fix: Improve PostgreSQL injection detection; fixes security vulnerability [GHSA-6927-3vr9-fxf2](GHSA-6927-3vr9-fxf2) which affects Parse Server deployments using a Postgres database (#8960)

mtrezza · web-flow · commit a6e654943536 · 2024-03-01T16:51:02.000+01:00
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -459,3 +459,28 @@ describe('Vulnerabilities', () => {
     });
   });
 });
+
+describe('Postgres regex sanitizater', () => {
+  it('sanitizes the regex correctly to prevent Injection', async () => {
+    const user = new Parse.User();
+    user.set('username', 'username');
+    user.set('password', 'password');
+    user.set('email', 'email@example.com');
+    await user.signUp();
+
+    const response = await request({
+      method: 'GET',
+      url:
+        "http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--",
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.data.results).toEqual(jasmine.any(Array));
+    expect(response.data.results.length).toBe(0);
+  });
+});
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) {
     .replace(/([^\\])(\\Q)/, '$1')
     .replace(/^\\E/, '')
     .replace(/^\\Q/, '')
-    .replace(/([^'])'/, `$1''`)
+    .replace(/([^'])'/g, `$1''`)
     .replace(/^'([^'])/, `''$1`);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) {`
`2656`	`2656`	`.replace(/([^\\])(\\Q)/, '$1')`
`2657`	`2657`	`.replace(/^\\E/, '')`
`2658`	`2658`	`.replace(/^\\Q/, '')`
`2659`		- .replace(/([^'])'/, `$1''`)
	`2659`	+ .replace(/([^'])'/g, `$1''`)
`2660`	`2660`	.replace(/^'([^'])/, `''$1`);
`2661`	`2661`	`}`
`2662`	`2662`