
CLP objectId size validation fix #6332


Merged
merged 5 commits into from
Jan 14, 2020
Merged
43 changes: 35 additions & 8 deletions spec/PointerPermissions.spec.js
Expand Up @@ -399,7 +399,7 @@ describe('Pointer Permissions', () => {
});
});

it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (of wrong type)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand All @@ -426,7 +426,34 @@ describe('Pointer Permissions', () => {
});
});

it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (non-user pointer)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
.then(schema => {
return schema.addClassIfNotExists(
'AnObject',
{ owner: { type: 'Pointer', targetClass: '_Session' } },
{
create: {},
writeUserFields: ['owner'],
readUserFields: ['owner'],
}
);
})
.then(() => {
fail('should not succeed');
})
.catch(err => {
expect(err.code).toBe(107);
expect(err.message).toBe(
"'owner' is not a valid column for class level pointer permissions writeUserFields"
);
done();
});
});

it('should prevent creating pointer permission on bad field (non-existing)', done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owner', 'value');
Expand Down Expand Up @@ -984,7 +1011,7 @@ describe('Pointer Permissions', () => {
);
});

it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (not array)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand All @@ -1002,7 +1029,7 @@ describe('Pointer Permissions', () => {
});
});

it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (non-existing field)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand Down Expand Up @@ -1398,7 +1425,7 @@ describe('Pointer Permissions', () => {
}
});

it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (of wrong type)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
Expand All @@ -1421,7 +1448,7 @@ describe('Pointer Permissions', () => {
}
});

it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (non-existing)', async done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owners', 'value');
Expand Down Expand Up @@ -1955,7 +1982,7 @@ describe('Pointer Permissions', () => {
}
});

it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (not array)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
Expand All @@ -1971,7 +1998,7 @@ describe('Pointer Permissions', () => {
}
});

it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (non-existing field)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
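Review bot: The new case at line 52 asserts the exact error text for `writeUserFields`, although the same invalid `owner` column is also listed in `readUserFields`, so the assertion silently pins the order in which the server validates the two lists. If that order is not part of the contract, matching with `expect(err.message).toContain("'owner' is not a valid column for class level pointer permissions")` or adding a second case that sets only `readUserFields` would make the test robust to a reordering. The neighbouring cases at lines 106 and 115 use the file's newer async/await style, which the added test could follow instead of the promise chain. The describe block continues outside the hunk.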
16 changes: 2 additions & 14 deletions spec/Schema.spec.js
Expand Up @@ -1665,7 +1665,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});

it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test get not authenitcated', done => {
'authenticated' — search the file, as this typo appears in other places too.

config.database
.loadSchema()
.then(schema => {
Expand All @@ -1677,12 +1677,6 @@ describe('Class Level Permissions for requiredAuth', () => {
get: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},
Expand Down Expand Up @@ -1710,7 +1704,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});

it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test find not authenitcated', done => {
config.database
.loadSchema()
.then(schema => {
Expand All @@ -1722,12 +1716,6 @@ describe('Class Level Permissions for requiredAuth', () => {
find: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},
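Review bot: Splitting the combined create/get/update/delete case into a get-only case (line 145) and a find-only case (line 176) drops the `delete` and `update` `requiresAuthentication` entries from both schemas, so unless another spec still covers them, an unauthenticated update or delete being rejected under `requiresAuthentication` is no longer exercised by this file. If that coverage moved elsewhere, a one-line comment on each case such as `// update/delete requiresAuthentication is covered in <spec-name placeholder>` would help the next reader; otherwise a third case for update/delete should be kept. The bodies of both tests continue outside the hunk.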
80 changes: 64 additions & 16 deletions spec/schemas.spec.js
Expand Up @@ -1835,46 +1835,94 @@ describe('schemas', () => {
});
});

it('should throw with invalid userId (>10 chars)', done => {
request({
it('should aceept class-level permission with userid of any length', async done => {
await global.reconfigureServer({
customIdSize: 11,
});

const id = 'e1evenChars';

const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
'1234567890A': true,
[id]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'1234567890A' is not a valid key for class level permissions"
);
done();
});

expect(data.classLevelPermissions.find[id]).toBe(true);

done();
});

it('should throw with invalid userId (<10 chars)', done => {
request({
it('should allow set class-level permission for custom userid of any length and chars', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});

const symbolsId = 'set:ID+symbol$=@llowed';
const shortId = '1';
const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
a12345678: true,
[symbolsId]: true,
[shortId]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'a12345678' is not a valid key for class level permissions"
);
done();
});

expect(data.classLevelPermissions.find[symbolsId]).toBe(true);
expect(data.classLevelPermissions.find[shortId]).toBe(true);

done();
});

it('should allow set ACL for custom userid', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});

const symbolsId = 'symbols:id@allowed=';
const shortId = '1';
const normalId = 'tensymbols';

const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/classes/AClass',
headers: masterKeyHeaders,
json: true,
body: {
ACL: {
[symbolsId]: { read: true, write: true },
[shortId]: { read: true, write: true },
[normalId]: { read: true, write: true },
},
},
});

const { data: created } = await request({
method: 'GET',
url: `http://localhost:8378/1/classes/AClass/${data.objectId}`,
headers: masterKeyHeaders,
json: true,
});

expect(created.ACL[normalId].write).toBe(true);
expect(created.ACL[symbolsId].write).toBe(true);
expect(created.ACL[shortId].write).toBe(true);
done();
});

it('should throw with invalid userId (invalid char)', done => {
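Review bot: The deleted negative cases for keys longer or shorter than 10 characters are not replaced by a negative case for the new limit: with `customIdSize: 11` the case at line 202 only shows that an 11-character key is accepted, so nothing pins that a 12-character key is still rejected, if that is the intended behaviour. A companion case posting a constructed 12-character key such as `'twe1veCharss'` under the same `customIdSize: 11` and expecting the `is not a valid key for class level permissions` error would close that gap. The title at line 202 also has a typo, `aceept` → `accept`. The `reconfigureServer` calls change global server state; presumably a beforeEach resets it — worth confirming, since the remaining `(invalid char)` case at line 306 runs after the `allowCustomObjectId: true` cases.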