Merge branch 'master' into ci-remove-node-15

Author: mtrezza

.github/workflows/ci.yml

@@ -103,17 +103,17 @@ jobs:
       matrix:
         include:
           - name: MongoDB 5.0, ReplicaSet, WiredTiger
-            MONGODB_VERSION: 5.0.2
+            MONGODB_VERSION: 5.0.3
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
             NODE_VERSION: 16.9.0
           - name: MongoDB 4.4, ReplicaSet, WiredTiger
-            MONGODB_VERSION: 4.4.8
+            MONGODB_VERSION: 4.4.9
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
             NODE_VERSION: 16.9.0
           - name: MongoDB 4.2, ReplicaSet, WiredTiger
-            MONGODB_VERSION: 4.2.16
+            MONGODB_VERSION: 4.2.17
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
             NODE_VERSION: 16.9.0
@@ -129,20 +129,20 @@ jobs:
             NODE_VERSION: 16.9.0
           - name: Redis Cache
             PARSE_SERVER_TEST_CACHE: redis
-            MONGODB_VERSION: 4.4.8
+            MONGODB_VERSION: 4.4.9
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: wiredTiger
             NODE_VERSION: 16.9.0
           - name: Node 12
-            MONGODB_VERSION: 4.4.8
+            MONGODB_VERSION: 4.4.9
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: wiredTiger
             NODE_VERSION: 12.22.6
           - name: Node 14
-            MONGODB_VERSION: 4.4.8
+            MONGODB_VERSION: 4.4.9
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.6
+            NODE_VERSION: 14.18.0
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15

.github/workflows/release-manual-docker.yml

@@ -0,0 +1,57 @@
+# Trigger this workflow only to manually create a Docker release; this should only be used
+# in extraordinary circumstances, as Docker releases are normally created automatically as
+# part of the automated release workflow.
+
+name: release-manual-docker
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        default: ''
+        description: 'Reference (tag / SHA):'  
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: parseplatform/parse-server
+jobs:
+  build:
+    runs-on: ubuntu-18.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Determine branch name
+        id: branch
+        run: echo "::set-output name=branch_name::${GITHUB_REF#refs/*/}"
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.inputs.ref }}
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Log into Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=${{ steps.branch.outputs.branch_name == 'master' && github.event.inputs.ref == '' }}
+          tags: |
+            type=semver,enable=true,pattern={{version}},value=${{ github.event.inputs.ref }}
+            type=raw,enable=${{ github.event.inputs.ref == '' }},value=latest
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

CHANGELOG.md

@@ -4,7 +4,8 @@ Jump directly to a version:
 
 | 4.x                                  |
 |--------------------------------------|
-| [**4.10.3 (latest release)**](#4103) |
+| [**4.10.4 (latest release)**](#4104) |
+| [4.10.3](#4103) |
 | [4.10.2](#4102)                      |
 | [4.10.1](#4101)                      |
 | [4.10.0](#4100)                      |
@@ -94,7 +95,7 @@ Jump directly to a version:
 ___
 
 ## Unreleased (Master Branch)
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.3...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.4...master)
 
 ### Breaking Changes
 - Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the [Parse Server Option](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) `databaseOptions.enableSchemaHooks: true` to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options `enableSingleSchemaCache` and `schemaCacheTTL` have been removed. To use this feature with MongoDB, a replica set cluster with [change stream](https://docs.mongodb.com/manual/changeStreams/#availability) support is required. (Diamond Lewis, SebC) [#7214](https://github.com/parse-community/parse-server/issues/7214)
@@ -157,6 +158,12 @@ ___
 - Allow cloud string for ES modules (Daniel Blyth) [#7560](https://github.com/parse-community/parse-server/pull/7560)
 - docs: Introduce deprecation ID for reference in comments and online search (Manuel Trezza) [#7562](https://github.com/parse-community/parse-server/pull/7562)
 
+## 4.10.4
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.3...4.10.4)
+
+### Security Fixes
+- Strip out sessionToken when LiveQuery is used on Parse.User (Daniel Blyth) [GHSA-7pr3-p5fm-8r9x](https://github.com/parse-community/parse-server/security/advisories/GHSA-7pr3-p5fm-8r9x)
+
 ## 4.10.3
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.2...4.10.3)
 

