fix: session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] (#8180)

mtrezza · web-flow · commit 37fed3062ccc · 2022-09-20T02:23:49.000+02:00
diff --git a/spec/ParseSession.spec.js b/spec/ParseSession.spec.js
@@ -3,6 +3,7 @@
 //
 
 'use strict';
+const request = require('../lib/request');
 
 function setupTestUsers() {
   const user1 = new Parse.User();
@@ -135,4 +136,31 @@ describe('Parse.Session', () => {
         fail(err);
       });
   });
+
+  it('cannot edit session with known ID', async () => {
+    await setupTestUsers();
+    const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true });
+    const headers = {
+      'X-Parse-Application-Id': 'test',
+      'X-Parse-Rest-API-Key': 'rest',
+      'X-Parse-Session-Token': second.get('sessionToken'),
+      'Content-Type': 'application/json',
+    };
+    const firstUser = first.get('user').id;
+    const secondUser = second.get('user').id;
+    const e = await request({
+      method: 'PUT',
+      headers,
+      url: `http://localhost:8378/1/sessions/${first.id}`,
+      body: JSON.stringify({
+        foo: 'bar',
+        user: { __type: 'Pointer', className: '_User', objectId: secondUser },
+      }),
+    }).catch(e => e.data);
+    expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    expect(e.error).toBe('Object not found.');
+    await Parse.Object.fetchAll([first, second], { useMasterKey: true });
+    expect(first.get('user').id).toBe(firstUser);
+    expect(second.get('user').id).toBe(secondUser);
+  });
 });
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -1019,6 +1019,20 @@ RestWrite.prototype.handleSession = function () {
     } else if (this.data.sessionToken) {
       throw new Parse.Error(Parse.Error.INVALID_KEY_NAME);
     }
+    if (!this.auth.isMaster) {
+      this.query = {
+        $and: [
+          this.query,
+          {
+            user: {
+              __type: 'Pointer',
+              className: '_User',
+              objectId: this.auth.user.id,
+            },
+          },
+        ],
+      };
+    }
   }
 
   if (!this.query && !this.auth.isMaster) {
