Skip to content

refactor: Remote code execution via MongoDB BSON parser through prototype pollution#8677

Merged
mtrezza merged 6 commits intobetafrom
fix-beta-7vr6
Jun 28, 2023
Merged

refactor: Remote code execution via MongoDB BSON parser through prototype pollution#8677
mtrezza merged 6 commits intobetafrom
fix-beta-7vr6

Conversation

@mtrezza
Copy link
Member

@mtrezza mtrezza commented Jun 28, 2023
edited
Loading

Fixes security vulnerability GHSA-462x-c3jw-7vr6

@parse-github-assistant
Copy link

parse-github-assistant bot commented Jun 28, 2023

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title fix: beta 7vr6 fix: Beta 7vr6 Jun 28, 2023
@parse-github-assistant
Copy link

parse-github-assistant bot commented Jun 28, 2023
edited
Loading

Thanks for opening this pull request!

  • ❌ Please link an issue that describes the reason for this pull request, otherwise your pull request will be closed. Make sure to write it as Closes: #123 in the PR description, so I can recognize it.

@mtrezza mtrezza changed the title fix: Beta 7vr6 refactor: Remote code execution via MongoDB BSON parser through prototype pollution Jun 28, 2023
@codecov
Copy link

codecov bot commented Jun 28, 2023
edited
Loading

Codecov Report

Patch coverage: 100.00% and project coverage change: -0.50 ⚠️

Comparison is base (e212eb5) 94.45% compared to head (b915ed2) 93.95%.

❗ Current head b915ed2 differs from pull request most recent head 443b1ec. Consider uploading reports for the commit 443b1ec to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             beta    #8677      +/-   ##
==========================================
- Coverage   94.45%   93.95%   -0.50%     
==========================================
  Files         184      184              
  Lines       14635    14640       +5     
==========================================
- Hits        13823    13755      -68     
- Misses        812      885      +73
Impacted Files Coverage Δ
src/Controllers/DatabaseController.js 93.98% <100.00%> (+0.05%) ⬆️
src/RestWrite.js 94.87% <100.00%> (-0.19%) ⬇️
src/Routers/FilesRouter.js 93.29% <100.00%> (-0.05%) ⬇️
src/Utils.js 98.13% <100.00%> (+0.09%) ⬆️

... and 8 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@mtrezza mtrezza merged commit d6b17ba into beta Jun 28, 2023
@mtrezza mtrezza deleted the fix-beta-7vr6 branch June 28, 2023 21:37
@parseplatformorg
Copy link
Contributor

parseplatformorg commented Sep 16, 2023

🎉 This change has been released in version 6.3.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Sep 16, 2023
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Sep 16, 2023
@mtrezza
Merge branch 'beta' into build
4baeae4 
* beta:
  chore(release): 6.3.0 [skip ci]
  release
  refactor: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger (parse-community#8734)
  chore(release): 6.2.2 [skip ci]
  fix: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](GHSA-fcv6-fg5r-jm9q)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8677)
  chore(release): 6.2.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8674)
  refactor: Add option to convert `Parse.Object` to instance in Cloud Function payload (parse-community#8656)
ashish-naik added a commit to ashish-naik/parse-server-FB-signup-error206 that referenced this pull request Sep 19, 2023
@ashish-naik
Merge commit 'b1e1bf6708f5d32b2846e66de40f48fb0ec1dc86' into alpha
dd5529c 
* commit 'b1e1bf6708f5d32b2846e66de40f48fb0ec1dc86':
  chore(release): 6.4.0-beta.1 [skip ci]
  release
  chore(release): 6.3.0 [skip ci]
  release
  chore(release): 6.3.0-alpha.9 [skip ci]
  perf: Improve performance of recursive pointer iterations (parse-community#8741)
  refactor: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger (parse-community#8734)
  chore(release): 6.2.2 [skip ci]
  fix: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](GHSA-fcv6-fg5r-jm9q)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8677)
  chore(release): 6.2.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8674)
  refactor: Add option to convert `Parse.Object` to instance in Cloud Function payload (parse-community#8656)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

state:released Released as stable version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtrezza @parseplatformorg @dblythy