fix: Pre-authentication denial of service via client version header regex backtracking ([GHSA-38m6-82c8-4xfm](GHSA-38m6-82c8-4xfm)) (#10463)

Author: mtrezza

spec/ClientSDK.spec.js

@@ -113,7 +113,6 @@ describe('middlewares', () => {
   });
 
   const BodyParams = {
-    clientVersion: '_ClientVersion',
     installationId: '_InstallationId',
     sessionToken: '_SessionToken',
     masterKey: '_MasterKey',
@@ -468,12 +467,6 @@ describe('middlewares', () => {
       expect(fakeRes.status).toHaveBeenCalledWith(403);
     });
 
-    it('should reject non-string _ClientVersion in body', async () => {
-      fakeReq.body._ClientVersion = { toLowerCase: 'evil' };
-      await middlewares.handleParseHeaders(fakeReq, fakeRes);
-      expect(fakeRes.status).toHaveBeenCalledWith(403);
-    });
-
     it('should reject non-string _InstallationId in body', async () => {
       fakeReq.body._InstallationId = { toString: 'evil' };
       await middlewares.handleParseHeaders(fakeReq, fakeRes);
@@ -502,7 +495,6 @@ describe('middlewares', () => {
       // Each request should be handled independently without affecting server stability.
       const payloads = [
         { _SessionToken: { toString: 'evil' } },
-        { _ClientVersion: { toLowerCase: 'evil' } },
         { _InstallationId: [1, 2, 3] },
         { _ContentType: { toString: 'evil' } },
       ];
@@ -539,12 +531,10 @@ describe('middlewares', () => {
 
     it('should still accept valid string body fields', done => {
       fakeReq.body._SessionToken = 'r:validtoken';
-      fakeReq.body._ClientVersion = 'js1.0.0';
       fakeReq.body._InstallationId = 'install123';
       fakeReq.body._ContentType = 'application/json';
       middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
         expect(fakeReq.info.sessionToken).toEqual('r:validtoken');
-        expect(fakeReq.info.clientVersion).toEqual('js1.0.0');
         expect(fakeReq.info.installationId).toEqual('install123');
         expect(fakeReq.headers['content-type']).toEqual('application/json');
         done();

spec/Middlewares.spec.js

@@ -5885,4 +5885,102 @@ describe('Vulnerabilities', () => {
       expect(meResponse.data.sessionToken).toBe(sessionToken);
     });
   });
+
+  describe('(GHSA-38m6-82c8-4xfm) Pre-auth polynomial ReDoS via client version parsing', () => {
+    const middlewares = require('../lib/middlewares');
+    const AppCache = require('../lib/cache').AppCache;
+
+    const AppCachePut = (appId, config) =>
+      AppCache.put(appId, {
+        ...config,
+        maintenanceKeyIpsStore: new Map(),
+        masterKeyIpsStore: new Map(),
+        readOnlyMasterKeyIpsStore: new Map(),
+      });
+
+    const buildFakeReq = ({ headers = {}, body = {} } = {}) => {
+      const req = {
+        ip: '127.0.0.1',
+        originalUrl: 'http://example.com/parse/',
+        url: 'http://example.com/',
+        body: { _ApplicationId: 'FakeAppId', ...body },
+        headers,
+        get: key => req.headers[key.toLowerCase()],
+      };
+      return req;
+    };
+
+    beforeEach(() => {
+      AppCachePut('FakeAppId', {
+        masterKeyIps: ['0.0.0.0/0'],
+      });
+    });
+
+    afterEach(() => {
+      AppCache.del('FakeAppId');
+    });
+
+    it('does not capture client version from X-Parse-Client-Version header into req.info', async () => {
+      const req = buildFakeReq({ headers: { 'x-parse-client-version': 'js5.0.0' } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+
+    it('does not capture client version from _ClientVersion body field into req.info', async () => {
+      const req = buildFakeReq({ body: { _ClientVersion: 'js5.0.0' } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+      expect(req.body._ClientVersion).toBeUndefined();
+    });
+
+    it('does not invoke any regex on adversarial X-Parse-Client-Version header (16 KB of dashes)', async () => {
+      const adversarial = '-'.repeat(16000);
+      const req = buildFakeReq({ headers: { 'x-parse-client-version': adversarial } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      await middlewares.handleParseHeaders(req, res, () => {});
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+
+    it('does not invoke any regex on adversarial _ClientVersion body field (200 KB of dashes)', async () => {
+      const adversarial = '-'.repeat(200000);
+      const req = buildFakeReq({ body: { _ClientVersion: adversarial } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      const t0 = process.hrtime.bigint();
+      await middlewares.handleParseHeaders(req, res, () => {});
+      const elapsedMs = Number(process.hrtime.bigint() - t0) / 1e6;
+      expect(elapsedMs).toBeLessThan(3000);
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+      expect(req.body._ClientVersion).toBeUndefined();
+    });
+
+    it('strips _ClientVersion from req.body even when value is non-string (no rejection, no capture)', async () => {
+      const req = buildFakeReq({ body: { _ClientVersion: { toLowerCase: 'evil' } } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.body._ClientVersion).toBeUndefined();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+  });
 });

spec/vulnerabilities.spec.js

@@ -5,18 +5,15 @@ const createObject = async (className, fields, config, auth, info) => {
     fields = {};
   }
 
