move to SecurityChecks

Author: dblythy

spec/ParseServer.Security.spec.js

@@ -47,7 +47,6 @@ describe('SecurityChecks', () => {
     request(options).then(res => {
       expect(res.data.CLP).not.toBeUndefined();
       expect(res.data.ServerConfiguration).not.toBeUndefined();
-      expect(res.data.Files).not.toBeUndefined();
       expect(res.data.Database).not.toBeUndefined();
       expect(res.data.Total).not.toBeUndefined();
       done();

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -18,7 +18,6 @@ import Parse from 'parse/node';
 import _ from 'lodash';
 import defaults from '../../../defaults';
 import logger from '../../../logger';
-import url from 'url';
 
 // @flow-disable-next
 const mongodb = require('mongodb');
@@ -132,7 +131,6 @@ export class MongoStorageAdapter implements StorageAdapter {
     this._maxTimeMS = mongoOptions.maxTimeMS;
     this.canSortOnJoinTables = true;
     delete mongoOptions.maxTimeMS;
-    registerSecurityChecks(this);
   }
 
   connect() {
@@ -1059,61 +1057,4 @@ export class MongoStorageAdapter implements StorageAdapter {
     });
   }
 }
-const registerSecurityChecks = database => {
-  let databaseURI = database._uri;
-  const databaseCheck = new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.Database,
-    title: `Weak Database Password`,
-    warning:
-      'The database password set lacks complexity and length. This could potentially allow an attacker to brute force their way into the database, exposing the database.',
-    success: `Strong Database Password`,
-  });
-  if (databaseURI.includes('@')) {
-    databaseURI = `mongodb://${databaseURI.split('@')[1]}`;
-    const pwd = database._uri.split('//')[1].split('@')[0].split(':')[1] || '';
-    if (!pwd.match('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*])(?=.{14,})')) {
-      databaseCheck.setFailed();
-    }
-  } else {
-    databaseCheck.setFailed();
-  }
-  let databaseAdmin = '' + databaseURI;
-  try {
-    const parsedURI = url.parse(databaseAdmin);
-    parsedURI.port = '27017';
-    databaseAdmin = url.format(parsedURI);
-  } catch (e) {
-    /* */
-  }
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.Database,
-    title: `Unrestricted access to port 27017`,
-    warning:
-      'The database requires no authentication to the admin port. This could potentially allow an attacker to easily access the database, exposing all of the database.',
-    success: `Restricted port 27017`,
-    check: async () => {
-      try {
-        await MongoClient.connect(databaseAdmin.toString(), { useNewUrlParser: true });
-        return false;
-      } catch (e) {
-        console.log(e);
-      }
-    },
-  });
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.Database,
-    title: `Unrestricted access to the database`,
-    warning:
-      'The database requires no authentication to connect. This could potentially allow an attacker to easily access the database, exposing all of the database.',
-    success: `Restricted access to the database`,
-    check: async () => {
-      try {
-        await MongoClient.connect(databaseURI, { useNewUrlParser: true });
-        return false;
-      } catch (e) {
-        console.log(e);
-      }
-    },
-  });
-};
 export default MongoStorageAdapter;

src/ParseServer.js

@@ -42,7 +42,7 @@ import { ParseServerRESTController } from './ParseServerRESTController';
 import * as controllers from './Controllers';
 import { ParseGraphQLServer } from './GraphQL/ParseGraphQLServer';
 import SecurityCheck from './SecurityCheck';
-import { registerServerSecurityChecks } from './ParseServerSecurityChecks';
+import { registerServerSecurityChecks } from './SecurityChecks';
 
 // Mutate the Parse object to add the Cloud Code handlers
 addParseCloud();
@@ -394,7 +394,6 @@ class ParseServer {
 function addParseCloud() {
   const ParseCloud = require('./cloud-code/Parse.Cloud');
   Object.assign(Parse.Cloud, ParseCloud);
-  Parse.SecurityCheck = SecurityCheck;
   global.Parse = Parse;
 }
 

src/Routers/CloudCodeRouter.js

@@ -1,6 +1,7 @@
 import PromiseRouter from '../PromiseRouter';
 import Parse from 'parse/node';
 import rest from '../rest';
+import SecurityCheck from '../SecurityCheck';
 const triggers = require('../triggers');
 const middleware = require('../middlewares');
 
