Skip to content

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Feb 7, 2023
Merged

fix: Security upgrade jsonwebtoken to 9.0.0 #8420

merged 5 commits into from
Feb 7, 2023

Conversation

dblythy
Copy link
Member

@dblythy dblythy commented Feb 2, 2023
edited by mtrezza
Loading

Pull Request

Issue

The latest JWT library prevents mocking of the decode property, which we use to determine a JWT's headers.

Closes: #8356
Closes: #8355

Approach

Add ability to mock decode

Tasks

  • Add tests

dependabot bot and others added 2 commits January 31, 2023 16:35
@dependabot
build(deps): bump jsonwebtoken from 8.5.1 to 9.0.0
6205ae0 
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dblythy
feat: bump jsonwebtoken to 9.0.0
bf48414
@parse-github-assistant
Copy link

parse-github-assistant bot commented Feb 2, 2023
edited
Loading

Thanks for opening this pull request!

  • ❌ Please edit your post and use the provided template when creating a new pull request. This helps everyone to understand your post better and asks for essential information to quicker review the pull request.

@dblythy dblythy changed the title Bump jwt feat: bump jsonwebtoken to 9.0.0 Feb 2, 2023
@parse-github-assistant
Copy link

I will reformat the title to use the proper commit message syntax.

@dblythy dblythy marked this pull request as ready for review February 2, 2023 03:56
@parse-github-assistant parse-github-assistant bot changed the title feat: bump jsonwebtoken to 9.0.0 feat: Bump jsonwebtoken to 9.0.0 Feb 2, 2023
@codecov
Copy link

codecov bot commented Feb 5, 2023
edited
Loading

Codecov Report

Base: 94.16% // Head: 94.33% // Increases project coverage by +0.16% 🎉

Coverage data is based on head (ee0a040) compared to base (4450ecb).
Patch coverage: 92.85% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##            alpha    #8420      +/-   ##
==========================================
+ Coverage   94.16%   94.33%   +0.16%     
==========================================
  Files         181      182       +1     
  Lines       14401    14398       -3     
==========================================
+ Hits        13561    13582      +21     
+ Misses        840      816      -24
Impacted Files Coverage Δ
src/Adapters/Auth/utils.js 87.50% <87.50%> (ø)
src/Adapters/Auth/apple.js 100.00% <100.00%> (ø)
src/Adapters/Auth/facebook.js 90.00% <100.00%> (-0.63%) ⬇️
src/Adapters/Auth/google.js 92.64% <100.00%> (-0.32%) ⬇️
src/RestWrite.js 94.91% <0.00%> (+0.29%) ⬆️
src/Adapters/Files/GridFSBucketAdapter.js 94.20% <0.00%> (+0.72%) ⬆️
src/GraphQL/transformers/mutation.js 97.19% <0.00%> (+9.34%) ⬆️
src/GraphQL/loaders/filesMutations.js 80.64% <0.00%> (+38.70%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@dblythy
Copy link
Member Author

dblythy commented Feb 5, 2023

Ready for review

mtrezza
mtrezza reviewed Feb 5, 2023
View reviewed changes
Copy link
Member

@mtrezza mtrezza left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this really a feat PR? It seems that the auth adapter changes would be unnoticeable for the developer, in which case this would be a refactor.

@dblythy dblythy changed the title feat: Bump jsonwebtoken to 9.0.0 refactor: Bump jsonwebtoken to 9.0.0 Feb 5, 2023
@mtrezza mtrezza changed the title refactor: Bump jsonwebtoken to 9.0.0 fix: Security upgrade jsonwebtoken from 8.5.1 to 9.0.0 Feb 7, 2023
@mtrezza mtrezza changed the title fix: Security upgrade jsonwebtoken from 8.5.1 to 9.0.0 fix: Security upgrade jsonwebtoken to 9.0.0 Feb 7, 2023
@mtrezza mtrezza changed the title fix: Security upgrade jsonwebtoken to 9.0.0 refactor: Upgrade jsonwebtoken to 9.0.0 Feb 7, 2023
@mtrezza mtrezza changed the title refactor: Upgrade jsonwebtoken to 9.0.0 fix: Security upgrade jsonwebtoken to 9.0.0 Feb 7, 2023
@mtrezza
Copy link
Member

mtrezza commented Feb 7, 2023

Sorry, I figured it should probably be a fix to trigger a new release with the upgrade; otherwise the fix will only be released with the next fix or feat commit.

