
fix(deps): update dependency parse-server to v6 [security] #570

Open: wants to merge 1 commit into base branch master

Conversation


@renovate renovate bot commented Mar 19, 2024

This PR contains the following updates:

Package       Change
parse-server  4.4.0 -> 6.5.9

GitHub Vulnerability Alerts

CVE-2020-26288

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext.
This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.

CVE-2021-39187

Impact

Parse Server crashes if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch.

Patches

Upgrade to Parse Server 4.10.3

CVE-2021-39138

Impact

This affects developers that use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up using REST, the server creates the session incorrectly; in particular, the authProvider field in the _Session class under createdWith shows the user as having logged in by creating a password. If a developer later depends on the createdWith field to provide a different level of access to a password user and an anonymous user, the server incorrectly classifies the session type as being created with a password.

The server currently doesn't use createdWith to make decisions on how things work internally, so if a developer isn't using createdWith directly, there's nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.

Patches

Upgrade to version 4.5.1.

Workarounds

Don't use the createdWith Session field to make decisions if you allow anonymous login.

References

n/a

GHSA-593v-wcqx-hq2w

Impact

A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:

"parse-server": "git@github.com:parse-community/parse-server.git#4.9.3"

We have since deleted the incorrect version tags, but they may still show up in your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.

You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.

If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.

These are the incorrect tags:

4.0.0-beta1
4.0.0-beta2
4.0.0-beta3
4.0.0-beta4
4.0.0-beta5
4.0.0-beta6
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.3
4.0.4
4.0.6
4.0.7
4.0.8
4.0.9
4.6.0
4.6.0-beta
4.7.0
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.9.0
4.9.1
4.9.2
4.9.3

Patches

Upgrade to version 4.10.0.

Workarounds

Downgrade to version 4.5.2.

References

n/a

CVE-2021-41109

Impact

For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.

Patches

Remove session token from LiveQuery payload.

Workaround

Set user.acl(new Parse.ACL()) in a beforeSave trigger to make the user private already on sign-up.

CVE-2022-24760

Impact

This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.

Patches

Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.

Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.

Workarounds

Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disabling BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in index.js.

const BSON = require('bson');

// Re-create the options object without a prototype, so that properties
// injected into Object.prototype cannot influence BSON deserialization.
const internalDeserialize = BSON.prototype.deserialize;
BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => {
  if (options.constructor) {
    options = Object.assign(Object.create(null), options);
  }
  return internalDeserialize(buffer, options, ...others);
};

// Same treatment for the streaming variant of the deserializer.
const internalDeserializeStream = BSON.prototype.deserializeStream;
BSON.prototype.deserializeStream = (
  data,
  startIndex,
  numberOfDocuments,
  documents,
  docStartIndex,
  options = Object.create(null),
  ...others
) => {
  if (options.constructor) {
    options = Object.assign(Object.create(null), options);
  }
  return internalDeserializeStream(
    data,
    startIndex,
    numberOfDocuments,
    documents,
    docStartIndex,
    options,
    ...others
  );
};

References

CVE-2022-24901

Impact

Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows authentication to be bypassed and makes the server vulnerable to DoS attacks.

Patches

The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

CVE-2022-31083

Impact

The certificate in the Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.

Patches

To prevent this, a new rootCertificateUrl property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the rootCertificateUrl property defaults to the URL of the current root certificate as of May 27, 2022.

Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter.

Workarounds

None.

References

More information

CVE-2022-31089

Impact

Certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single instance without redundancy, the availability impact may be high.

Patches

To prevent this, invalid requests are now properly handled.

Workarounds

None

References

For more information

CVE-2022-31112

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-36079

Impact

Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

Patches

The patch requires the master key to use internal and protected fields as query constraints.

Workarounds

Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as:

Parse.Cloud.beforeFind('TestObject', ({ query }) => {
  for (const key in query._where || []) {
    // Repeat logic for protected fields
    if (key.charAt(0) === '_') {
      delete query._where[key];
    }
  }
});

References

CVE-2022-39225

Impact

A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object.

Note that assigning a session to a foreign user does not usually change the privileges of either of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges this vulnerability may have a higher level of severity.

The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects, a user cannot assign their own session to another user.

While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.

Patches

The fix prevents writing to foreign session objects, even if the session object ID is known.

Workarounds

Add a beforeSave trigger to the _Session class and prevent writing if the requesting user is different from the user in the session object.

References

CVE-2022-39231

Impact

Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.

This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]). The vulnerability makes it possible to authenticate requests which are coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.

Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a subset of the server-side configured app ID.

The documentation did not explicitly specify that the parameter appIds must be set as an array of strings and setting a string also worked. Therefore, there is a possibility that there are deployments where appIds is set as a string, making them vulnerable.

Patches

The fix makes Parse Server check the type of the value set for appIds and throw an error if the value is not an array.

Workarounds

No known workarounds.

References

CVE-2022-39313

Impact

Parse Server crashes when a file download request is received with an invalid byte range.

Patches

Improved parsing of the range parameter to properly handle invalid range requests.

Workarounds

None

References

CVE-2022-39396

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Collaborators

Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative

References

CVE-2022-41878

Impact

Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

Configure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

CVE-2022-41879

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

CVE-2023-22474

Impact

Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This makes it possible to circumvent the security mechanism of the Parse Server option masterKeyIps by setting an allowed IP address as the x-forwarded-for header value.

Patches

The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires setting the Parse Server option trustProxy accordingly, see the express framework's trust proxy setting.

References

CVE-2023-32689

Impact

Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.

An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then shares it with the attacker.

Patches

The fix adds a new Parse Server option fileUpload.fileExtensions to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to ['.*'] or another custom value to override the default.

References

CVE-2023-36475

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Credits

  • Discovered by hir0ot working with Trend Micro Zero Day Initiative
  • Fixed by dbythy
  • Reviewed by mtrezza

References

CVE-2023-41058

Impact

A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query.

Patches

The vulnerability was fixed by implementing a patch in the internal query pipeline to prevent a Parse Pointer from being used to access internal Parse Server classes or circumvent the beforeFind trigger.

Workarounds

There is no known workaround to prevent a Parse Pointer from being used to access internal Parse Server classes. A workaround if a beforeFind trigger is used as a security layer is to instead use the Parse Server provided security layers to manage access levels with Class-Level Permissions and Object-Level Access Control.

References

CVE-2023-46119

Impact

Parse Server crashes when uploading a file without extension.

Patches

A permanent fix has been implemented to prevent the server from crashing.

Workarounds

There are no known workarounds.

References

CVE-2024-27298

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

Credits

  • Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)
  • Ehsan Persania (remediation developer)
  • Manuel Trezza (coordinator)

CVE-2024-29027

Impact

Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection.

Patches

Added string sanitization for Cloud Function name and Cloud Job name.

Workarounds

Sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

References

CVE-2024-39309

Impact

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Patches

The algorithm to detect SQL injection has been improved.

Workarounds

None.

References

Credits

  • Smile Thanapattheerakul of Trend Micro (finder)
  • Manuel Trezza (coordinator)

CVE-2024-47183

Impact

If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.

Patches

Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.

Workarounds

  • Disable custom object IDs by setting allowCustomObjectId: false or not setting the option which defaults to false.
  • Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix role:.

References


Release Notes

parse-community/parse-server (parse-server)

v6.5.9

Compare Source

Bug Fixes

v6.5.8

Compare Source

Bug Fixes
  • Various vulnerabilities related to cross-site scripting (#​9310) (d5290d4)

v6.5.7

Compare Source

Bug Fixes

v6.5.6

Compare Source

Bug Fixes
  • Facebook Limited Login not working due to incorrect domain in JWT validation (#​9120) (0e92f76)

v6.5.5

Compare Source

Bug Fixes

v6.5.4

Compare Source

Bug Fixes
  • Server crashes when receiving an array of Parse.Pointer in the request body (#​9012) (8ff444d)

v6.5.3

Compare Source

Bug Fixes
  • Security upgrade follow-redirects from 1.15.5 to 1.15.6 (#​9019) (422958e)

v6.5.2

Compare Source

Bug Fixes

v6.5.1

Compare Source

Bug Fixes

v6.5.0

Compare Source

Bug Fixes
  • Improve PostgreSQL injection detection; fixes security vulnerability GHSA-6927-3vr9-fxf2 which affects Parse Server deployments using a Postgres database (#​8960) (a6e6549)

v6.4.0

Compare Source

Bug Fixes
  • Parse Server option fileUpload.fileExtensions does not work with an array of extensions (#​8688) (6a4a00c)
  • Redis 4 does not reconnect after unhandled error (#​8706) (2b3d4e5)
  • Remove config logging when launching Parse Server via CLI (#​8710) (ae68f0c)
  • Server does not start via CLI when auth option is set (#​8666) (4e2000b)
Features
  • Add conditional email verification via dynamic Parse Server options verifyUserEmails, sendUserEmailVerification that now accept functions (#​8425) (44acd6d)
  • Add property Parse.Server.version to determine current version of Parse Server in Cloud Code (#​8670) (a9d376b)
  • Add TOTP authentication adapter (#​8457) (cc079a4)
Performance Improvements

v6.3.1

Compare Source

Bug Fixes

v6.3.0

Compare Source

Bug Fixes
  • Cloud Code Trigger afterSave executes even if not set (#​8520) (afd0515)
  • GridFS file storage doesn't work with certain enableSchemaHooks settings (#​8467) (d4cda4b)
  • Inaccurate table total row count for PostgreSQL (#​8511) (0823a02)
  • LiveQuery server is not shut down properly when handleShutdown is called (#​8491) (967700b)
  • Rate limit feature is incompatible with Node 14 (#​8578) (f911f2c)
  • Unnecessary log entries by extendSessionOnUse (#​8562) (fd6a007)
Features
  • extendSessionOnUse to automatically renew Parse Sessions (#​8505) (6f885d3)
  • Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#​8451) (82da308)
  • Add option to change the log level of logs emitted by Cloud Functions (#​8530) (2caea31)
  • Add support for $eq query constraint in LiveQuery (#​8614) (656d673)
  • Add zones for rate limiting by ip, user, session, global (#​8508) (03fba97)
  • Allow Parse.Object pointers in Cloud Code arguments (#​8490) (28aeda3)
Reverts
  • fix: Inaccurate table total row count for PostgreSQL (6722110)

v6.2.2

Compare Source

Bug Fixes
  • Parse Pointer allows to access internal Parse Server classes and circumvent beforeFind query trigger; fixes security vulnerability GHSA-fcv6-fg5r-jm9q (be4c7e2) (#​8733)

v6.2.1

Compare Source

Bug Fixes

v6.2.0

Compare Source

Features
  • Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern ^[^hH][^tT][^mM][^lL]?$, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to ['.*'] (#​8538) (a318e7b)

v6.1.0

Compare Source

Bug Fixes
  • LiveQuery can return incorrectly formatted date (#​8456) (4ce135a)
  • Nested date is incorrectly decoded as empty object {} when fetching a Parse Object (#​8446) (22d2446)
  • Parameters missing in afterFind trigger of authentication adapters (#​8458) (ce34747)
  • Rate limiting across multiple servers via Redis not working (#​8469) (d9e347d)
  • Security upgrade jsonwebtoken to 9.0.0 (#​8420) (f5bfe45)
Features
  • Add afterFind trigger to authentication adapters (#​8444) (c793bb8)
  • Add option schemaCacheTtl for schema cache pulling as alternative to enableSchemaHooks (#​8436) (b3b76de)
  • Add Parse Server option resetPasswordSuccessOnInvalidEmail to choose success or error response on password reset with invalid email (#​7551) (e5d610e)
  • Add rate limiting across multiple servers via Redis (#​8394) (34833e4)
  • Allow multiple origins for header Access-Control-Allow-Origin (#​8517) (4f15539)
  • Deprecate LiveQuery fields option in favor of keys for semantic consistency (#​8388) (a49e323)
  • Export AuthAdapter to make it available for extension with custom authentication adapters (#​8443) (40c1961)

v6.0.0

Compare Source

Migration Guide

This is a major release with breaking changes. We prepared a migration guide to help you migrate from Parse Server 5. For the full list of breaking changes see the section below.

BREAKING CHANGES
  • The Docker image does not contain the git dependency anymore; if you have been using git as a transitive dependency it now needs to be explicitly installed in your Docker file, for example with RUN apk --no-cache add git (#​8359) (40810b4)
  • Fields in the internal scope of Parse Server (prefixed with underscore _) are only returned using the new maintenanceKey; previously the masterKey allowed reading of internal fields; see access scopes for a comparison of the keys' access permissions (#​8212) (f3bcc93)
  • The method ParseServer.verifyServerUrl now returns a promise instead of a callback. (ffa4974)
  • The MongoDB aggregation pipeline requires native MongoDB syntax instead of the custom Parse Server syntax; for example pipeline stage names require a leading dollar sign like $match and the MongoDB document ID is referenced using _id instead of objectId (#​8362) (d0d30c4)
  • The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting (#​8372) (892040d)
  • The Node Package Manager lock file package-lock.json is upgraded to version 2; while it is backwards compatible with version 1 for the npm installer, consider this if you run any non-npm analysis tools that use the lock file (#​8285) (ee72467)
  • This release introduces the asynchronous initialization of Parse Server to prevent mounting Parse Server before being ready to receive requests; it changes how Parse Server is imported, initialized and started; it also removes the callback serverStartComplete; see the Parse Server 6 migration guide for more details (#​8232) (99fcf45)
  • Nested objects are now properly stored in the database using JSON serialization; previously, due to a bug only top-level objects were serialized, but nested objects were saved as raw JSON; for example, a nested Date object was saved as a JSON object like { "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" } instead of its serialized representation 2020-01-01T00:00:00.000Z (#​8209) (1412666)
  • The Parse Server option enforcePrivateUsers is set to true by default; in previous releases this option defaults to false; this change improves the default security configuration of Parse Server (#​8283) (ed499e3)
  • This release restricts the use of masterKey to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#​8281) (6c16021)
  • This release upgrades to Redis 4; if you are using the Redis cache adapter with Parse Server then this is a breaking change as the Redis client options have changed; see the Redis migration guide for more details (#​8293) (7d622f0)
  • This release removes support for MongoDB 4.0; the new minimum supported MongoDB version is 4.2, which also removes support for the deprecated MongoDB MMAPv1 storage engine (37245f6)
  • Throwing an error in Cloud Code Triggers afterLogin, afterLogout returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with process.on('unhandledRejection', ...) (130d290)
  • Config option directAccess defaults to true; set this to false in environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the serverURL. (f535ee6)
  • The convenience method for HTTP requests Parse.Cloud.httpRequest is removed; use your preferred 3rd party library for making HTTP requests (2d79c08)
  • This release removes Node 12 and Node 17 support (2546cc8)
Bug Fixes
  • ParseServer.verifyServerUrl may fail if server response headers are missing; remove unnecessary logging (#​8391) (1c37a7c)
  • Cloud Code trigger beforeSave does not work with Parse.Role (#​8320) (f29d972)
  • ES6 modules do not await the import of Cloud Code files (#​8368) (a7bd180)
  • Nested objects are encoded incorrectly for MongoDB (#​8209) (1412666)
  • Parse Server option masterKeyIps does not include localhost by default for IPv6 (#​8322) (ab82635)
  • Rate limiter may reject requests that contain a session token (#​8399) (c114dc8)
  • Remove Node 12 and Node 17 support (#​8279) (2546cc8)
  • Schema without class level permissions may cause error (#​8409) (aa2cd51)
  • The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#​8372) (892040d)
  • Throwing error in Cloud Code Triggers afterLogin, afterLogout crashes server (#​8280) (130d290)
Features
  • Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see access scopes (#​8212) (f3bcc93)
  • Adapt verifyServerUrl for new asynchronous Parse Server start-up states (#​8366) (ffa4974)
  • Add ParseQuery.watch to trigger LiveQuery only on update of specific fields (#​8028) (fc92faa)
  • Add Node 19 support (#​8363) (a4990dc)
  • Add option to change the log level of the logs emitted by triggers (#​8328) (8f3b694)
  • Add request rate limiter based on IP address (#​8174) (6c79f6a)
  • Asynchronous initialization of Parse Server (#​8232) (99fcf45)
  • Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#​8156) (5bbf9ca)
  • Reduce Docker image size by improving stages (#​8359) (40810b4)
  • Remove deprecation DEPPS1: Native MongoDB syntax in aggregation pipeline (#​8362) (d0d30c4)
  • Remove deprecation DEPPS2: Config option directAccess defaults to true (#​8284) (f535ee6)
  • Remove deprecation DEPPS3: Config option enforcePrivateUsers defaults to true ([#​8283](https://redirect.github.com/parse-community/p

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
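The keyword scan that the CVE-2022-24760 advisory above describes (requestKeywordDenylist, rejection with HTTP 400 and Parse error 105) can be illustrated with a small recursive walk over the parsed request body. The following is an added example, not Parse Server's own implementation: the entry shapes follow the advisory (a string matches a key name, an object matches a nested object that carries all of the listed key/value pairs), while the function names and the sample request bodies are constructed for this example.

```javascript
// Added example, not Parse Server code. Default entries as listed in the
// CVE-2022-24760 advisory: a BSON Code marker, "constructor" and "__proto__".
const DEFAULT_REQUEST_KEYWORD_DENYLIST = [
  { _bsontype: 'Code' },
  'constructor',
  '__proto__',
];

// Returns the first denylisted keyword found anywhere inside `value`
// (string entry or object entry), or null when the data is clean.
function findDeniedKeyword(value, denylist = DEFAULT_REQUEST_KEYWORD_DENYLIST) {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (const item of value) {
      const hit = findDeniedKeyword(item, denylist);
      if (hit !== null) return hit;
    }
    return null;
  }
  // Object.keys lists own keys only. JSON.parse turns a "__proto__" key into an
  // own property (not the prototype link), so it shows up here and is caught.
  const keys = Object.keys(value);
  for (const entry of denylist) {
    if (typeof entry === 'string') {
      if (keys.includes(entry)) return entry;
    } else if (Object.entries(entry).every(([k, v]) => keys.includes(k) && value[k] === v)) {
      return entry;
    }
  }
  for (const key of keys) {
    const hit = findDeniedKeyword(value[key], denylist);
    if (hit !== null) return hit;
  }
  return null;
}

// Outcome modelled on the advisory text: clean data passes, otherwise the
// request is answered with HTTP 400 and Parse error 105 (INVALID_KEY_NAME).
function checkRequestBody(rawJson, denylist = DEFAULT_REQUEST_KEYWORD_DENYLIST) {
  const body = JSON.parse(rawJson);
  const hit = findDeniedKeyword(body, denylist);
  if (hit === null) return { status: 200 };
  const keyword = typeof hit === 'string' ? hit : JSON.stringify(hit);
  return { status: 400, code: 105, error: `Prohibited keyword in request data: ${keyword}.` };
}

// Constructed sample bodies, as a client might send them to the REST API.
const CLEAN_BODY = '{"name":"board","score":1}';
const POLLUTING_BODY = '{"data":{"__proto__":{"polluted":true}}}';
```

Setting the option to [] (as the advisory says you may do) simply passes an empty denylist, after which findDeniedKeyword never matches; a custom list such as ['__proto__'] keeps only the entries you still want.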
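Two of the advisories above suggest Cloud Code triggers as workarounds: CVE-2022-39225 (a beforeSave on _Session that refuses writes when the requesting user differs from the session's user) and CVE-2024-47183 (a trigger that rejects a new user's custom object ID starting with role:). The following is an added example, not code from Parse Server or from the advisories: the trigger bodies are written as plain functions so they run without a server, the request shape (request.user, request.master, request.object) follows the Cloud Code trigger API, and the makeObject stand-in and the sample IDs are constructed for this example.

```javascript
// Added example, not Parse Server code. Minimal stand-in for a Parse.Object as
// it appears inside a trigger (constructed for this example).
function makeObject(className, attrs, { isNew = false } = {}) {
  return {
    className,
    id: attrs.objectId,          // Parse exposes the object ID as `.id`
    isNew: () => isNew,
    get: (key) => attrs[key],
  };
}

// Workaround for CVE-2022-39225: a _Session object may only be written by the
// master key or by the user the session belongs to.
function sessionBeforeSave(request) {
  if (request.master) return;                 // master key requests are trusted
  const owner = request.object.get('user');   // pointer to the session's user
  const requester = request.user;
  if (!requester || !owner || owner.id !== requester.id) {
    throw new Error('Session objects can only be written by their own user.');
  }
}

// Workaround for CVE-2024-47183 when allowCustomObjectId is true: a new _User
// must not carry an object ID with the role prefix. Existing users are not
// touched by this trigger (the patched server handles those itself).
const ROLE_PREFIX = 'role:';
function userBeforeSave(request) {
  const user = request.object;
  if (!user.isNew()) return;
  if (typeof user.id === 'string' && user.id.startsWith(ROLE_PREFIX)) {
    throw new Error(`Custom user object IDs must not start with "${ROLE_PREFIX}".`);
  }
}

// Convenience wrapper: true when the trigger lets the write through.
function allowed(trigger, request) {
  try {
    trigger(request);
    return true;
  } catch (e) {
    return false;
  }
}

// Registration as it would look in a Cloud Code main.js (left commented out
// because it needs a running Parse Server):
// Parse.Cloud.beforeSave('_Session', sessionBeforeSave);
// Parse.Cloud.beforeSave(Parse.User, userBeforeSave);
```

Both triggers are hardening for deployments that cannot upgrade immediately; on the patched versions named in the advisories the server enforces the same rules itself.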
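The CVE-2023-22474 advisory above hinges on which address the server believes: with trustProxy unset, an x-forwarded-for header supplied by the client must be ignored, and only then is a masterKeyIps allow-list meaningful. The following is an added example, not Parse Server or express code: resolveClientIp mirrors the boolean and hop-count forms of express's trust proxy setting as documented (subnet and name forms are not modelled), isMasterKeyRequestAllowed reduces the masterKeyIps check to an exact match, and all addresses are constructed sample values.

```javascript
// Added example, not Parse Server code. Splits "client, proxy1, proxy2" into
// the list of hops a chain of proxies appended to X-Forwarded-For.
function parseForwardedFor(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') return [];
  return headerValue.split(',').map((s) => s.trim()).filter(Boolean);
}

// Determine the client IP from the socket peer address and the headers.
//   trustProxy false/unset : never trust the header, use the socket peer
//   trustProxy true        : trust every hop, use the leftmost entry
//   trustProxy n (integer) : the last n hops are trusted proxies; the client
//                            is the first address to the left of them
function resolveClientIp(remoteAddress, headers, trustProxy) {
  if (trustProxy === false || trustProxy === undefined) return remoteAddress;
  const chain = parseForwardedFor(headers['x-forwarded-for']);
  // Full chain as seen from the server: header entries, then the socket peer.
  const addresses = [...chain, remoteAddress];
  if (trustProxy === true) return addresses[0];
  if (Number.isInteger(trustProxy) && trustProxy > 0) {
    // Walk back over the trusted hops, never past the first address.
    const index = Math.max(0, addresses.length - 1 - trustProxy);
    return addresses[index];
  }
  throw new TypeError('trustProxy must be false, true or a positive hop count');
}

// masterKeyIps reduced to an exact-match allow-list (Parse Server also accepts
// CIDR ranges; that is left out here).
function isMasterKeyRequestAllowed(clientIp, masterKeyIps) {
  return masterKeyIps.includes(clientIp);
}

// Constructed scenario: a direct client at 203.0.113.7 claims to be 10.0.0.5,
// which is the address the operator allow-listed for the master key.
const SPOOFED_HEADERS = { 'x-forwarded-for': '10.0.0.5' };
const MASTER_KEY_IPS = ['10.0.0.5'];
```

With trustProxy left unset the spoofed header is ignored and the allow-list holds; turning trustProxy on without an actual proxy in front of the server re-creates the bypass, which is why the setting must describe the real deployment topology.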
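The CVE-2023-32689 advisory and the v6.2.0 release note above describe the fileUpload.fileExtensions option: an allow-list of regular expressions over the file extension, with the default pattern ^[^hH][^tT][^mM][^lL]?$ excluding HTML and ['.*'] re-enabling everything. The following is an added example, not Parse Server's implementation, that shows the default beside the permissive override; extensionOf and isUploadAllowed are names chosen here, and the file names are constructed.

```javascript
// Added example, not Parse Server code. The default pattern is the one quoted
// in the v6.2.0 release notes; ['.*'] is the override the advisory mentions.
const DEFAULT_FILE_EXTENSIONS = ['^[^hH][^tT][^mM][^lL]?$'];
const ALLOW_ALL_EXTENSIONS = ['.*'];   // weak setting: HTML uploads allowed again

// Extension without the dot; a file without an extension yields ''.
function extensionOf(fileName) {
  const dot = fileName.lastIndexOf('.');
  return dot === -1 ? '' : fileName.slice(dot + 1);
}

// An upload is accepted when at least one configured pattern matches the
// extension. Each pattern is a full regular expression, as in the option.
function isUploadAllowed(fileName, allowedPatterns = DEFAULT_FILE_EXTENSIONS) {
  const ext = extensionOf(fileName);
  return allowedPatterns.some((pattern) => new RegExp(pattern).test(ext));
}

// Constructed sample names a client might submit to the files endpoint.
const SAMPLE_UPLOADS = ['photo.png', 'report.pdf', 'index.html', 'page.htm', 'README'];
```

Note that the default pattern requires three or four characters that are not h/t/m/l in those positions, so it rejects an empty extension as well (the crash on extension-less uploads, CVE-2023-46119, is a separate issue and is not reproduced by this helper).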

@renovate renovate bot requested a review from hopetambala as a code owner March 19, 2024 23:08
@renovate renovate bot force-pushed the renovate/npm-parse-server-vulnerability branch from 7a4c8e1 to 29b513c Compare July 1, 2024 19:03
@renovate renovate bot force-pushed the renovate/npm-parse-server-vulnerability branch from 29b513c to 00f7dea Compare October 4, 2024 19:41