Merge branch 'master' into dependabot/npm_and_yarn/http-cache-semantics-4.1.1

Author: mtrezza

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
     branches: [ '**' ]
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - name: Checkout repository

CHANGELOG.md

@@ -1,3 +1,24 @@
+## [4.2.1](https://github.com/parse-community/parse-server-push-adapter/compare/4.2.0...4.2.1) (2023-10-02)
+
+
+### Bug Fixes
+
+* Upgrade @parse/node-apn from 5.2.1 to 5.2.3 ([#221](https://github.com/parse-community/parse-server-push-adapter/issues/221)) ([7aaab38](https://github.com/parse-community/parse-server-push-adapter/commit/7aaab38b8c97215ea9e63f87fc627450646c714e))
+
+# [4.2.0](https://github.com/parse-community/parse-server-push-adapter/compare/4.1.3...4.2.0) (2023-08-06)
+
+
+### Features
+
+* Upgrade @parse/node-apn from 5.1.3 to 5.2.1 ([#220](https://github.com/parse-community/parse-server-push-adapter/issues/220)) ([3b932d1](https://github.com/parse-community/parse-server-push-adapter/commit/3b932d1e40ddf81d38fcd7f3bbb71bbdcf848978))
+
+## [4.1.3](https://github.com/parse-community/parse-server-push-adapter/compare/4.1.2...4.1.3) (2023-05-20)
+
+
+### Bug Fixes
+
+* Validate push notification payload; fixes a security vulnerability in which the adapter can crash Parse Server due to an invalid push notification payload ([#217](https://github.com/parse-community/parse-server-push-adapter/issues/217)) ([598cb84](https://github.com/parse-community/parse-server-push-adapter/commit/598cb84d0866b7c5850ca96af920e8cb5ba243ec))
+
 ## [4.1.2](https://github.com/parse-community/parse-server-push-adapter/compare/4.1.1...4.1.2) (2022-03-27)
 
 

README.md

@@ -19,8 +19,6 @@ The official Push Notification adapter for Parse Server. See [Parse Server Push
   - [Install Push Adapter](#install-push-adapter)
   - [Configure Parse Server](#configure-parse-server)
 
-
-
 # Silent Notifications
 
 If you have migrated from parse.com and you are seeing situations where silent (newsstand-like presentless) notifications are failing to deliver please ensure that your payload is setting the content-available attribute to Int(1) and not "1" This value will be explicitly checked.
@@ -44,30 +42,26 @@ This will produce a more verbose output for all the push sending attempts
 ## Install Push Adapter
 
 ```
-npm install --save @parse/push-adapter@VERSION
+npm install --save @parse/push-adapter@<VERSION>
 ```
 
-Replace VERSION with the version you want to install.
+Replace `<VERSION>` with the version you want to install.
 
 ## Configure Parse Server
 
 ```js
 const PushAdapter = require('@parse/push-adapter').default;
-const pushOptions = {
-  ios: { /* iOS push options */ } ,
-  android: { /* android push options */ }   
-}
-// starting 3.0.0
-const options = {
-  appId: "****",
-  masterKey: "****",
+const parseServerOptions = {
   push: {
-    adapter: new PushAdapter(pushOptions),
+    adapter: new PushAdapter({
+      ios: {
+        /* Apple push notification options */
+      },
+      android: {
+        /* Android push options */
+      }
+    })
   },
-  /* ... */ 
+  /* Other Parse Server options */
 }
-
-const server = new ParseServer(options);
-
-/* continue with the initialization of parse-server */
 ```

