Merge remote-tracking branch 'upstream/alpha' into alpha

mtrezza · mtrezza · commit df5ac7d589b3 · 2026-03-06T01:48:58.000Z
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -47,6 +47,35 @@ describe('Vulnerabilities', () => {
         ).toBeRejectedWith(new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Invalid object ID.'));
         await new Parse.Query(Parse.User).find({ sessionToken: innocentUser.getSessionToken() });
       });
+
+    });
+
+    describe('legacy session upgrade for user with poisoned object ID', () => {
+      // Legacy session tokens (_session_token on _User) are a MongoDB-only legacy feature
+      it_only_db('mongo')('refuses legacy session upgrade for user with poisoned object ID', async () => {
+        const parseServer = await global.reconfigureServer();
+        const databaseController = parseServer.config.databaseController;
+        const poisonedId = 'role:legacy';
+        const legacyToken = 'legacy-poisoned-token';
+        // Create user with poisoned ID and legacy session token directly in DB
+        await databaseController.create('_User', {
+          objectId: poisonedId,
+          _session_token: legacyToken,
+        });
+        await expectAsync(
+          request({
+            method: 'POST',
+            url: 'http://localhost:8378/1/upgradeToRevocableSession',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Parse-Application-Id': 'test',
+              'X-Parse-REST-API-Key': 'rest',
+              'X-Parse-Session-Token': legacyToken,
+            },
+            body: JSON.stringify({}),
+          })
+        ).toBeRejected();
+      });
     });
   });
 
diff --git a/src/Auth.js b/src/Auth.js
@@ -228,6 +228,11 @@ var getAuthForLegacySessionToken = async function ({ config, sessionToken, insta
       throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid legacy session token');
     }
     const obj = results[0];
+
+    if (typeof obj['objectId'] === 'string' && obj['objectId'].startsWith('role:')) {
+      throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Invalid object ID.');
+    }
+
     obj.className = '_User';
     const userObject = Parse.Object.fromJSON(obj);
     return new Auth({
