Skip to content

Commit 5bd5893

Browse files
MoumoulsMoumouls
committed
Merge branch 'upstream/alpha' into moumouls/update-graphql
# Conflicts: # package-lock.json # package.json
2 parents f83b92e + e6d7d8f commit 5bd5893

File tree

6 files changed

+175
-95
lines changed

6 files changed

+175
-95
lines changed

changelogs/CHANGELOG_release.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
## [5.2.1](https://github.com/parse-community/parse-server/compare/5.2.0...5.2.1) (2022-05-01)
2+
3+
4+
### Bug Fixes
5+
6+
* authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) ([#7962](https://github.com/parse-community/parse-server/issues/7962)) ([af4a041](https://github.com/parse-community/parse-server/commit/af4a0417a9f3c1e99b3793806b4b18e04d9fa999))
7+
18
# [5.2.0](https://github.com/parse-community/parse-server/compare/5.1.1...5.2.0) (2022-03-24)
29

310

package-lock.json

Lines changed: 81 additions & 33 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@
2626
"@parse/fs-files-adapter": "1.2.2",
2727
"@parse/push-adapter": "4.1.2",
2828
"bcryptjs": "2.4.3",
29-
"body-parser": "1.19.2",
29+
"body-parser": "1.20.0",
3030
"commander": "5.1.0",
3131
"cors": "2.8.5",
3232
"deepcopy": "2.1.0",

spec/AuthenticationAdapters.spec.js

Lines changed: 35 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -1652,7 +1652,8 @@ describe('apple signin auth adapter', () => {
16521652

16531653
describe('Apple Game Center Auth adapter', () => {
16541654
const gcenter = require('../lib/Adapters/Auth/gcenter');
1655-
1655+
const fs = require('fs');
1656+
const testCert = fs.readFileSync(__dirname + '/support/cert/game_center.pem');
16561657
it('validateAuthData should validate', async () => {
16571658
// real token is used
16581659
const authData = {
@@ -1664,68 +1665,51 @@ describe('Apple Game Center Auth adapter', () => {
16641665
salt: 'DzqqrQ==',
16651666
bundleId: 'cloud.xtralife.gamecenterauth',
16661667
};
1667-
1668-
try {
1669-
await gcenter.validateAuthData(authData);
1670-
} catch (e) {
1671-
fail();
1672-
}
1668+
gcenter.cache['https://static.gc.apple.com/public-key/gc-prod-4.cer'] = testCert;
1669+
await gcenter.validateAuthData(authData);
16731670
});
16741671

16751672
it('validateAuthData invalid signature id', async () => {
16761673
const authData = {
16771674
id: 'G:1965586982',
1678-
publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer',
1679-
timestamp: 1565257031287,
1680-
signature: '1234',
1681-
salt: 'DzqqrQ==',
1682-
bundleId: 'cloud.xtralife.gamecenterauth',
1683-
};
1684-
1685-
try {
1686-
await gcenter.validateAuthData(authData);
1687-
fail();
1688-
} catch (e) {
1689-
expect(e.message).toBe('Apple Game Center - invalid signature');
1690-
}
1691-
});
1692-
1693-
it('validateAuthData invalid public key url', async () => {
1694-
const authData = {
1695-
id: 'G:1965586982',
1696-
publicKeyUrl: 'invalid.com',
1675+
publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-6.cer',
16971676
timestamp: 1565257031287,
16981677
signature: '1234',
16991678
salt: 'DzqqrQ==',
1700-
bundleId: 'cloud.xtralife.gamecenterauth',
1679+
bundleId: 'com.example.com',
17011680
};
1702-
1703-
try {
1704-
await gcenter.validateAuthData(authData);
1705-
fail();
1706-
} catch (e) {
1707-
expect(e.message).toBe('Apple Game Center - invalid publicKeyUrl: invalid.com');
1708-
}
1681+
await expectAsync(gcenter.validateAuthData(authData)).toBeRejectedWith(
1682+
new Parse.Error(Parse.Error.SCRIPT_FAILED, 'Apple Game Center - invalid signature')
1683+
);
17091684
});
17101685

