Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4bTIteGoycS1xZ3Bq

receiving subscription objects with deleted session

Original Message:
Hi,

I create objects with one client with an ACL of all users with a specific column value. Thats working so far.

Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them.
The client with the deleted session cant create new objects, which Parse restricts right.

The LiveQueryServer doesnt detect deleted sessions after the websocket connection was established.
There should be a mechanism that checks in an specific interval if the session exists.
I dont know if its true with expired sessions.

Any solutions?

Parse version: 4.3.0
Parse js SDK version: 2.17

Solution:
Hi guys.

I've found and fixed the problem. It happens because there are two caches in place for the session token:

at Parse Server level, which, according with the docs, should be changed via cacheTTL option and defaults to 5 seconds;
at Parse Live Query level, which, according with the docs, should be changed via liveQueryServerOptions.cacheTimeout and defaults to 30 days.

But there are three problems:

cacheTTL has currently no effect over Live Query Server;
cacheTimeout also has currently no effect over Live Query Server;
cacheTimeout actually defaults to 1h.

So, currently, if you wait 1 hour after the session token was invalidated, the clients using the old session token are not able to receive the events.

What I did:

Added a test case for the problem;
Fixed cacheTTL for Live Query Server;
Fixed cacheTimeout for Live Query Server;
Changed the cacheTimeout to default 5s;
Changed the docs to reflect the actual 5s default for cacheTimeout.

Permalink: https://github.com/advisories/GHSA-2xm2-xj2q-qgpj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ4bTIteGoycS1xZ3Bq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-2xm2-xj2q-qgpj, CVE-2020-15270
References:

Repository: https://github.com/parse-community/parse-server
Blast Radius: 13.3

Affected Packages

npm:parse-server

Dependent packages: 122
Dependent repositories: 1,211
Downloads: 114,580 last month
Affected Version Ranges: < 4.4.0
Fixed in: 4.4.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24, 2.2.25, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.1, 3.2.3, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 4.0.2, 4.1.0, 4.2.0, 4.3.0
All unaffected versions: 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.10.9, 4.10.10, 4.10.11, 4.10.12, 4.10.13, 4.10.14, 4.10.15, 4.10.16, 4.10.17, 4.10.18, 4.10.19, 4.10.20, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.5.11, 7.0.0, 7.1.0, 7.2.0, 7.3.0