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@parse/push-adapter",
-  "version": "4.1.2",
+  "version": "4.2.1",
   "description": "Base parse-server-push-adapter",
   "main": "lib/index.js",
   "files": [
@@ -40,7 +40,7 @@
     "semantic-release": "17.4.6"
   },
   "dependencies": {
-    "@parse/node-apn": "5.1.3",
+    "@parse/node-apn": "5.2.3",
     "@parse/node-gcm": "1.0.2",
     "npmlog": "4.1.2",
     "parse": "3.4.0"

package.json

@@ -104,7 +104,7 @@ describe('APNS', () => {
 
     var prodApnsConnection = apns.providers[0];
     expect(prodApnsConnection.index).toBe(0);
-    
+
     // TODO: Remove this checking onec we inject APNS
     var prodApnsOptions = prodApnsConnection.client.config;
     expect(prodApnsOptions.cert).toBe(args[1].cert);
@@ -239,7 +239,7 @@ describe('APNS', () => {
     expect(notification.pushType).toEqual('alert');
     done();
   });
-  
+
   it('can generate APNS notification from raw data', (done) => {
       //Mock request data
       let data = {
@@ -259,17 +259,17 @@ describe('APNS', () => {
       let collapseId = "collapseIdentifier";
       let pushType = "background";
       let priority = 5;
-  
+
       let notification = APNS._generateNotification(data, { expirationTime: expirationTime, collapseId: collapseId, pushType: pushType, priority: priority });
-  
+
       expect(notification.expiry).toEqual(Math.round(expirationTime / 1000));
       expect(notification.collapseId).toEqual(collapseId);
       expect(notification.pushType).toEqual(pushType);
       expect(notification.priority).toEqual(priority);
-  
+
       let stringifiedJSON = notification.compile();
       let jsonObject = JSON.parse(stringifiedJSON);
-  
+
       expect(jsonObject.aps.alert).toEqual({ "loc-key" : "GAME_PLAY_REQUEST_FORMAT", "loc-args" : [ "Jenna", "Frank"] });
       expect(jsonObject.aps.badge).toEqual(100);
       expect(jsonObject.aps.sound).toEqual('test');
@@ -315,6 +315,20 @@ describe('APNS', () => {
     done();
   });
 
+  it('does log on invalid APNS notification', async () => {
+    const args = {
+      cert: new Buffer('testCert'),
+      key: new Buffer('testKey'),
+      production: true,
+      topic: 'topic'
+    };
+    const log = require('npmlog');
+    const spy = spyOn(log, 'warn');
+    const apns = new APNS(args);
+    apns.send();
+    expect(spy).toHaveBeenCalled();
+  });
+
   it('can send APNS notification', (done) => {
     let args = {
       cert: new Buffer('testCert'),

spec/APNS.spec.js

@@ -10,7 +10,7 @@ function mockSender(gcm) {
         {"error":"InvalidRegistration"},
         {"error":"InvalidRegistration"},
         {"error":"InvalidRegistration"}] }*/
-    
+
     let tokens = options.registrationTokens;
     const response = {
       multicast_id: 7680139367771848000,
@@ -58,6 +58,14 @@ describe('GCM', () => {
     done();
   });
 
+  it('does log on invalid APNS notification', async () => {
+    const log = require('npmlog');
+    const spy = spyOn(log, 'warn');
+    const gcm = new GCM({apiKey: 'apiKey'});
+    gcm.send();
+    expect(spy).toHaveBeenCalled();
+  });
+
   it('can generate GCM Payload without expiration time', (done) => {
     //Mock request data
     var requestData = {

spec/GCM.spec.js

@@ -70,7 +70,11 @@ export class APNS {
    * @returns {Object} A promise which is resolved immediately
    */
   send(data, allDevices) {
-    let coreData = data.data;
+    let coreData = data && data.data;
+    if (!coreData || !allDevices || !Array.isArray(allDevices)) {
+      log.warn(LOG_PREFIX, 'invalid push payload');
+      return;
+    }
     let expirationTime = data['expiration_time'] || coreData['expiration_time'];
     let collapseId = data['collapse_id'] || coreData['collapse_id'];
     let pushType = data['push_type'] || coreData['push_type'];

src/APNS.js

@@ -26,6 +26,10 @@ GCM.GCMRegistrationTokensMax = GCMRegistrationTokensMax;
  * @returns {Object} A promise which is resolved after we get results from gcm
  */
 GCM.prototype.send = function(data, devices) {
+  if (!data || !devices || !Array.isArray(devices)) {
+    log.warn(LOG_PREFIX, 'invalid push payload');
+    return;
+  }
   let pushId = randomString(10);
   // Make a new array
   devices=devices.slice(0);