@@ -131,7 +132,7 @@ export class CloudCodeRouter extends PromiseRouter {
     if (!req.config.securityChecks || !req.config.securityChecks.enableSecurityChecks) {
       throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Unauthorized');
     }
-    const response = await Parse.SecurityCheck.getChecks();
+    const response = await SecurityCheck.getChecks();
     return {
       response,
     };

src/SecurityCheck.js

@@ -1,4 +1,3 @@
-import { _registerCheck, _getChecks } from './SecurityCheckStore';
 import logger from './logger';
 class SecurityCheck {
   constructor(data) {
@@ -8,7 +7,7 @@ class SecurityCheck {
         throw 'Security checks must have a group, title, and a warning.';
       }
       if (typeof group !== 'string') {
-        throw '"group" of the security check must be a string, e.g Parse.SecurityCheck.Category.Database';
+        throw '"group" of the security check must be a string, e.g SecurityCheck.Category.Database';
       }
       if (typeof success !== 'string') {
         throw '"success" message of the security check must be a string.';
@@ -68,7 +67,6 @@ SecurityCheck.Category = {
   ServerConfiguration: 'ServerConfiguration',
 };
 SecurityCheck.getChecks = async () => {
-  const checks = _getChecks();
   const resultsByGroup = {};
   let total = 0;
   const resolveSecurityCheck = async check => {
@@ -87,8 +85,18 @@ SecurityCheck.getChecks = async () => {
       total++;
     }
   };
-  await Promise.all(checks.map(check => resolveSecurityCheck(check)));
+  await Promise.all(securityCheckStore.map(check => resolveSecurityCheck(check)));
   resultsByGroup.Total = total;
   return resultsByGroup;
 };
+const securityCheckStore = [];
+function _registerCheck(securityCheck) {
+  for (const [i, check] of securityCheckStore.entries()) {
+    if (check.title == securityCheck.title && check.warning == securityCheck.warning) {
+      securityCheckStore[i] = securityCheck;
+      return;
+    }
+  }
+  securityCheckStore.push(securityCheck);
+}
 module.exports = SecurityCheck;