README.md

@@ -115,7 +115,7 @@ Parse Server is continuously tested with the most recent releases of Node.js to
 | Version    | Latest Version | End-of-Life Date | Compatibility      |
 |------------|----------------|------------------|--------------------|
 | Node.js 12 | 12.22.6        | April 2022       | ✅ Fully compatible |
-| Node.js 14 | 14.17.6        | April 2023       | ✅ Fully compatible |
+| Node.js 14 | 14.18.0        | April 2023       | ✅ Fully compatible |
 | Node.js 16 | 16.9.0         | April 2024       | ✅ Fully compatible |
 
 #### MongoDB
@@ -124,9 +124,9 @@ Parse Server is continuously tested with the most recent releases of MongoDB to
 | Version     | Latest Version | End-of-Life Date | Compatibility      |
 |-------------|----------------|------------------|--------------------|
 | MongoDB 4.0 | 4.0.27         | April 2022       | ✅ Fully compatible |
-| MongoDB 4.2 | 4.2.16         | TBD              | ✅ Fully compatible |
-| MongoDB 4.4 | 4.4.8          | TBD              | ✅ Fully compatible |
-| MongoDB 5.0 | 5.0.2          | January 2024     | ✅ Fully compatible |
+| MongoDB 4.2 | 4.2.17         | TBD              | ✅ Fully compatible |
+| MongoDB 4.4 | 4.4.9          | TBD              | ✅ Fully compatible |
+| MongoDB 5.0 | 5.0.3          | January 2024     | ✅ Fully compatible |
 
 #### PostgreSQL
 Parse Server is continuously tested with the most recent releases of PostgreSQL and PostGIS to ensure compatibility, using [PostGIS docker images](https://registry.hub.docker.com/r/postgis/postgis/tags?page=1&ordering=last_updated). We follow the [PostgreSQL support schedule](https://www.postgresql.org/support/versioning) and [PostGIS support schedule](https://www.postgis.net/eol_policy/) and only test against versions that are officially supported and have not reached their end-of-life date. Due to the extensive PostgreSQL support duration of 5 years, Parse Server drops support if a version is older than 3.5 years and a newer version has been available for at least 2.5 years.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "4.10.3",
+  "version": "4.10.4",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -33,7 +33,7 @@
     "deepcopy": "2.1.0",
     "express": "4.17.1",
     "follow-redirects": "1.14.1",
-    "graphql": "15.5.1",
+    "graphql": "15.5.3",
     "graphql-list-fields": "2.0.2",
     "graphql-relay": "0.8.0",
     "graphql-tag": "2.12.5",
@@ -113,14 +113,14 @@
     "test:mongodb:testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=$npm_config_dbversion} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} TESTING=1 jasmine",
     "test:mongodb": "npm run test:mongodb:runnerstart --dbversion=$npm_config_dbversion && npm run test:mongodb:testonly --dbversion=$npm_config_dbversion",
     "test:mongodb:4.0.27": "npm run test:mongodb --dbversion=4.0.27",
-    "test:mongodb:4.2.16": "npm run test:mongodb --dbversion=4.2.16",
-    "test:mongodb:4.4.8": "npm run test:mongodb --dbversion=4.4.8",
+    "test:mongodb:4.2.17": "npm run test:mongodb --dbversion=4.2.17",
+    "test:mongodb:4.4.9": "npm run test:mongodb --dbversion=4.4.9",
     "posttest:mongodb": "mongodb-runner stop",
-    "pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.8} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} mongodb-runner start",
-    "testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.8} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} TESTING=1 jasmine",
+    "pretest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.9} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} mongodb-runner start",
+    "testonly": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.9} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} TESTING=1 jasmine",
     "test": "npm run testonly",
-    "posttest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.8} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} mongodb-runner stop",
-    "coverage": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.8} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} TESTING=1 nyc jasmine",
+    "posttest": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.9} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} mongodb-runner stop",
+    "coverage": "cross-env MONGODB_VERSION=${MONGODB_VERSION:=4.4.9} MONGODB_TOPOLOGY=${MONGODB_TOPOLOGY:=standalone} MONGODB_STORAGE_ENGINE=${MONGODB_STORAGE_ENGINE:=wiredTiger} TESTING=1 nyc jasmine",
     "start": "node ./bin/parse-server",
     "prettier": "prettier --write {src,spec}/{**/*,*}.js",
     "prepare": "npm run build",

package.json

@@ -840,6 +840,52 @@ describe('ParseLiveQuery', function () {
     done();
   });
 
