fix: Improve PostgreSQL injection detection; fixes security vulnerabi…

…lity [GHSA-6927-3vr9-fxf2](GHSA-6927-3vr9-fxf2) which affects Parse Server deployments using a Postgres database (#8961)
parse-community · Mar 1, 2024 · cbefe77 · cbefe77
1 parent 9c85e63
commit cbefe77
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -433,3 +433,28 @@ describe('Vulnerabilities', () => {
  });
  });
 });
+
+describe('Postgres regex sanitizater', () => {
+ it('sanitizes the regex correctly to prevent Injection', async () => {
+ const user = new Parse.User();
+ user.set('username', 'username');
+ user.set('password', 'password');
+ user.set('email', 'email@example.com');
+ await user.signUp();
+
+ const response = await request({
+ method: 'GET',
+ url:
+ "http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--",
+ headers: {
+ 'Content-Type': 'application/json',
+ 'X-Parse-Application-Id': 'test',
+ 'X-Parse-REST-API-Key': 'rest',
+ },
+ });
+
+ expect(response.status).toBe(200);
+ expect(response.data.results).toEqual(jasmine.any(Array));
+ expect(response.data.results.length).toBe(0);
+ });
+});
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) {
  .replace(/([^\\])(\\Q)/, '$1')
  .replace(/^\\E/, '')
  .replace(/^\\Q/, '')
- .replace(/([^'])'/, `$1''`)
+ .replace(/([^'])'/g, `$1''`)
  .replace(/^'([^'])/, `''$1`);
 }