-  return (await rest.create(config, auth, className, fields, info.clientSDK, info.context))
-    .response;
+  return (await rest.create(config, auth, className, fields, info.context)).response;
 };
 
 const updateObject = async (className, objectId, fields, config, auth, info) => {
   if (!fields) {
     fields = {};
   }
 
-  return (
-    await rest.update(config, auth, className, { objectId }, fields, info.clientSDK, info.context)
-  ).response;
+  return (await rest.update(config, auth, className, { objectId }, fields, info.context)).response;
 };
 
 const deleteObject = async (className, objectId, config, auth, info) => {

src/ClientSDK.js

@@ -69,7 +69,6 @@ const getObject = async (
     className,
     objectId,
     options,
-    info.clientSDK,
     info.context
   );
 
@@ -131,9 +130,8 @@ const findObjects = async (
     if (Object.keys(where).length > 0 && subqueryReadPreference) {
       preCountOptions.subqueryReadPreference = subqueryReadPreference;
     }
-    preCount = (
-      await rest.find(config, auth, className, where, preCountOptions, info.clientSDK, info.context)
-    ).count;
+    preCount = (await rest.find(config, auth, className, where, preCountOptions, info.context))
+      .count;
     if ((skip || 0) + limit < preCount) {
       skip = preCount - limit;
     }
@@ -199,7 +197,6 @@ const findObjects = async (
       className,
       where,
       options,
-      info.clientSDK,
       info.context
     );
     results = findResult.results;

src/GraphQL/helpers/objectsMutations.js

@@ -59,7 +59,6 @@ const getUserFromSessionToken = async (context, queryInfo, keysPrefix, userId) =
     // Get the user it self from auth object
     { objectId: context.auth.user.id },
     options,
-    info.clientVersion,
     info.context
   );
   if (!response.results || response.results.length == 0) {

src/GraphQL/helpers/objectsQueries.js

@@ -31,7 +31,6 @@ const { createSanitizedError } = require('./Error');
  * @param options.className {string} The name of the class to query
  * @param options.restWhere {object} The where object for the query
  * @param options.restOptions {object} The options object for the query
- * @param options.clientSDK {string} The client SDK that is performing the query
  * @param options.runAfterFind {boolean} Whether to run the afterFind trigger
  * @param options.runBeforeFind {boolean} Whether to run the beforeFind trigger
  * @param options.context {object} The context object for the query
@@ -44,7 +43,6 @@ async function RestQuery({
   className,
   restWhere = {},
   restOptions = {},
-  clientSDK,
   runAfterFind = true,
   runBeforeFind = true,
   context,
@@ -73,7 +71,6 @@ async function RestQuery({
     className,
     result.restWhere || restWhere,
     result.restOptions || restOptions,
-    clientSDK,
     runAfterFind,
     context,
     isGet
@@ -93,7 +90,6 @@ RestQuery.Method = Object.freeze({
  * @param className
  * @param restWhere
  * @param restOptions
- * @param clientSDK
  * @param runAfterFind
  * @param context
  */
@@ -103,7 +99,6 @@ function _UnsafeRestQuery(
   className,
   restWhere = {},
   restOptions = {},
-  clientSDK,
   runAfterFind = true,
   context,
   isGet
@@ -113,7 +108,6 @@ function _UnsafeRestQuery(
   this.className = className;
   this.restWhere = restWhere;
   this.restOptions = restOptions;
-  this.clientSDK = clientSDK;
   this.runAfterFind = runAfterFind;
   this.response = null;
   this.findOptions = {};
@@ -322,7 +316,7 @@ _UnsafeRestQuery.prototype.execute = function (executeOptions) {
 };
 
 _UnsafeRestQuery.prototype.each = function (callback) {
-  const { config, auth, className, restWhere, restOptions, clientSDK } = this;
+  const { config, auth, className, restWhere, restOptions } = this;
   // if the limit is set, use it
   restOptions.limit = restOptions.limit || 100;
   restOptions.order = 'objectId';
@@ -341,7 +335,6 @@ _UnsafeRestQuery.prototype.each = function (callback) {
         className,
         restWhere,
         restOptions,
-        clientSDK,
         this.runAfterFind,
         this.context
       );