Skip to content

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 28, 2023
Merged

fix: Remote code execution via MongoDB BSON parser through prototype pollution #8674

merged 1 commit into from
Jun 28, 2023

Conversation

mtrezza
Copy link
Member

@mtrezza mtrezza commented Jun 28, 2023
edited
Loading

Fixes security vulnerability GHSA-462x-c3jw-7vr6

@parse-github-assistant
Copy link

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title fix: release-7vr6 fix: Release-7vr6 Jun 28, 2023
@parse-github-assistant
Copy link

parse-github-assistant bot commented Jun 28, 2023
edited
Loading

Thanks for opening this pull request!

  • ❌ Please link an issue that describes the reason for this pull request, otherwise your pull request will be closed. Make sure to write it as Closes: #123 in the PR description, so I can recognize it.

@mtrezza mtrezza changed the base branch from alpha to release June 28, 2023 20:07
@codecov
Copy link

codecov bot commented Jun 28, 2023
edited
Loading

Codecov Report

Patch coverage: 95.32% and project coverage change: +0.17 🎉

Comparison is base (c16f529) 94.18% compared to head (54ef680) 94.35%.

❗ Current head 54ef680 differs from pull request most recent head cb58be4. Consider uploading reports for the commit cb58be4 to get more accurate results

Additional details and impacted files 
@@             Coverage Diff             @@
##           release    #8674      +/-   ##
===========================================
+ Coverage    94.18%   94.35%   +0.17%     
===========================================
  Files          182      185       +3     
  Lines        13717    14761    +1044     
===========================================
+ Hits         12919    13928    +1009     
- Misses         798      833      +35
Impacted Files Coverage Δ
src/Adapters/Analytics/AnalyticsAdapter.js 50.00% <ø> (+16.66%) ⬆️
src/Adapters/Cache/CacheAdapter.js 100.00% <ø> (ø)
src/Adapters/Email/MailAdapter.js 100.00% <ø> (ø)
src/Adapters/Files/FilesAdapter.js 100.00% <ø> (ø)
src/Adapters/Logger/LoggerAdapter.js 100.00% <ø> (ø)
src/Adapters/PubSub/PubSubAdapter.js 100.00% <ø> (ø)
src/Adapters/Push/PushAdapter.js 66.66% <ø> (+16.66%) ⬆️
src/Adapters/WebSocketServer/WSSAdapter.js 100.00% <ø> (ø)
src/Deprecator/Deprecations.js 100.00% <ø> (ø)
src/GraphQL/helpers/objectsQueries.js 90.90% <ø> (+0.28%) ⬆️
... and 66 more

... and 65 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@mtrezza mtrezza merged commit 3dd99dd into release Jun 28, 2023
@mtrezza mtrezza deleted the fix-release-7vr6 branch June 28, 2023 20:57
@mtrezza mtrezza changed the title fix: Release-7vr6 fix: Remote code execution via MongoDB BSON parser through prototype pollution Jun 28, 2023
parseplatformorg pushed a commit that referenced this pull request Jun 28, 2023
@semantic-release-bot
chore(release): 6.2.1 [skip ci]
3289181 
## [6.2.1](6.2.0...6.2.1) (2023-06-28)

### Bug Fixes

* Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) ([#8674](#8674)) ([3dd99dd](3dd99dd))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.2.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Jun 28, 2023
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Sep 16, 2023
@mtrezza
Merge branch 'release' into build
391c7a0 
* release:
  chore(release): 6.2.2 [skip ci]
  fix: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](GHSA-fcv6-fg5r-jm9q)
  chore(release): 6.2.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8674)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Sep 16, 2023
@mtrezza
Merge branch 'beta' into build
4baeae4 
* beta:
  chore(release): 6.3.0 [skip ci]
  release
  refactor: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger (parse-community#8734)
  chore(release): 6.2.2 [skip ci]
  fix: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](GHSA-fcv6-fg5r-jm9q)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8677)
  chore(release): 6.2.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8674)
  refactor: Add option to convert `Parse.Object` to instance in Cloud Function payload (parse-community#8656)
ashish-naik added a commit to ashish-naik/parse-server-FB-signup-error206 that referenced this pull request Sep 19, 2023
@ashish-naik
Merge commit 'b1e1bf6708f5d32b2846e66de40f48fb0ec1dc86' into alpha
dd5529c 
* commit 'b1e1bf6708f5d32b2846e66de40f48fb0ec1dc86':
  chore(release): 6.4.0-beta.1 [skip ci]
  release
  chore(release): 6.3.0 [skip ci]
  release
  chore(release): 6.3.0-alpha.9 [skip ci]
  perf: Improve performance of recursive pointer iterations (parse-community#8741)
  refactor: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger (parse-community#8734)
  chore(release): 6.2.2 [skip ci]
  fix: Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger; fixes security vulnerability [GHSA-fcv6-fg5r-jm9q](GHSA-fcv6-fg5r-jm9q)
  refactor: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8677)
  chore(release): 6.2.1 [skip ci]
  fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](GHSA-462x-c3jw-7vr6) (parse-community#8674)
  refactor: Add option to convert `Parse.Object` to instance in Cloud Function payload (parse-community#8656)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
state:released Released as stable version
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mtrezza @parseplatformorg @dblythy