17111686
it('validateAuthData invalid public key http url', async () => {
1712-
const authData = {
1713-
id: 'G:1965586982',
1714-
publicKeyUrl: 'http://static.gc.apple.com/public-key/gc-prod-4.cer',
1715-
timestamp: 1565257031287,
1716-
signature: '1234',
1717-
salt: 'DzqqrQ==',
1718-
bundleId: 'cloud.xtralife.gamecenterauth',
1719-
};
1720-
1721-
try {
1722-
await gcenter.validateAuthData(authData);
1723-
fail();
1724-
} catch (e) {
1725-
expect(e.message).toBe(
1726-
'Apple Game Center - invalid publicKeyUrl: http://static.gc.apple.com/public-key/gc-prod-4.cer'
1727-
);
1728-
}
1687+
const publicKeyUrls = [
1688+
'example.com',
1689+
'http://static.gc.apple.com/public-key/gc-prod-4.cer',
1690+
'https://developer.apple.com/assets/elements/badges/download-on-the-app-store.svg',
1691+
'https://example.com/ \\.apple.com/public_key.cer',
1692+
'https://example.com/ &.apple.com/public_key.cer',
1693+
];
1694+
await Promise.all(
1695+
publicKeyUrls.map(publicKeyUrl =>
1696+
expectAsync(
1697+
gcenter.validateAuthData({
1698+
id: 'G:1965586982',
1699+
timestamp: 1565257031287,
1700+
publicKeyUrl,
1701+
signature: '1234',
1702+
salt: 'DzqqrQ==',
1703+
bundleId: 'com.example.com',
1704+
})
1705+
).toBeRejectedWith(
1706+
new Parse.Error(
1707+
Parse.Error.SCRIPT_FAILED,
1708+
`Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
1709+
)
1710+
)
1711+
)
1712+
);
17291713
});
17301714
});
17311715

spec/support/cert/game_center.pem

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIEvDCCA6SgAwIBAgIQXRHxNXkw1L9z5/3EZ/T/hDANBgkqhkiG9w0BAQsFADB/
3+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
4+
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxMDAuBgNVBAMTJ1N5bWFudGVj
5+
IENsYXNzIDMgU0hBMjU2IENvZGUgU2lnbmluZyBDQTAeFw0xODA5MTcwMDAwMDBa
6+
Fw0xOTA5MTcyMzU5NTlaMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
7+
bmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8xFDASBgNVBAoMC0FwcGxlLCBJbmMuMQ8w
8+
DQYDVQQLDAZHQyBTUkUxFDASBgNVBAMMC0FwcGxlLCBJbmMuMIIBIjANBgkqhkiG
9+
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA06fwIi8fgKrTQu7cBcFkJVF6+Tqvkg7MKJTM
10+
IOYPPQtPF3AZYPsbUoRKAD7/JXrxxOSVJ7vU1mP77tYG8TcUteZ3sAwvt2dkRbm7
11+
ZO6DcmSggv1Dg4k3goNw4GYyCY4Z2/8JSmsQ80Iv/UOOwynpBziEeZmJ4uck6zlA
12+
17cDkH48LBpKylaqthym5bFs9gj11pto7mvyb5BTcVuohwi6qosvbs/4VGbC2Nsz
13+
ie416nUZfv+xxoXH995gxR2mw5cDdeCew7pSKxEhvYjT2nVdQF0q/hnPMFnOaEyT
14+
q79n3gwFXyt0dy8eP6KBF7EW9J6b7ubu/j7h+tQfxPM+gTXOBQIDAQABo4IBPjCC
15+
ATowCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH
16+
AwMwYQYDVR0gBFowWDBWBgZngQwBBAEwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9k
17+
LnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIwGQwXaHR0cHM6Ly9kLnN5bWNiLmNv
18+
bS9ycGEwHwYDVR0jBBgwFoAUljtT8Hkzl699g+8uK8zKt4YecmYwKwYDVR0fBCQw
19+
IjAgoB6gHIYaaHR0cDovL3N2LnN5bWNiLmNvbS9zdi5jcmwwVwYIKwYBBQUHAQEE
20+
SzBJMB8GCCsGAQUFBzABhhNodHRwOi8vc3Yuc3ltY2QuY29tMCYGCCsGAQUFBzAC
21+
hhpodHRwOi8vc3Yuc3ltY2IuY29tL3N2LmNydDANBgkqhkiG9w0BAQsFAAOCAQEA
22+
I/j/PcCNPebSAGrcqSFBSa2mmbusOX01eVBg8X0G/z8Z+ZWUfGFzDG0GQf89MPxV
23+
woec+nZuqui7o9Bg8s8JbHV0TC52X14CbTj9w/qBF748WbH9gAaTkrJYPm+MlNhu
24+
tjEuQdNl/YXVMvQW4O8UMHTi09GyJQ0NC4q92Wxvx1m/qzjvTLvrXHGQ9pEHhPyz
25+
vfBLxQkWpNoCNKU7UeESyH06XOrGc9MsII9deeKsDJp9a0jtx+pP4MFVtFME9SSQ
26+
tMBs0It7WwEf7qcRLpialxKwY2EzQ9g4WnANHqo18PrDBE10TFpZPzUh7JhMViVr
27+
EEbl0YdElmF8Hlamah/yNw==
28+
-----END CERTIFICATE-----

0 commit comments

Comments
 (0)