

fix: Improve PostgreSQL injection detection; fixes security vulnerabi…
…lity [GHSA-6927-3vr9-fxf2](GHSA-6927-3vr9-fxf2) which affects Parse Server deployments using a Postgres database (#8960)
mtrezza authored Mar 1, 2024
1 parent 244e343 commit a6e6549
Showing 2 changed files with 26 additions and 1 deletion.
25 changes: 25 additions & 0 deletions spec/vulnerabilities.spec.js
Expand Up @@ -459,3 +459,28 @@ describe('Vulnerabilities', () => {
});
});
});

describe('Postgres regex sanitizater', () => {
it('sanitizes the regex correctly to prevent Injection', async () => {
const user = new Parse.User();
user.set('username', 'username');
user.set('password', 'password');
user.set('email', '[email protected]');
await user.signUp();

const response = await request({
method: 'GET',
url:
"http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--",
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
});

expect(response.status).toBe(200);
expect(response.data.results).toEqual(jasmine.any(Array));
expect(response.data.results.length).toBe(0);
});
});
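Review bot: The assertions `expect(response.status).toBe(200)` through `expect(response.data.results.length).toBe(0)` cannot distinguish a sanitized query from one that actually executed the injected `PG_SLEEP(3)` — a time-based payload that runs would plausibly still yield 200 and an empty result set, only three seconds later, so the test would pass either way. Record a timestamp before the request, `const start = Date.now();`, and bound the round trip after the result checks with `expect(Date.now() - start).toBeLessThan(3000);`, so the test fails if the payload reaches the database. The `describe` title also has a typo: `'Postgres regex sanitizater'` should read `'Postgres regex sanitizer'`.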
2 changes: 1 addition & 1 deletion src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
Expand Up @@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) {
.replace(/([^\\])(\\Q)/, '$1')
.replace(/^\\E/, '')
.replace(/^\\Q/, '')
.replace(/([^'])'/, `$1''`)
.replace(/([^'])'/g, `$1''`)
.replace(/^'([^'])/, `''$1`);
}
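Review bot: Adding `g` to `/([^'])'/` escapes every quote that follows a non-quote character, but a quote that follows another quote is still skipped, so inputs such as `a''b`, a leading `''` or a trailing `''` come out with an odd number of quotes and an unbalanced SQL literal; the `^'([^'])` rule on the following line only covers a single leading quote. If `s` is raw user-supplied regex text rather than text that is already SQL-escaped, the two quote rules can be collapsed into the unconditional `.replace(/'/g, "''")`, which doubles every quote regardless of its neighbour. Where the call site permits, passing the regex as a bound query parameter instead of splicing an escaped literal into the statement removes the escaping question altogether. The `\\Q`/`\\E` replacements above use the same single-match form without `g`; whether that is a problem depends on handling outside the hunk. `literalizeRegexPart` starts outside the hunk.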