src/SecurityCheckStore.js

@@ -1,16 +1,16 @@
-import Parse from 'parse/node';
+import SecurityCheck from './SecurityCheck';
 import url from 'url';
-const registerServerSecurityChecks = async req => {
-  const options = req.config || req;
-  await Promise.all([registerCLP(options), checkServerConfig(options), checkFiles(options)]);
-};
-async function registerCLP(options) {
+const ServerChecks = {};
+const mongodb = require('mongodb');
+const MongoClient = mongodb.MongoClient;
+
+ServerChecks.registerCLP = async options => {
   const schema = await options.databaseController.loadSchema();
   const all = await schema.getAllClasses();
   for (const field of all) {
     const { className, clp } = field;
-    const clpCheck = new Parse.SecurityCheck({
-      group: Parse.SecurityCheck.Category.CLP,
+    const clpCheck = new SecurityCheck({
+      group: SecurityCheck.Category.CLP,
       title: `No Class Level Permissions on ${className}`,
       warning: `Any client can create, find, count, get, update, delete, or add field on ${className}. This allows an attacker to create new objects or fieldNames without restriction and potentially flood the database. Set CLPs using Parse Dashboard.`,
       success: `Class Level Permissions on ${className}`,
@@ -25,14 +25,14 @@ async function registerCLP(options) {
       if (className === '_User' && key === 'create') {
         continue;
       }
-      const optionCheck = new Parse.SecurityCheck({
-        group: Parse.SecurityCheck.Category.CLP,
+      const optionCheck = new SecurityCheck({
+        group: SecurityCheck.Category.CLP,
         title: `Unrestricted access to ${key}.`,
         warning: `Any client can ${key} on ${className}.`,
         success: `${key} is restricted on ${className}`,
       });
-      const addFileCheck = new Parse.SecurityCheck({
-        group: Parse.SecurityCheck.Category.CLP,
+      const addFileCheck = new SecurityCheck({
+        group: SecurityCheck.Category.CLP,
         title: `Certain users can add fields.`,
         warning: `Certain users can add fields on ${className}. This allows these users to create new fieldNames and potentially flood the schema. Set CLPs using Parse Dashboard.`,
         success: `AddField is restricted on ${className}`,
@@ -44,10 +44,10 @@ async function registerCLP(options) {
       }
     }
   }
-}
-function checkServerConfig(options) {
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.ServerConfiguration,
+};
+ServerChecks.checkServerConfig = async options => {
+  new SecurityCheck({
+    group: SecurityCheck.Category.ServerConfiguration,
     title: 'Client class creation allowed',
     warning:
       'Clients are currently allowed to create new classes. This allows an attacker to create new classes without restriction and potentially flood the database. Change the Parse Server configuration to allowClientClassCreation: false.',
@@ -56,8 +56,8 @@ function checkServerConfig(options) {
       return !options.allowClientClassCreation;
     },
   });
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.ServerConfiguration,
+  new SecurityCheck({
+    group: SecurityCheck.Category.ServerConfiguration,
     title: 'Weak masterKey.',
     warning:
       'The masterKey set to your configuration lacks complexity and length. This could potentially allow an attacker to brute force the masterKey, exposing all the entire Parse Server.',
@@ -76,8 +76,8 @@ function checkServerConfig(options) {
   } catch (e) {
     /* */
   }
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.ServerConfiguration,
+  new SecurityCheck({
+    group: SecurityCheck.Category.ServerConfiguration,
     title: `Parse Server served over HTTP`,
     warning:
       'The server url is currently HTTP. This allows an attacker to listen to all traffic in-between the server and the client. Change the Parse Server configuration serverURL to HTTPS.',
@@ -86,10 +86,10 @@ function checkServerConfig(options) {
       return https;
     },
   });
-}
-function checkFiles(options) {
-  new Parse.SecurityCheck({
-    group: Parse.SecurityCheck.Category.ServerConfiguration,
+};
+ServerChecks.checkFiles = options => {
+  new SecurityCheck({
+    group: SecurityCheck.Category.ServerConfiguration,
     title: `Public File Upload Enabled`,
     warning:
       'Public file upload is currently enabled. This allows a client to upload files without requiring login or authentication. Remove enableForPublic from fileUpload in the Parse Server configuration.',
@@ -98,7 +98,74 @@ function checkFiles(options) {
       return !(options.fileUpload && options.fileUpload.enableForPublic);
     },
   });
-}
+};
+ServerChecks.checkDatabase = options => {
+  let databaseURI = options.databaseURI;
+  if (options.databaseAdapter && options.databaseAdapter._uri) {
+    databaseURI = options.databaseAdapter._uri;
+  }
+  const databaseCheck = new SecurityCheck({
+    group: SecurityCheck.Category.Database,
+    title: `Weak Database Password`,
+    warning:
+      'The database password set lacks complexity and length. This could potentially allow an attacker to brute force their way into the database, exposing the database.',
+    success: `Strong Database Password`,
+  });
+  if (databaseURI.includes('@')) {
+    const copyURI = `${databaseURI}`;
+    databaseURI = `mongodb://${databaseURI.split('@')[1]}`;
+    const pwd = copyURI.split('//')[1].split('@')[0].split(':')[1] || '';
+    if (!pwd.match('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*])(?=.{14,})')) {
+      databaseCheck.setFailed();
+    }
+  } else {
+    databaseCheck.setFailed();
+  }
+  let databaseAdmin = '' + databaseURI;
+  try {
+    const parsedURI = url.parse(databaseAdmin);
+    parsedURI.port = '27017';
+    databaseAdmin = url.format(parsedURI);
+  } catch (e) {
+    /* */
+  }
+  new SecurityCheck({
+    group: SecurityCheck.Category.Database,
+    title: `Unrestricted access to port 27017`,
+    warning:
+      'The database requires no authentication to the admin port. This could potentially allow an attacker to easily access the database, exposing all of the database.',
+    success: `Restricted port 27017`,
+    check: async () => {
+      try {
+        await MongoClient.connect(databaseAdmin.toString(), { useNewUrlParser: true });
+        return false;
+      } catch (e) {
+        console.log(e);
+      }
+    },
+  });
+  new SecurityCheck({
+    group: SecurityCheck.Category.Database,
+    title: `Unrestricted access to the database`,
+    warning:
+      'The database requires no authentication to connect. This could potentially allow an attacker to easily access the database, exposing all of the database.',
+    success: `Restricted access to the database`,
+    check: async () => {
+      try {
+        await MongoClient.connect(databaseURI, { useNewUrlParser: true });
+        return false;
+      } catch (e) {
+        console.log(e);
+      }
+    },
+  });
+};
+
+const registerServerSecurityChecks = async req => {
+  const options = req.config || req;
+  const serverFuncs = Object.values(ServerChecks);
+  await Promise.all(serverFuncs.map(func => func(options)));
+};
 module.exports = {
   registerServerSecurityChecks,
 };