CLP (Read only) and write request using master key:

[neophob]

Issue Description

• set READ Only CLP (Simple Config)
• try to update an entry / create a new entry

According to the Parse Docs, using the master key for an action should bypass all security checks:

The master key, on the other hand, is definitely a security mechanism. Using the master key allows you to bypass all of your app's security mechanisms, such as class-level permissions and ACLs. Having the master key is like having root access to your app's servers, and you should guard your master key with the same zeal with which you would guard your production machines' root password.

Steps to reproduce

1. Create a Custom Table, set CLP to read only
2. Use this code to create a new entry:

exports.createNewEntry = function(param) {
  const ParseEntry = Parse.Object.extend('Yourname');
  let parseEntry = new ParseEntry();
  parseEntry.set('param', param);

  let acl = new Parse.ACL();
  acl.setPublicReadAccess(true);
  acl.setPublicWriteAccess(false);
  parseEntry.setACL(acl);

  return parseEntry.save({}, { useMasterKey: true })
    .then(parseEntry => {
       ...
    });
};

1. Result: ERROR: ParseError { code: 119, message: 'Permission denied for this action.' }

When I edit the CLP and allow write permission (or only the Create in the advanced section) this code works.

Expected Results

Bypass CLP/ACL Permission when using Master Key

Actual Outcome

No Permission

Environment Setup

• Server
  • parse-server version: 2.2.11
  • Operating System: Linux (Ubuntu)

[steven-supersolid]

Where are you calling createNewEntry - in Cloud Code or client side JS? Cloud Code is trusted so the master key will be set when the SDK is initialized. You can also pass this to the JS SDK if initializing yourself but must only do so if the code is in a trusted environment.

Might be worth testing the same code with the ACL modification removed so you can see if there is a problem with just CLP and standard saving using the master key.

You could also try passing null as the first parameter to save instead of {}. I think either should work but have only tested null.

[neophob]

I call this function from client side js. i initialized the sdk with the mater key. I also tried the null param instead the {} variant with the same result.

when i change the clp permission and add write permission it works.

[flovilmart]

I'll have a look tomorrow. Do you confirm the behavior is different than on parse.com?

[flovilmart]

Something is sure, that should pass with the masterKey

[flovilmart]

I call this function from client side js. i initialized the sdk with the mater key.

This is plain wrong... You should not let your masterKey in the client SDK!

[flovilmart]

I just ran some tests, and this behaves correctly, the masterKey is correctly processed when running from the server.

Again, the masterKey SHOULD NEVER EVER EVER been sent to the client.

Also, if you look at the code here: https://github.com/ParsePlatform/Parse-SDK-JS/blob/master/src/Parse.js#L32

The masterKey is completely ignored when Parse is used in the Client SDK.

[neophob]

hi. i dont deploy rhe master key with my app. i only use it for admin tasks. but I think When Im using cloud code and do security checks there it should work aswell.

thanks

[flovilmart]

Can you provide the logs when running parse-server with VERBOSE=1

[neophob]

sure, clientcode:

const ParseMyClass = Parse.Object.extend('MyClass');
let myClassEntry = new ParseMyClass();
myClassEntry.set('param1', 'CC');
myClassEntry.set('param2', 'BB');
myClassEntry.set('param3', 'AA');

let acl = new Parse.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(false);
myClassEntry.setACL(acl);

return myClassEntry.save({}, { useMasterKey: true })
  .then(entry => {
    console.log('done');
  });

server code (hint: log direction is upside down):

verbose�: error: code=119, message=Permission denied for this action. 
} 
"param1": "CC" 
"param2": "BB", 
"param3": "AA", 
}, 
} 
"read": true 
"*": { 
"ACL": { 
'x-forwarded-port': '80' } { 
'content-type': 'text/plain', 
accept: '*/*', 
'user-agent': 'node-XMLHttpRequest, Parse/js1.8.5 (NodeJS 4.3.2)', 
'x-forwarded-proto': 'http', 
'content-length': '249', 
'x-forwarded-for': '-removed-, -removed-', 
'accept-encoding': 'gzip', 
connection: 'Close', 
�verbose�: POST /parse/classes/MyClass { host: '-removed-',

[flovilmart]

When you say client code, from where is that code run from?

[neophob]

from my workstation (aka. NOT cloud code and NOT on the same device as the server runns)

[flovilmart]

How do you require parse? With require("parse/node") ?

[neophob]

correct yes:

const Parse = require('parse/node');
const PARSE_MASTER_KEY = process.env.XXX_MASTERKEY;
const PARSE_SERVER = process.env.XXX_SERVER;
const PARSE_APPID = process.env.XXX_APPID;
Parse.initialize(PARSE_APPID, '', PARSE_MASTER_KEY);
Parse.serverURL = PARSE_SERVER;

(the master key is obsolete but doesn't hurt)