Security issue - Public URL contains server url and app id. HTTP request payload contains app id #3636

Closed
tran-huy-phuc opened this issue Mar 14, 2017 · 3 comments

Comments

@tran-huy-phuc

Issue Description

I am using Parse-server as a backend for my website. Everything seems to work well. But when I tried to open the images which are stored on my backend, the URL of the images shows the server URL and app id. Also, when I check the payload of the HTTP request, it shows the app id there.
I think I did something wrong with the parse server config but I am not sure. If someone has the server URL and app id, he can change my database. Is this an issue with Parse or is this my mistake?

Steps to reproduce

From my website, right click on any image > Open Image In New Tab. The image will be opened in a new tab, and the URL of the image contains the server URL and app id.

Expected Results

Some way to hide or change the server URL and app id.

Actual Outcome

The server URL and app id are showing.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : [any version]
    • Operating System: [Linux - Ubuntu 16.04]
    • Hardware: [Not sure]
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): [Digital Ocean]
  • Database

    • MongoDB version: [any version]
    • Storage engine: [Local storage]
    • Hardware: [Not sure]
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): [Digital Ocean]

Logs/Trace

Include all relevant logs. You can turn on additional logging by configuring VERBOSE=1 in your environment.

@yoterpa

yoterpa commented Mar 14, 2017

AppId is just a reference to identify your App out of the multiple Apps you are serving from your parse-server. There is no way you can keep it a secret as long as you want your App to talk to the server.

To secure your App, you should use ACLs, beforeSave and beforeDelete triggers properly.

@natanrolnik
Contributor

Thanks for answering, @yoterpa and @bohemima. Indeed, the applicationId and client keys are a legacy feature/requirement from Parse.com, where they needed the app id to identify your app. Nowadays, as Parse Server doesn't support handling multiple apps, they are actually not needed and give a false sense of security. There was even some discussion in the past in favor of removing them.

@thphuc You can have a look at the links @bohemima posted - CLPs, ACLs, and master key are the real ways of securing your app's data in the server level. You might also read the docs here: http://parseplatform.org/docs/js/guide/#client-vs-server
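The two answers above recommend ACLs, beforeSave/beforeDelete triggers, CLPs and the master key rather than hiding the app id. The following Cloud Code sketch is an added example for this thread (not code from Parse Server or from any commenter) showing how those pieces fit: the authorization decision depends on the session user and the master key, never on the app id that appears in file URLs and request payloads. It assumes a hypothetical "Post" class whose "owner" field holds the creating user's objectId, and uses request.original, which requires Parse Server 3.x or later. The Parse global is guarded so the file also loads in plain Node for testing.

```javascript
// Added example for this issue thread; not code from Parse Server or any commenter.
// Assumed data model: a "Post" class whose "owner" field stores the creator's user id.

// Pure authorization rule, kept free of the Parse SDK so it can be unit-tested.
// existingOwnerId is undefined when the object is being created.
function decideWrite({ existingOwnerId, requesterId, useMasterKey }) {
  if (useMasterKey) {
    return { allow: true, reason: 'master key (server-side only, never shipped to clients)' };
  }
  if (!requesterId) {
    return { allow: false, reason: 'no session user: the app id alone is not a credential' };
  }
  if (existingOwnerId === undefined) {
    return { allow: true, reason: 'create: owner will be set to the requester' };
  }
  if (existingOwnerId === requesterId) {
    return { allow: true, reason: 'requester is the owner' };
  }
  return { allow: false, reason: 'requester is not the owner' };
}

// ACL in Parse's wire format: the owner may read and write, everyone else read-only.
function buildOwnerAcl(ownerId, publicRead = true) {
  const acl = { [ownerId]: { read: true, write: true } };
  if (publicRead) {
    acl['*'] = { read: true };
  }
  return acl;
}

// Wiring into Cloud Code (cloud/main.js). Guarded so this file also loads where
// the Parse global is absent, e.g. in a plain Node test run.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave('Post', (request) => {
    const obj = request.object;
    const requesterId = request.user ? request.user.id : null;
    // request.original is the stored version of the object; absent on create.
    const existingOwnerId = request.original ? request.original.get('owner') : undefined;

    const verdict = decideWrite({
      existingOwnerId,
      requesterId,
      useMasterKey: request.master,
    });
    if (!verdict.allow) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, verdict.reason);
    }
    if (existingOwnerId === undefined && !request.master) {
      // The server assigns ownership and the ACL; a client cannot claim another user's id.
      obj.set('owner', requesterId);
      obj.setACL(new Parse.ACL(buildOwnerAcl(requesterId)));
    }
  });

  Parse.Cloud.beforeDelete('Post', (request) => {
    const verdict = decideWrite({
      existingOwnerId: request.object.get('owner'),
      requesterId: request.user ? request.user.id : null,
      useMasterKey: request.master,
    });
    if (!verdict.allow) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, verdict.reason);
    }
  });
}
```

The ACL stored per object is what the server consults on every read and write, so a request that carries only the server URL and app id (with no session token) is treated as anonymous and rejected by decideWrite. Class-level permissions, which the second answer also mentions, are configured on the schema rather than in Cloud Code and are not shown here.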
