
Conversation

mtrezza
Member

@mtrezza mtrezza commented Nov 7, 2022

Fixes security vulnerability GHSA-prm5-8g2m-24gg

@parse-github-assistant

parse-github-assistant bot commented Nov 7, 2022

Thanks for opening this pull request!

* ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for the essential information needed to review the pull request more quickly.

@mtrezza mtrezza changed the title fix-release-24gg fix: Release-24gg Nov 7, 2022
@codecov

codecov bot commented Nov 7, 2022

Codecov Report

Base: 94.12% // Head: 87.14% // Decreases project coverage by -6.98% ⚠️

Coverage data is based on head (08ee746) compared to base (4462b39).
Patch coverage: 87.68% of modified lines in pull request are covered.

❗ Current head 08ee746 differs from pull request most recent head 75d6080. Consider uploading reports for the commit 75d6080 to get more accurate results

Additional details and impacted files
```
@@             Coverage Diff             @@
##           release    #8295      +/-   ##
===========================================
- Coverage    94.12%   87.14%   -6.99%     
===========================================
  Files          182      182              
  Lines        13621    13737     +116     
===========================================
- Hits         12821    11971     -850     
- Misses         800     1766     +966     
```

| Impacted Files | Coverage Δ |
|---|---|
| src/Adapters/Cache/LRUCache.js | 100.00% <ø> (ø) |
| src/Adapters/Files/GridFSBucketAdapter.js | 9.48% <0.00%> (-70.02%) ⬇️ |
| src/GraphQL/helpers/objectsQueries.js | 86.71% <0.00%> (-3.91%) ⬇️ |
| src/GraphQL/loaders/schemaTypes.js | 100.00% <ø> (ø) |
| src/LiveQuery/SessionTokenCache.js | 86.95% <ø> (ø) |
| src/Options/index.js | 100.00% <ø> (ø) |
| src/Adapters/Auth/spotify.js | 62.50% <60.00%> (-17.50%) ⬇️ |
| src/GraphQL/loaders/defaultGraphQLTypes.js | 97.06% <75.00%> (ø) |
| src/Adapters/Auth/facebook.js | 90.62% <80.00%> (-1.44%) ⬇️ |
| src/Auth.js | 92.36% <83.33%> (-7.64%) ⬇️ |
| ... and 45 more | |


@mtrezza mtrezza changed the title fix: Release-24gg fix: Remote code execution via MongoDB BSON parser through prototype pollution Nov 7, 2022
@mtrezza mtrezza merged commit 50eed3c into parse-community:release Nov 7, 2022
parseplatformorg pushed a commit that referenced this pull request Nov 7, 2022
## [5.3.1](5.3.0...5.3.1) (2022-11-07)

### Bug Fixes

* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))
@parseplatformorg
Contributor

🎉 This change has been released in version 5.3.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 7, 2022
@mtrezza mtrezza deleted the fix-release-24gg branch November 9, 2022 18:13
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* release:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jan 31, 2023
* beta:
  docs: remove "skip release" entries from changelog
  chore(release): 5.4.0 [skip ci]
  refactor: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8307)
  chore(release): 5.3.3 [skip ci]
  fix: Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) (parse-community#8305)
  chore(release): 5.3.2 [skip ci]
  refactor: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8303)
  fix: Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) (parse-community#8302)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8298)
  chore(release): 5.3.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) (parse-community#8295)
parseplatformorg pushed a commit that referenced this pull request Jan 31, 2023
# [6.0.0-alpha.31](6.0.0-alpha.30...6.0.0-alpha.31) (2023-01-31)

### Bug Fixes

* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([#8302](#8302)) ([6728da1](6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([#8305](#8305)) ([60c5a73](60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([#8295](#8295)) ([50eed3c](50eed3c))
@parseplatformorg
Contributor

🎉 This change has been released in version 6.0.0-alpha.31

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jan 31, 2023
dblythy pushed a commit to dblythy/parse-server that referenced this pull request Feb 15, 2023
* Parse Server option `requestKeywordDenylist` can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability [GHSA-xprv-wvh7-qqqx](GHSA-xprv-wvh7-qqqx) ([parse-community#8302](parse-community#8302)) ([6728da1](parse-community@6728da1))
* Prototype pollution via Cloud Code Webhooks; fixes security vulnerability [GHSA-93vw-8fm5-p2jf](GHSA-93vw-8fm5-p2jf) ([parse-community#8305](parse-community#8305)) ([60c5a73](parse-community@60c5a73))
* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-prm5-8g2m-24gg](GHSA-prm5-8g2m-24gg) ([parse-community#8295](parse-community#8295)) ([50eed3c](parse-community@50eed3c))