Parse Server Cloud Function Validator Bypass Vulnerability

Vulnerability

A vulnerability in Parse Server allows attackers to bypass access controls on Cloud Function validators. This issue affects Parse Server versions prior to 8.6.67 and 9.0.0 through 9.7.0-alpha.11. The vulnerability arises when a Cloud Function handler is defined using the 'function' keyword, and its validator is a plain object or arrow function. In such cases, the trigger store traversal can be manipulated to skip access control enforcement, enabling unauthenticated users to invoke protected Cloud Functions. This vulnerability has been addressed in the latest releases of Parse Server.

Impact

Exploitation of this vulnerability allows unauthenticated users to invoke Cloud Functions that should be restricted by validators, such as requireUser, requireMaster, or custom validation logic.

Reproduction

To reproduce this vulnerability, define a Cloud Function using the 'function' keyword and set a validator that is a plain object or arrow function. Then, append '.prototype.constructor' to the function name in the URL when making a request to invoke the function. The request will bypass the validator and execute the function without the required permissions.

Remediation

Users can upgrade to Parse Server versions 8.6.67 or 9.7.0-alpha.11, where this vulnerability has been patched. Alternatively, for those using an affected version, a workaround is to use arrow functions for Cloud Function handlers, as they do not have a prototype property and are not susceptible to this vulnerability.
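The following is an added example, not Parse Server's own code, that models the failure class described above in a toy trigger store and shows the hardened lookup beside it. A handler written with the `function` keyword satisfies `handler.prototype.constructor === handler`, so a lookup that walks a dotted name segment by segment can land on the same handler under a key the validator table does not contain, while an arrow-function handler has no `prototype` and the walk dead-ends. The function names, the validator shape and the resolver logic are all assumptions made for illustration.

```javascript
// Added example (not Parse Server code): a toy trigger store contrasting a
// path-walking lookup with an exact own-property lookup.

// Only plain identifiers are acceptable as function names (assumption).
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Constructed sample registrations with hypothetical function names.
function buildStore() {
  const handlers = Object.create(null);
  const validators = Object.create(null);
  // Handler declared with the `function` keyword: it owns a `prototype`,
  // and `prototype.constructor` points back at the handler itself.
  handlers.secretReport = function secretReport(req) {
    return 'report for ' + req.user;
  };
  validators.secretReport = { requireUser: true }; // plain-object validator
  // Workaround from the advisory: an arrow function has no `prototype`.
  handlers.secretReportArrow = (req) => 'report for ' + req.user;
  validators.secretReportArrow = { requireUser: true };
  return { handlers, validators };
}

// Weak lookup (models the bug class): each dotted segment of the requested
// name is treated as a property access, while the validator is fetched by
// the raw name string, so the two can disagree.
function weakResolve(store, name) {
  let node = store.handlers;
  for (const seg of name.split('.')) {
    if (node == null) return null;
    node = node[seg];
  }
  return typeof node === 'function'
    ? { handler: node, validator: store.validators[name] }
    : null;
}

// Hardened lookup: the name must be a bare identifier and must be an own
// property of the store, so it can never be interpreted as a path.
function safeResolve(store, name) {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) return null;
  if (!Object.prototype.hasOwnProperty.call(store.handlers, name)) return null;
  return { handler: store.handlers[name], validator: store.validators[name] };
}

// Enforce the toy validator, then run the handler.
function invoke(resolved, req) {
  if (!resolved) throw new Error('no such function');
  const v = resolved.validator;
  if (v && v.requireUser && !req.user) throw new Error('unauthorized');
  return resolved.handler(req);
}

module.exports = { buildStore, weakResolve, safeResolve, invoke };
```

With the weak resolver, a name of the form `secretReport.prototype.constructor` resolves to the very same `secretReport` handler but to no validator, whereas the same name against `secretReportArrow` resolves to nothing because the arrow function has no `prototype`. The hardened resolver rejects any dotted name outright, and the usual `secretReport` path still enforces `requireUser`. Detection-wise, request logs showing Cloud Function names containing `.` or the substrings `prototype`/`constructor` are a simple indicator worth alerting on while an affected version is still deployed.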

Added: Mar 31, 2026, 3:46 PM
Updated: Mar 31, 2026, 3:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.3
exploitability: 7.8
remediation: 8.3
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.