Skip to content

Remove hidden properties from aggregate responses#4351

Merged
montymxb merged 4 commits intoparse-community:masterfrom
montymxb:aggregate-field-leak-fix
Nov 23, 2017
Merged

Remove hidden properties from aggregate responses#4351
montymxb merged 4 commits intoparse-community:masterfrom
montymxb:aggregate-field-leak-fix

Conversation

@montymxb
Copy link
Contributor

@montymxb montymxb commented Nov 15, 2017

Noticed that the newly added aggregate endpoint leaks hidden properties. This could be particularly problematic if this endpoint is used with the _User class, where particularly sensitive information is leaked.

This utilizes the same screening function that's used in the UsersRouter (removeHiddenProperties) to remove any hidden properties as the last step before the response is sent. That feels like it should be factored out into a separate utils file, but the priority is in making sure this issue is addressed first.

We'll want this (or an equivalent solution) in place before we create any releases containing the aggregate code.

@codecov
Copy link

codecov bot commented Nov 15, 2017
edited
Loading

Codecov Report

Merging #4351 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #4351      +/-   ##
==========================================
- Coverage   92.74%   92.73%   -0.02%     
==========================================
  Files         119      119              
  Lines        8438     8448      +10     
==========================================
+ Hits         7826     7834       +8     
- Misses        612      614       +2
Impacted Files Coverage Δ
src/Controllers/DatabaseController.js 94.84% <100%> (ø) ⬆️
...dapters/Storage/Postgres/PostgresStorageAdapter.js 96.76% <100%> (+0.01%) ⬆️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js 95.17% <100%> (+0.04%) ⬆️
src/Routers/AggregateRouter.js 100% <100%> (ø) ⬆️
src/RestWrite.js 93.14% <0%> (-0.55%) ⬇️
src/Adapters/Storage/Mongo/MongoTransform.js 85.5% <0%> (+0.16%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 37ceae0...85d94c5. Read the comment docs.

flovilmart
flovilmart suggested changes Nov 15, 2017
View reviewed changes
spec/ParseQuery.Aggregate.spec.js

expect(result.objectId).not.toBe(undefined);
expect(result.username).toBe(username);
expect(result.score).toBe(score);
Copy link
Contributor

@flovilmart flovilmart Nov 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we check that result.updatedAt and result.createdAt are set, as well as ACL?

Copy link
Member

@dplewis dplewis Nov 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think they are set. Should they be set?

Copy link
Contributor

@flovilmart flovilmart Nov 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should transform transform the results to the proper parse format otherwise the clients ain't gonna like it .

Copy link
Contributor Author

@montymxb montymxb Nov 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@flovilmart , all 3 of those are actually returned, but in their direct mongodb forms under their original keys _acl, _created_at and _updated_at. Now that I think of it there should be a transform function somewhere in the mongodb transform or adapter that would move them to the expected keys. I'll look for that and add it into the PR here.

@dplewis dplewis mentioned this pull request Nov 15, 2017
Merged
@montymxb
Copy link
Contributor Author

montymxb commented Nov 22, 2017

@flovilmart changes have been made. Just utilized the standard transforms for results returned in both mongodb's & postgres's adapters.

@flovilmart
Copy link
Contributor

flovilmart commented Nov 22, 2017

Looking good!

@montymxb montymxb merged commit 7944e2b into parse-community:master Nov 23, 2017
@montymxb montymxb deleted the aggregate-field-leak-fix branch November 23, 2017 07:07
UnderratedDev pushed a commit to UnderratedDev/parse-server that referenced this pull request Mar 21, 2020
@montymxb
Remove hidden properties from aggregate responses (parse-community#4351)
b1a1140 
* Remove hidden properties from aggregrate responses

* transform results from mongo & postgres

* Adjust ordering to comply with tests
@dplewis dplewis mentioned this pull request May 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@flovilmart flovilmart flovilmart approved these changes

@dplewis dplewis dplewis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@montymxb @flovilmart @dplewis