fix: Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability [GHSA-6hh7-46r2-vf29](GHSA-6hh7-46r2-vf29) (#9024)

Author: mtrezza

spec/ParseHooks.spec.js

@@ -694,3 +694,36 @@ describe('triggers', () => {
     expect(req.context).toBeUndefined();
   });
 });
+
+describe('sanitizing names', () => {
+  const invalidNames = [
+    `test'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5cxxxxxxxxxxxxxxx.yyyyy'%2b'fy.com%5cxus'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20`,
+    `test.function.name`,
+  ];
+
+  it('should not crash server and return error on invalid Cloud Function name', async () => {
+    for (const invalidName of invalidNames) {
+      let error;
+      try {
+        await Parse.Cloud.run(invalidName);
+      } catch (err) {
+        error = err;
+      }
+      expect(error).toBeDefined();
+      expect(error.message).toMatch(/Invalid function/);
+    }
+  });
+
+  it('should not crash server and return error on invalid Cloud Job name', async () => {
+    for (const invalidName of invalidNames) {
+      let error;
+      try {
+        await Parse.Cloud.startJob(invalidName);
+      } catch (err) {
+        error = err;
+      }
+      expect(error).toBeDefined();
+      expect(error.message).toMatch(/Invalid job/);
+    }
+  });
+});

src/triggers.js

@@ -86,6 +86,12 @@ const Category = {
 };
 
 function getStore(category, name, applicationId) {
+  const invalidNameRegex = /['"`]/;
+  if (invalidNameRegex.test(name)) {
+    // Prevent a malicious user from injecting properties into the store
+    return {};
+  }
+
   const path = name.split('.');
   path.splice(-1); // remove last component
   applicationId = applicationId || Parse.applicationId;
@@ -94,7 +100,7 @@ function getStore(category, name, applicationId) {
   for (const component of path) {
     store = store[component];
     if (!store) {
-      return undefined;
+      return {};
     }
   }
   return store;