From cbefe770a7260b54748a058b8a7389937dc35833 Mon Sep 17 00:00:00 2001
From: Manuel <5673677+mtrezza@users.noreply.github.com>
Date: Fri, 1 Mar 2024 16:52:05 +0100
Subject: [PATCH] fix: Improve PostgreSQL injection detection; fixes security
 vulnerability
 [GHSA-6927-3vr9-fxf2](https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2)
 which affects Parse Server deployments using a Postgres database (#8961)

---
 spec/vulnerabilities.spec.js                  | 25 +++++++++++++++++++
 .../Postgres/PostgresStorageAdapter.js        |  2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
index 9bfafcffcb..c0f519e78d 100644
--- a/spec/vulnerabilities.spec.js
+++ b/spec/vulnerabilities.spec.js
@@ -433,3 +433,28 @@ describe('Vulnerabilities', () => {
     });
   });
 });
+
+describe('Postgres regex sanitizater', () => {
+  it('sanitizes the regex correctly to prevent Injection', async () => {
+    const user = new Parse.User();
+    user.set('username', 'username');
+    user.set('password', 'password');
+    user.set('email', 'email@example.com');
+    await user.signUp();
+
+    const response = await request({
+      method: 'GET',
+      url:
+        "http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--",
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.data.results).toEqual(jasmine.any(Array));
+    expect(response.data.results.length).toBe(0);
+  });
+});
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
index 3ad59ec77f..efbe985bf9 100644
--- a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
+++ b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) {
     .replace(/([^\\])(\\Q)/, '$1')
     .replace(/^\\E/, '')
     .replace(/^\\Q/, '')
-    .replace(/([^'])'/, `$1''`)
+    .replace(/([^'])'/g, `$1''`)
     .replace(/^'([^'])/, `''$1`);
 }