proto

mtrezza · mtrezza · commit 4dc43492e200 · 2026-04-03T20:49:04.000+01:00
diff --git a/spec/CloudCodeMultipart.spec.js b/spec/CloudCodeMultipart.spec.js
@@ -281,4 +281,60 @@ describe('Cloud Code Multipart', () => {
 
     expect(result.data.code).toBe(Parse.Error.INVALID_JSON);
   });
+
+  it('should not allow prototype pollution via __proto__ field name', async () => {
+    Parse.Cloud.define('multipartProto', req => {
+      const obj = {};
+      return {
+        polluted: obj.polluted !== undefined,
+        paramsClean: Object.getPrototypeOf(req.params) === Object.prototype,
+      };
+    });
+
+    const boundary = '----TestBoundaryProto';
+    const body = buildMultipartBody(boundary, [
+      { name: '__proto__', value: '{"polluted":"yes"}' },
+    ]);
+
+    const result = await postMultipart(
+      `http://localhost:8378/1/functions/multipartProto`,
+      {
+        'Content-Type': `multipart/form-data; boundary=${boundary}`,
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      },
+      body
+    );
+
+    expect(result.status).toBe(200);
+    expect(result.data.result.polluted).toBe(false);
+    expect(result.data.result.paramsClean).toBe(true);
+  });
+
+  it('should not grant master key access via multipart fields', async () => {
+    const obj = new Parse.Object('SecretClass');
+    await obj.save(null, { useMasterKey: true });
+
+    Parse.Cloud.define('multipartAuthCheck', req => {
+      return { isMaster: req.master };
+    });
+
+    const boundary = '----TestBoundaryAuth';
+    const body = buildMultipartBody(boundary, [
+      { name: '_MasterKey', value: 'test' },
+    ]);
+
+    const result = await postMultipart(
+      `http://localhost:8378/1/functions/multipartAuthCheck`,
+      {
+        'Content-Type': `multipart/form-data; boundary=${boundary}`,
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      },
+      body
+    );
+
+    expect(result.status).toBe(200);
+    expect(result.data.result.isMaster).toBe(false);
+  });
 });
diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js
@@ -185,7 +185,7 @@ export class FunctionsRouter extends PromiseRouter {
     }
     const maxBytes = Utils.parseSizeToBytes(req.config.maxUploadSize);
     return new Promise((resolve, reject) => {
-      const fields = {};
+      const fields = Object.create(null);
       let totalBytes = 0;
       let settled = false;
       let busboy;

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ export class FunctionsRouter extends PromiseRouter {`
`185`	`185`	`}`
`186`	`186`	`const maxBytes = Utils.parseSizeToBytes(req.config.maxUploadSize);`
`187`	`187`	`return new Promise((resolve, reject) => {`
`188`		`- const fields = {};`
	`188`	`+ const fields = Object.create(null);`
`189`	`189`	`let totalBytes = 0;`
`190`	`190`	`let settled = false;`
`191`	`191`	`let busboy;`