This was referenced Feb 7, 2023
Closed
Closed
mtrezza
mtrezza approved these changes Feb 7, 2023
View reviewed changes
Copy link
Member

@mtrezza mtrezza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@mtrezza mtrezza merged commit f5bfe45 into parse-community:alpha Feb 7, 2023
parseplatformorg pushed a commit that referenced this pull request Feb 7, 2023
@semantic-release-bot
chore(release): 6.0.0-alpha.32 [skip ci]
e76123b 
# [6.0.0-alpha.32](6.0.0-alpha.31...6.0.0-alpha.32) (2023-02-07)

### Bug Fixes

* Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.0.0-alpha.32

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Feb 7, 2023
@mtrezza mtrezza mentioned this pull request Feb 19, 2023
Closed
3 tasks
parseplatformorg pushed a commit that referenced this pull request Mar 2, 2023
@semantic-release-bot
chore(release): 6.1.0-beta.1 [skip ci]
656bca6 
# [6.1.0-beta.1](6.0.0...6.1.0-beta.1) (2023-03-02)

### Bug Fixes

* Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))

### Features

* Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de))
* Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e))
* Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.1.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Mar 2, 2023
parseplatformorg pushed a commit that referenced this pull request Mar 3, 2023
@semantic-release-bot
chore(release): 6.1.0-alpha.1 [skip ci]
3f5b290 
# [6.1.0-alpha.1](6.0.0...6.1.0-alpha.1) (2023-03-03)

### Bug Fixes

* Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))

### Features

* Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de))
* Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e))
* Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323))
* Export `AuthAdapter` to make it available for extension with custom authentication adapters ([#8443](#8443)) ([40c1961](40c1961))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.1.0-alpha.1

parseplatformorg pushed a commit that referenced this pull request May 1, 2023
@semantic-release-bot
chore(release): 6.1.0 [skip ci]
832702d 
# [6.1.0](6.0.0...6.1.0) (2023-05-01)

### Bug Fixes

* LiveQuery can return incorrectly formatted date ([#8456](#8456)) ([4ce135a](4ce135a))
* Nested date is incorrectly decoded as empty object `{}` when fetching a Parse Object ([#8446](#8446)) ([22d2446](22d2446))
* Parameters missing in `afterFind` trigger of authentication adapters ([#8458](#8458)) ([ce34747](ce34747))
* Rate limiting across multiple servers via Redis not working ([#8469](#8469)) ([d9e347d](d9e347d))
* Security upgrade jsonwebtoken to 9.0.0 ([#8420](#8420)) ([f5bfe45](f5bfe45))

### Features

* Add `afterFind` trigger to authentication adapters ([#8444](#8444)) ([c793bb8](c793bb8))
* Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([#8436](#8436)) ([b3b76de](b3b76de))
* Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([#7551](#7551)) ([e5d610e](e5d610e))
* Add rate limiting across multiple servers via Redis ([#8394](#8394)) ([34833e4](34833e4))
* Allow multiple origins for header `Access-Control-Allow-Origin` ([#8517](#8517)) ([4f15539](4f15539))
* Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([#8388](#8388)) ([a49e323](a49e323))
* Export `AuthAdapter` to make it available for extension with custom authentication adapters ([#8443](#8443)) ([40c1961](40c1961))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.1.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label May 1, 2023
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jun 10, 2023
@mtrezza
Squashed commit of the following:
ef75726 
commit 1506273
Author: semantic-release-bot <[email protected]>
Date:   Sat May 20 23:24:03 2023 +0000

    chore(release): 6.2.0 [skip ci]

    # [6.2.0](parse-community/parse-server@6.1.0...6.2.0) (2023-05-20)

    ### Features

    * Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` ([parse-community#8538](parse-community#8538)) ([a318e7b](parse-community@a318e7b))

commit a318e7b
Author: Manuel <[email protected]>
Date:   Sun May 21 01:23:00 2023 +0200

    feat: Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` (parse-community#8538)

commit 832702d
Author: semantic-release-bot <[email protected]>
Date:   Mon May 1 21:50:23 2023 +0000

    chore(release): 6.1.0 [skip ci]

    # [6.1.0](parse-community/parse-server@6.0.0...6.1.0) (2023-05-01)

    ### Bug Fixes

    * LiveQuery can return incorrectly formatted date ([parse-community#8456](parse-community#8456)) ([4ce135a](parse-community@4ce135a))
    * Nested date is incorrectly decoded as empty object `{}` when fetching a Parse Object ([parse-community#8446](parse-community#8446)) ([22d2446](parse-community@22d2446))
    * Parameters missing in `afterFind` trigger of authentication adapters ([parse-community#8458](parse-community#8458)) ([ce34747](parse-community@ce34747))
    * Rate limiting across multiple servers via Redis not working ([parse-community#8469](parse-community#8469)) ([d9e347d](parse-community@d9e347d))
    * Security upgrade jsonwebtoken to 9.0.0 ([parse-community#8420](parse-community#8420)) ([f5bfe45](parse-community@f5bfe45))

