Skip to content

fix: Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) #10219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mtrezza merged 3 commits into from
Mar 16, 2026
Merged

fix: Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) #10219

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
96c6670
fix: GHSA-wjqw-r9x4-j59v v9
mtrezza Mar 16, 2026
41d6355
fix: address review feedback
mtrezza Mar 16, 2026
3074910
test: add regression test for non-object authData provider validation
mtrezza Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions spec/vulnerabilities.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2934,6 +2934,85 @@ describe('(GHSA-fjxm-vhvc-gcmj) LiveQuery Operator Type Confusion', () => {
});
});

describe('(GHSA-wjqw-r9x4-j59v) Empty authData session issuance bypass', () => {
it('rejects signup with empty authData and no credentials', async () => {
await reconfigureServer({ enableAnonymousUsers: false });
await expectAsync(
request({
method: 'POST',
url: 'http://localhost:8378/1/users',
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
body: JSON.stringify({ authData: {} }),
})
).toBeRejected();
});

it('rejects signup with empty authData and no credentials when anonymous users enabled', async () => {
await reconfigureServer({ enableAnonymousUsers: true });
await expectAsync(
request({
method: 'POST',
url: 'http://localhost:8378/1/users',
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
body: JSON.stringify({ authData: {} }),
})
).toBeRejected();
});

it('rejects signup with authData containing only empty provider data and no credentials', async () => {
await expectAsync(
request({
method: 'POST',
url: 'http://localhost:8378/1/users',
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
body: JSON.stringify({ authData: { bogus: {} } }),
})
).toBeRejected();
});

it('rejects signup with authData containing null provider data and no credentials', async () => {
await expectAsync(
request({
method: 'POST',
url: 'http://localhost:8378/1/users',
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
body: JSON.stringify({ authData: { bogus: null } }),
})
).toBeRejected();
});

it('allows signup with empty authData when username and password are provided', async () => {
const res = await request({
method: 'POST',
url: 'http://localhost:8378/1/users',
headers: {
'Content-Type': 'application/json',
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest',
},
body: JSON.stringify({ username: 'emptyauth', password: 'pass1234', authData: {} }),
});
expect(res.data.objectId).toBeDefined();
expect(res.data.sessionToken).toBeDefined();
});
});

describe('(GHSA-r3xq-68wh-gwvh) Password reset single-use token bypass via concurrent requests', () => {
let sendPasswordResetEmail;

Expand Down
10 changes: 8 additions & 2 deletions src/RestWrite.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -452,8 +452,14 @@ RestWrite.prototype.validateAuthData = function () {
const authData = this.data.authData;
const hasUsernameAndPassword =
typeof this.data.username === 'string' && typeof this.data.password === 'string';
const hasAuthData =
authData &&
Object.keys(authData).some(provider => {
const providerData = authData[provider];
return providerData && typeof providerData === 'object' && Object.keys(providerData).length;
});

if (!this.query && !authData) {
if (!this.query && !hasAuthData) {
if (typeof this.data.username !== 'string' || _.isEmpty(this.data.username)) {
throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'bad or missing username');
}
Expand All @@ -463,7 +469,7 @@ RestWrite.prototype.validateAuthData = function () {
}

if (
(authData && !Object.keys(authData).length) ||
!hasAuthData ||
!Object.prototype.hasOwnProperty.call(this.data, 'authData')
) {
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
// Nothing to validate here
Expand Down
Loading