+  it('should strip out session token in LiveQuery', async () => {
+    await reconfigureServer({
+      liveQuery: { classNames: ['_User'] },
+      startLiveQueryServer: true,
+      verbose: false,
+      silent: true,
+    });
+
+    const user = new Parse.User();
+    user.setUsername('username');
+    user.setPassword('password');
+    user.set('foo', 'bar');
+
+    const query = new Parse.Query(Parse.User);
+    query.equalTo('foo', 'bar');
+    const subscription = await query.subscribe();
+
+    const events = ['create', 'update', 'enter', 'leave', 'delete'];
+    const response = (obj, prev) => {
+      expect(obj.get('sessionToken')).toBeUndefined();
+      expect(obj.sessionToken).toBeUndefined();
+      expect(prev && prev.sessionToken).toBeUndefined();
+      if (prev && prev.get) {
+        expect(prev.get('sessionToken')).toBeUndefined();
+      }
+    };
+    const calls = {};
+    for (const key of events) {
+      calls[key] = response;
+      spyOn(calls, key).and.callThrough();
+      subscription.on(key, calls[key]);
+    }
+    await user.signUp();
+    user.unset('foo');
+    await user.save();
+    user.set('foo', 'bar');
+    await user.save();
+    user.set('yolo', 'bar');
+    await user.save();
+    await user.destroy();
+    await new Promise(resolve => process.nextTick(resolve));
+    for (const key of events) {
+      expect(calls[key]).toHaveBeenCalled();
+    }
+  });
+
   afterEach(async function (done) {
     const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
     client.close();

spec/ParseLiveQuery.spec.js

@@ -3966,6 +3966,54 @@ describe('Parse.User testing', () => {
       ok(model._isLinked('facebook'), 'User should be linked to facebook');
     });
   });
+
+  it('should strip out authdata in LiveQuery', async () => {
+    const provider = getMockFacebookProvider();
+    Parse.User._registerAuthenticationProvider(provider);
+
+    await reconfigureServer({
+      liveQuery: { classNames: ['_User'] },
+      startLiveQueryServer: true,
+      verbose: false,
+      silent: true,
+    });
+
+    const query = new Parse.Query(Parse.User);
+    query.doesNotExist('foo');
+    const subscription = await query.subscribe();
+
+    const events = ['create', 'update', 'enter', 'leave', 'delete'];
+    const response = (obj, prev) => {
+      expect(obj.get('authData')).toBeUndefined();
+      expect(obj.authData).toBeUndefined();
+      expect(prev && prev.authData).toBeUndefined();
+      if (prev && prev.get) {
+        expect(prev.get('authData')).toBeUndefined();
+      }
+    };
+    const calls = {};
+    for (const key of events) {
+      calls[key] = response;
+      spyOn(calls, key).and.callThrough();
+      subscription.on(key, calls[key]);
+    }
+    const user = await Parse.User._logInWith('facebook');
+
+    user.set('foo', 'bar');
+    await user.save();
+    user.unset('foo');
+    await user.save();
+    user.set('yolo', 'bar');
+    await user.save();
+    await user.destroy();
+    await new Promise(resolve => process.nextTick(resolve));
+    for (const key of events) {
+      expect(calls[key]).toHaveBeenCalled();
+    }
+    const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
+    client.close();
+    await new Promise(resolve => process.nextTick(resolve));
+  });
 });
 
 describe('Security Advisory GHSA-8w3j-g983-8jh5', function () {

spec/ParseUser.spec.js

@@ -186,6 +186,14 @@ class ParseLiveQueryServer {
               deletedParseObject = res.object.toJSON();
               deletedParseObject.className = className;
             }
+            if (
+              (deletedParseObject.className === '_User' ||
+                deletedParseObject.className === '_Session') &&
+              !client.hasMasterKey
+            ) {
+              delete deletedParseObject.sessionToken;
+              delete deletedParseObject.authData;
+            }
             client.pushDelete(requestId, deletedParseObject);
           } catch (error) {
             Client.pushError(
@@ -337,6 +345,16 @@ class ParseLiveQueryServer {
               originalParseObject = res.original.toJSON();
               originalParseObject.className = res.original.className || className;
             }
+            if (
+              (currentParseObject.className === '_User' ||
+                currentParseObject.className === '_Session') &&
+              !client.hasMasterKey
+            ) {
+              delete currentParseObject.sessionToken;
+              delete originalParseObject?.sessionToken;
+              delete currentParseObject.authData;
+              delete originalParseObject?.authData;
+            }
             const functionName = 'push' + res.event.charAt(0).toUpperCase() + res.event.slice(1);
             if (client[functionName]) {
               client[functionName](requestId, currentParseObject, originalParseObject);