
fix: Prototype pollution via Cloud Code Webhooks #8305

Merged: 1 commit, Nov 9, 2022

Conversation

mtrezza
Member

@mtrezza mtrezza commented Nov 9, 2022

Fixes security vulnerability GHSA-93vw-8fm5-p2jf
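As an added illustration of the bug class named in this PR's title (this is example code written for this page, not parse-server's code and not the specific defect the advisory describes), the following shows how a recursive merge of attacker-controlled JSON reaches Object.prototype through a nested `__proto__` key, why a denylist applied only to top-level keys misses it, and a recursive denylist walk beside it. `DENYLIST`, `deepMergeUnchecked`, `findDeniedKey`, `hasDeniedTopLevelKey`, `safeDeepMerge` and the payload are all hypothetical names and constructed data.

```javascript
// Added illustration, not parse-server code. Shows the bug class named in this
// PR's title: a recursive merge of attacker-controlled JSON writes through the
// "__proto__" key into Object.prototype, and a denylist check that only looks
// at top-level keys misses the nested occurrence. DENYLIST, deepMergeUnchecked,
// findDeniedKey, hasDeniedTopLevelKey and safeDeepMerge are hypothetical names.

const DENYLIST = ['__proto__', 'constructor', 'prototype'];

// Recursive merge with no key filtering. JSON.parse creates "__proto__" as an
// own property, so Object.keys() yields it, and target["__proto__"] resolves
// to Object.prototype, which then receives the attacker's nested keys.
function deepMergeUnchecked(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepMergeUnchecked(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walks every nested object and returns the dotted path of the first denied
// key, or null if none is present.
function findDeniedKey(obj, path = []) {
  if (obj === null || typeof obj !== 'object') return null;
  for (const key of Object.keys(obj)) {
    if (DENYLIST.includes(key)) return [...path, key].join('.');
    const hit = findDeniedKey(obj[key], [...path, key]);
    if (hit !== null) return hit;
  }
  return null;
}

// Shallow check, for contrast: a filter of this shape is what a nested
// "__proto__" key walks past.
function hasDeniedTopLevelKey(obj) {
  return Object.keys(obj).some(k => DENYLIST.includes(k));
}

// Hardened merge: reject the whole input if any nested key is denied.
function safeDeepMerge(target, source) {
  const denied = findDeniedKey(source);
  if (denied !== null) {
    throw new Error(`prohibited key in input: ${denied}`);
  }
  return deepMergeUnchecked(target, source);
}

// Constructed attacker payload, shaped like a JSON body an external webhook
// could return to the server.
const ATTACK_JSON = '{"profile":{"__proto__":{"isAdmin":true}}}';

// Merge the payload without checks, report whether Object.prototype was
// polluted, then undo the pollution so the rest of the process is unaffected.
function demonstratePollution() {
  const payload = JSON.parse(ATTACK_JSON);
  const shallowCheckCaughtIt = hasDeniedTopLevelKey(payload);
  deepMergeUnchecked({}, payload);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { shallowCheckCaughtIt, polluted };
}

// Same payload through the hardened path: rejected, and nothing polluted.
function demonstrateHardened() {
  const payload = JSON.parse(ATTACK_JSON);
  let rejected = null;
  try {
    safeDeepMerge({}, payload);
  } catch (err) {
    rejected = err.message;
  }
  return { rejected, polluted: ({}).isAdmin === true };
}
```

The point to carry over to any real filter is that the denylist must be applied at every nesting level of the input, not only to the keys of the outermost object, because `JSON.parse` happily produces an own property named `__proto__` at any depth and a plain recursive copy will follow it into `Object.prototype`.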

@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title fix: release p2jf fix: Release p2jf Nov 9, 2022
@parse-github-assistant

parse-github-assistant bot commented Nov 9, 2022

Thanks for opening this pull request!

  • ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for essential information to quicker review the pull request.

@codecov

codecov bot commented Nov 9, 2022

Codecov Report

Base: 94.30% // Head: 94.31% // Increases project coverage by +0.01% 🎉

Coverage data is based on head (40fd022) compared to base (6728da1).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files
@@             Coverage Diff             @@
##           release    #8305      +/-   ##
===========================================
+ Coverage    94.30%   94.31%   +0.01%     
===========================================
  Files          182      182              
  Lines        13740    13740              
===========================================
+ Hits         12957    12959       +2     
+ Misses         783      781       -2     
Impacted Files                          Coverage Δ
src/Controllers/DatabaseController.js   93.89% <100.00%> (+0.14%) ⬆️
src/batch.js                            94.73% <0.00%> (+1.75%) ⬆️


@mtrezza mtrezza changed the title fix: Release p2jf fix: Prototype pollution via Cloud Code Webhooks Nov 9, 2022
@mtrezza mtrezza merged commit 60c5a73 into parse-community:release Nov 9, 2022
parseplatformorg pushed a commit that referenced this pull request Nov 9, 2022
## [5.3.3](5.3.2...5.3.3) (2022-11-09)

### Bug Fixes

* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([#8305](#8305)) ([60c5a73](60c5a73))
@parseplatformorg
Contributor

🎉 This change has been released in version 5.3.3

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 9, 2022
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* release:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* beta:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
parseplatformorg pushed a commit that referenced this pull request Jan 31, 2023
# [6.0.0-alpha.31](6.0.0-alpha.30...6.0.0-alpha.31) (2023-01-31)

### Bug Fixes

* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([#8302](#8302)) ([6728da1](6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([#8305](#8305)) ([60c5a73](60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))
@parseplatformorg
Contributor

🎉 This change has been released in version 6.0.0-alpha.31

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jan 31, 2023
dblythy pushed a commit to dblythy/parse-server that referenced this pull request Feb 15, 2023
* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([parse-community#8302](parse-community#8302)) ([6728da1](parse-community@6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([parse-community#8305](parse-community#8305)) ([60c5a73](parse-community@60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([parse-community#8295](parse-community#8295)) ([50eed3c](parse-community@50eed3c))
@mtrezza mtrezza deleted the fix-release-p2jf branch June 5, 2023 16:09