index.js                    100.00%    <ø>        (ø)
src/SchemaMigrations/Migrations.js        0.00%    <ø>        (ø)
src/Adapters/Auth/gcenter.js             59.52%    <39.13%>   (-38.73%) ⬇️
src/Adapters/Auth/spotify.js             62.50%    <60.00%>   (-17.50%) ⬇️
src/GraphQL/helpers/objectsQueries.js    90.62%    <75.00%>   (-0.22%) ⬇️
src/Adapters/Auth/facebook.js            90.62%    <80.00%>   (-1.44%) ⬇️
... and 46 more

@mtrezza mtrezza changed the title from "fix: Beta qqqx" to "fix: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers" on Nov 9, 2022
@mtrezza mtrezza changed the title from "fix: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers" to "refactor: Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers" on Nov 9, 2022
@mtrezza mtrezza merged commit d9c3c02 into parse-community:beta Nov 9, 2022
@mtrezza mtrezza deleted the fix-beta-qqqx branch November 9, 2022 19:57
@parseplatformorg (Contributor)

🎉 This change has been released in version 5.4.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 19, 2022
@parseplatformorg (Contributor)

🎉 This change has been released in version 5.4.0

@parseplatformorg parseplatformorg added the state:released-5.x.x Released as LTS version label Nov 19, 2022
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* release:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* beta:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
@parseplatformorg (Contributor)

🎉 This change has been released in version 6.0.0-alpha.31

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jan 31, 2023