Merge branch 'alpha' into moumouls/fixGraphIQL

Author: mtrezza

.github/workflows/ci.yml

@@ -1,9 +1,9 @@
 name: ci
 on:
   push:
-    branches: [ release, alpha, beta ]
+    branches: [ release*, alpha, beta ]
   pull_request:
-    branches: [ release, alpha, beta ]
+    branches: [ release*, alpha, beta ]
 env:
   NODE_VERSION: 18.12.1
   PARSE_SERVER_TEST_TIMEOUT: 20000

DEPRECATIONS.md

@@ -4,7 +4,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 
 | ID     | Change                                          | Issue                                                                | Deprecation [ℹ️][i_deprecation] | Planned Removal [ℹ️][i_removal] | Status [ℹ️][i_status] | Notes |
 |--------|-------------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------|
-| DEPPS1 | Native MongoDB syntax in aggregation pipeline   | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
+| DEPPS1 | Native MongoDB syntax in aggregation pipeline   | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,27 @@
+# [6.0.0-alpha.19](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.18...6.0.0-alpha.19) (2023-01-05)
+
+
+### Features
+
+* Remove deprecation `DEPPS1`: Native MongoDB syntax in aggregation pipeline ([#8362](https://github.com/parse-community/parse-server/issues/8362)) ([d0d30c4](https://github.com/parse-community/parse-server/commit/d0d30c4f1394f563724644a8fc81734be538a2c0))
+
+
+### BREAKING CHANGES
+
+* The MongoDB aggregation pipeline requires native MongoDB syntax instead of the custom Parse Server syntax; for example pipeline stage names require a leading dollar sign like `$match` and the MongoDB document ID is referenced using `_id` instead of `objectId` (#8362) ([d0d30c4](d0d30c4))
+
+# [6.0.0-alpha.18](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.17...6.0.0-alpha.18) (2023-01-05)
+
+
+### Bug Fixes
+
+* The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option `masterKeyIps` may be circumvented, see [GHSA-vm5r-c87r-pf6x](https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x) ([#8372](https://github.com/parse-community/parse-server/issues/8372)) ([892040d](https://github.com/parse-community/parse-server/commit/892040dc2f82a3e2abe2824e4b553521b6f894de))
+
+
+### BREAKING CHANGES
+
+* The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting (#8372) ([892040d](892040d))
+
 # [6.0.0-alpha.17](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.16...6.0.0-alpha.17) (2022-12-22)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "6.0.0-alpha.17",
+  "version": "6.0.0-alpha.19",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -1,34 +1,31 @@
 const AggregateRouter = require('../lib/Routers/AggregateRouter').AggregateRouter;
 
 describe('AggregateRouter', () => {
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline from Array', () => {
     const body = [
       {
-        group: { objectId: {} },
+        $group: { _id: {} },
       },
     ];
     const expected = [{ $group: { _id: {} } }];
     const result = AggregateRouter.getPipeline(body);
     expect(result).toEqual(expected);
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline from Object', () => {
     const body = {
-      group: { objectId: {} },
+      $group: { _id: {} },
     };
     const expected = [{ $group: { _id: {} } }];
     const result = AggregateRouter.getPipeline(body);
     expect(result).toEqual(expected);
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline from Pipeline Operator (Array)', () => {
     const body = {
       pipeline: [
         {
-          group: { objectId: {} },
+          $group: { _id: {} },
         },
       ],
     };
@@ -37,55 +34,53 @@ describe('AggregateRouter', () => {
     expect(result).toEqual(expected);
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline from Pipeline Operator (Object)', () => {
     const body = {
       pipeline: {
-        group: { objectId: {} },
+        $group: { _id: {} },
       },
     };
     const expected = [{ $group: { _id: {} } }];
     const result = AggregateRouter.getPipeline(body);
     expect(result).toEqual(expected);
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline fails multiple keys in Array stage ', () => {
     const body = [
       {
-        group: { objectId: {} },
-        match: { name: 'Test' },
+        $group: { _id: {} },
+        $match: { name: 'Test' },
       },
     ];
-    try {
-      AggregateRouter.getPipeline(body);
-    } catch (e) {
-      expect(e.message).toBe('Pipeline stages should only have one key found group, match');
-    }
+    expect(() => AggregateRouter.getPipeline(body)).toThrow(
+      new Parse.Error(
+        Parse.Error.INVALID_QUERY,
+        'Pipeline stages should only have one key but found $group, $match.'
+      )
+    );
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get pipeline fails multiple keys in Pipeline Operator Array stage ', () => {
     const body = {
       pipeline: [
         {
-          group: { objectId: {} },
-          match: { name: 'Test' },
+          $group: { _id: {} },
+          $match: { name: 'Test' },
         },
       ],
     };
-    try {
-      AggregateRouter.getPipeline(body);
-    } catch (e) {
-      expect(e.message).toBe('Pipeline stages should only have one key found group, match');
-    }
+    expect(() => AggregateRouter.getPipeline(body)).toThrow(
+      new Parse.Error(
+        Parse.Error.INVALID_QUERY,
+        'Pipeline stages should only have one key but found $group, $match.'
+      )
+    );
   });
 
