
Commit b29cf4b

committed
security check
1 parent 7ca29fc commit b29cf4b

2 files changed

Lines changed: 21 additions & 0 deletions

File tree

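--- a/spec/SecurityCheckGroups.spec.js
+++ b/spec/SecurityCheckGroups.spec.js
@@ -34,6 +34,8 @@ describe('Security Check Groups', () => {
 config.allowClientClassCreation = false;
 config.enableInsecureAuthAdapters = false;
 config.graphQLPublicIntrospection = false;
+config.databaseAdapter = undefined;
+config.databaseOptions = { allowPublicExplain: false };
 await reconfigureServer(config);
 
 const group = new CheckGroupServerConfig();
@@ -43,13 +45,16 @@ describe('Security Check Groups', () => {
 expect(group.checks()[2].checkState()).toBe(CheckState.success);
 expect(group.checks()[4].checkState()).toBe(CheckState.success);
 expect(group.checks()[5].checkState()).toBe(CheckState.success);
+expect(group.checks()[6].checkState()).toBe(CheckState.success);
 });
 
 it('checks fail correctly', async () => {
 config.masterKey = 'insecure';
 config.security.enableCheckLog = true;
 config.allowClientClassCreation = true;
 config.graphQLPublicIntrospection = true;
+config.databaseAdapter = undefined;
+config.databaseOptions = { allowPublicExplain: true };
 await reconfigureServer(config);
 
 const group = new CheckGroupServerConfig();
@@ -59,6 +64,7 @@ describe('Security Check Groups', () => {
 expect(group.checks()[2].checkState()).toBe(CheckState.fail);
 expect(group.checks()[4].checkState()).toBe(CheckState.fail);
 expect(group.checks()[5].checkState()).toBe(CheckState.fail);
+expect(group.checks()[6].checkState()).toBe(CheckState.fail);
 });
 });
 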
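Review bot: Neither spec case exercises the unset branch of the new check: both set `config.databaseOptions` explicitly, while the check in src/Security/CheckGroups/CheckGroupServerConfig.js also fails when `allowPublicExplain` is null or undefined, so a configuration that simply omits the option is untested. A third case that sets `config.databaseOptions = {}` (constructed example) and asserts `group.checks()[6].checkState()` is `CheckState.fail` would pin that behaviour. The reason for `config.databaseAdapter = undefined;` at new lines 37 and 56 is not stated; presumably it makes `reconfigureServer` build a fresh adapter from `databaseOptions`, which deserves a short comment such as `// reset the adapter so databaseOptions take effect on reconfigure`. Both `it` blocks begin or end outside the hunks.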
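--- a/src/Security/CheckGroups/CheckGroupServerConfig.js
+++ b/src/Security/CheckGroups/CheckGroupServerConfig.js
@@ -90,6 +90,21 @@ class CheckGroupServerConfig extends CheckGroup {
 }
 },
 }),
+new Check({
+title: 'Public database explain disabled',
+warning:
+'Database explain queries are publicly accessible, which may expose sensitive database performance information and schema details.',
+solution:
+"Change Parse Server configuration to 'databaseOptions.allowPublicExplain: false'. You will need to use master key to run explain queries.",
+check: () => {
+if (
+config.databaseOptions?.allowPublicExplain === true ||
+config.databaseOptions?.allowPublicExplain == null
+) {
+throw 1;
+}
+},
+}),
 ];
 }
 }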
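Review bot: The new check at new lines 100-105 fails not only when `databaseOptions.allowPublicExplain` is `true` but also when it is unset, and nothing in the hunk records whether that mirrors the server's default for the option; if the server defaults it to `false`, every deployment that never set it would be reported as failing. The intent should be stated above the `if`, e.g. `// An absent option is treated as insecure; keep this in step with the server default for databaseOptions.allowPublicExplain`. `throw 1` signals failure with a non-Error value; if the neighbouring checks use the same convention this is consistent, otherwise `throw new Error('public database explain is enabled')` would be preferable. The checks array and the method that builds it begin outside the hunk.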
