@@ -245,6 +245,53 @@ describe('Vulnerabilities', () => {
245245 } ) ;
246246 } ) ;
247247
248+ describe ( '(GHSA-3v4q-4q9g-x83q) Prototype pollution via application ID in trigger store' , ( ) => {
249+ const prototypeProperties = [ 'constructor' , 'toString' , 'valueOf' , 'hasOwnProperty' , '__proto__' ] ;
250+
251+ for ( const prop of prototypeProperties ) {
252+ it ( `rejects "${ prop } , async ( ) => {
253+ const response = await request ( {
254+ headers : {
255+ 'Content-Type' : 'application/json' ,
256+ 'X-Parse-Application-Id' : prop ,
257+ 'X-Parse-REST-API-Key' : 'rest' ,
258+ } ,
259+ method : 'POST' ,
260+ url : 'http://localhost:8378/1/functions/testFunction' ,
261+ body : JSON . stringify ( { } ) ,
262+ } ) . catch ( e => e ) ;
263+ expect ( response . status ) . toBe ( 403 ) ;
264+ } ) ;
265+
266+ it ( `rejects "${ prop } , async ( ) => {
267+ const response = await request ( {
268+ headers : {
269+ 'Content-Type' : 'application/json' ,
270+ 'X-Parse-Application-Id' : prop ,
271+ 'X-Parse-REST-API-Key' : 'ANY_KEY' ,
272+ } ,
273+ method : 'POST' ,
274+ url : 'http://localhost:8378/1/functions/testFunction' ,
275+ body : JSON . stringify ( { } ) ,
276+ } ) . catch ( e => e ) ;
277+ expect ( response . status ) . toBe ( 403 ) ;
278+ } ) ;
279+
280+ it ( `rejects "${ prop } , async ( ) => {
281+ const response = await request ( {
282+ headers : {
283+ 'Content-Type' : 'application/json' ,
284+ 'X-Parse-Application-Id' : prop ,
285+ 'X-Parse-REST-API-Key' : 'rest' ,
286+ } ,
287+ method : 'GET' ,
288+ url : 'http://localhost:8378/1/classes/TestClass' ,
289+ } ) . catch ( e => e ) ;
290+ expect ( response . status ) . toBe ( 403 ) ;
291+ } ) ;
292+ }
293+ } ) ;
294+
248295 describe ( 'Request denylist' , ( ) => {
249296 describe ( '(GHSA-q342-9w2p-57fp) Denylist bypass via sibling nested objects' , ( ) => {
250297 it ( 'denies _bsontype:Code after a sibling nested object' , async ( ) => {
0 commit comments