    ### Features

    * Add `afterFind` trigger to authentication adapters ([parse-community#8444](parse-community#8444)) ([c793bb8](parse-community@c793bb8))
    * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([parse-community#8436](parse-community#8436)) ([b3b76de](parse-community@b3b76de))
    * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([parse-community#7551](parse-community#7551)) ([e5d610e](parse-community@e5d610e))
    * Add rate limiting across multiple servers via Redis ([parse-community#8394](parse-community#8394)) ([34833e4](parse-community@34833e4))
    * Allow multiple origins for header `Access-Control-Allow-Origin` ([parse-community#8517](parse-community#8517)) ([4f15539](parse-community@4f15539))
    * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([parse-community#8388](parse-community#8388)) ([a49e323](parse-community@a49e323))
    * Export `AuthAdapter` to make it available for extension with custom authentication adapters ([parse-community#8443](parse-community#8443)) ([40c1961](parse-community@40c1961))

commit 18b63d1
Merge: f7eee19 f59d46c
Author: Manuel <[email protected]>
Date:   Mon May 1 23:49:22 2023 +0200

    build: Release (parse-community#8526)
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Jun 10, 2023
@mtrezza
Squashed commit of the following:
24c0b03 
commit 1506273
Author: semantic-release-bot <[email protected]>
Date:   Sat May 20 23:24:03 2023 +0000

    chore(release): 6.2.0 [skip ci]

    # [6.2.0](parse-community/parse-server@6.1.0...6.2.0) (2023-05-20)

    ### Features

    * Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` ([parse-community#8538](parse-community#8538)) ([a318e7b](parse-community@a318e7b))

commit a318e7b
Author: Manuel <[email protected]>
Date:   Sun May 21 01:23:00 2023 +0200

    feat: Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` (parse-community#8538)

commit 832702d
Author: semantic-release-bot <[email protected]>
Date:   Mon May 1 21:50:23 2023 +0000

    chore(release): 6.1.0 [skip ci]

    # [6.1.0](parse-community/parse-server@6.0.0...6.1.0) (2023-05-01)

    ### Bug Fixes

    * LiveQuery can return incorrectly formatted date ([parse-community#8456](parse-community#8456)) ([4ce135a](parse-community@4ce135a))
    * Nested date is incorrectly decoded as empty object `{}` when fetching a Parse Object ([parse-community#8446](parse-community#8446)) ([22d2446](parse-community@22d2446))
    * Parameters missing in `afterFind` trigger of authentication adapters ([parse-community#8458](parse-community#8458)) ([ce34747](parse-community@ce34747))
    * Rate limiting across multiple servers via Redis not working ([parse-community#8469](parse-community#8469)) ([d9e347d](parse-community@d9e347d))
    * Security upgrade jsonwebtoken to 9.0.0 ([parse-community#8420](parse-community#8420)) ([f5bfe45](parse-community@f5bfe45))

    ### Features

    * Add `afterFind` trigger to authentication adapters ([parse-community#8444](parse-community#8444)) ([c793bb8](parse-community@c793bb8))
    * Add option `schemaCacheTtl` for schema cache pulling as alternative to `enableSchemaHooks` ([parse-community#8436](parse-community#8436)) ([b3b76de](parse-community@b3b76de))
    * Add Parse Server option `resetPasswordSuccessOnInvalidEmail` to choose success or error response on password reset with invalid email ([parse-community#7551](parse-community#7551)) ([e5d610e](parse-community@e5d610e))
    * Add rate limiting across multiple servers via Redis ([parse-community#8394](parse-community#8394)) ([34833e4](parse-community@34833e4))
    * Allow multiple origins for header `Access-Control-Allow-Origin` ([parse-community#8517](parse-community#8517)) ([4f15539](parse-community@4f15539))
    * Deprecate LiveQuery `fields` option in favor of `keys` for semantic consistency ([parse-community#8388](parse-community#8388)) ([a49e323](parse-community@a49e323))
    * Export `AuthAdapter` to make it available for extension with custom authentication adapters ([parse-community#8443](parse-community#8443)) ([40c1961](parse-community@40c1961))

commit 18b63d1
Merge: f7eee19 f59d46c
Author: Manuel <[email protected]>
Date:   Mon May 1 23:49:22 2023 +0200

    build: Release (parse-community#8526)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtrezza mtrezza mtrezza approved these changes

Assignees
No one assigned
Labels
state:released Released as stable version state:released-alpha Released as alpha version state:released-beta Released as beta version
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bump jsonwebtoken to 9.0.0
3 participants
@dblythy @mtrezza @parseplatformorg