-  // TODO: update pipeline syntax. See [#7339](https://bit.ly/3incnWx)
   it('get search pipeline from Pipeline Operator (Array)', () => {
     const body = {
       pipeline: {
-        search: {},
+        $search: {},
       },
     };
     const expected = [{ $search: {} }];
@@ -105,7 +100,7 @@ describe('AggregateRouter', () => {
   it('support nested stage names starting with `$`', () => {
     const body = [
       {
-        lookup: {
+        $lookup: {
           from: 'ACollection',
           let: { id: '_id' },
           as: 'results',
@@ -145,11 +140,11 @@ describe('AggregateRouter', () => {
 
   it('support the use of `_id` in stages', () => {
     const body = [
-      { match: { _id: 'randomId' } },
-      { sort: { _id: -1 } },
-      { addFields: { _id: 1 } },
-      { group: { _id: {} } },
-      { project: { _id: 0 } },
+      { $match: { _id: 'randomId' } },
+      { $sort: { _id: -1 } },
+      { $addFields: { _id: 1 } },
+      { $group: { _id: {} } },
+      { $project: { _id: 0 } },
     ];
     const expected = [
       { $match: { _id: 'randomId' } },
@@ -161,4 +156,19 @@ describe('AggregateRouter', () => {
     const result = AggregateRouter.getPipeline(body);
     expect(result).toEqual(expected);
   });
+
+  it('should throw with invalid stage', () => {
+    expect(() => AggregateRouter.getPipeline([{ foo: 'bar' }])).toThrow(
+      new Parse.Error(Parse.Error.INVALID_QUERY, `Invalid aggregate stage 'foo'.`)
+    );
+  });
+
+  it('should throw with invalid group', () => {
+    expect(() => AggregateRouter.getPipeline([{ $group: { objectId: 'bar' } }])).toThrow(
+      new Parse.Error(
+        Parse.Error.INVALID_QUERY,
+        `Cannot use 'objectId' in aggregation stage $group.`
+      )
+    );
+  });
 });

spec/AggregateRouter.spec.js

@@ -2774,7 +2774,7 @@ describe('afterFind hooks', () => {
     const obj = new Parse.Object('MyObject');
     const pipeline = [
       {
-        group: { objectId: {} },
+        $group: { _id: {} },
       },
     ];
     obj

spec/CloudCode.spec.js

@@ -173,72 +173,6 @@ describe('middlewares', () => {
     expect(fakeReq.auth.isMaster).toBe(true);
   });
 
-  it('should not succeed if the connection.remoteAddress does not belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.connection = { remoteAddress: '127.0.0.1' };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(false);
-  });
-
-  it('should succeed if the connection.remoteAddress does belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.connection = { remoteAddress: '10.0.0.1' };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(true);
-  });
-
-  it('should not succeed if the socket.remoteAddress does not belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.socket = { remoteAddress: '127.0.0.1' };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(false);
-  });
-
-  it('should succeed if the socket.remoteAddress does belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.socket = { remoteAddress: '10.0.0.1' };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(true);
-  });
-
-  it('should not succeed if the connection.socket.remoteAddress does not belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.connection = { socket: { remoteAddress: 'ip3' } };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(false);
-  });
-
-  it('should succeed if the connection.socket.remoteAddress does belong to masterKeyIps list', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1', '10.0.0.2'],
-    });
-    fakeReq.connection = { socket: { remoteAddress: '10.0.0.1' } };
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(true);
-  });
-
   it('should allow any ip to use masterKey if masterKeyIps is empty', async () => {
     AppCache.put(fakeReq.body._ApplicationId, {
       masterKey: 'masterKey',
@@ -250,48 +184,9 @@ describe('middlewares', () => {
     expect(fakeReq.auth.isMaster).toBe(true);
   });
 
-  it('should succeed if xff header does belong to masterKeyIps', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1'],
-    });
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    fakeReq.headers['x-forwarded-for'] = '10.0.0.1, 10.0.0.2, ip3';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(true);
-  });
-
-  it('should succeed if xff header with one ip does belong to masterKeyIps', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1'],
-    });
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    fakeReq.headers['x-forwarded-for'] = '10.0.0.1';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(true);
-  });
-
-  it('should not succeed if xff header does not belong to masterKeyIps', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['ip4'],
-    });
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    fakeReq.headers['x-forwarded-for'] = '10.0.0.1, 10.0.0.2, ip3';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(false);
-  });
-
-  it('should not succeed if xff header is empty and masterKeyIps is set', async () => {
-    AppCache.put(fakeReq.body._ApplicationId, {
-      masterKey: 'masterKey',
-      masterKeyIps: ['10.0.0.1'],
-    });
-    fakeReq.headers['x-parse-master-key'] = 'masterKey';
-    fakeReq.headers['x-forwarded-for'] = '';
-    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
-    expect(fakeReq.auth.isMaster).toBe(false);
+  it('can set trust proxy', async () => {
+    const server = await reconfigureServer({ trustProxy: 1 });
+    expect(server.app.parent.settings['trust proxy']).toBe(1);
   });
 
   it('should properly expose the headers', () => {