fix: Validate authData provider values in challenge endpoint (#10224)

mtrezza · web-flow · commit e5e1f5bbc008 · 2026-03-16T19:22:45.000Z
diff --git a/spec/AuthenticationAdaptersV2.spec.js b/spec/AuthenticationAdaptersV2.spec.js
@@ -1,5 +1,6 @@
 const request = require('../lib/request');
 const Auth = require('../lib/Auth');
+const Config = require('../lib/Config');
 const requestWithExpectedError = async params => {
   try {
     return await request(params);
@@ -1613,4 +1614,92 @@ describe('Auth Adapter features', () => {
     expect(authData.simpleAdapter && authData.simpleAdapter.id).toBe('simple1');
     expect(authData.codeBasedAdapter && authData.codeBasedAdapter.id).toBe('user1');
   });
+
+  describe('authData dot-notation injection and login crash', () => {
+    it('rejects dotted update key that targets authData sub-field', async () => {
+      const user = new Parse.User();
+      user.setUsername('dotuser');
+      user.setPassword('pass1234');
+      await user.signUp();
+
+      const res = await request({
+        method: 'PUT',
+        url: `http://localhost:8378/1/users/${user.id}`,
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': user.getSessionToken(),
+        },
+        body: JSON.stringify({ 'authData.anonymous".id': 'injected' }),
+      }).catch(e => e);
+      expect(res.status).toBe(400);
+    });
+
+    it('login does not crash when stored authData has unknown provider', async () => {
+      const user = new Parse.User();
+      user.setUsername('dotuser2');
+      user.setPassword('pass1234');
+      await user.signUp();
+      await Parse.User.logOut();
+
+      // Inject unknown provider directly in database to simulate corrupted data
+      const config = Config.get('test');
+      await config.database.update(
+        '_User',
+        { objectId: user.id },
+        { authData: { unknown_provider: { id: 'bad' } } }
+      );
+
+      // Login should not crash with 500
+      const login = await request({
+        method: 'GET',
+        url: `http://localhost:8378/1/login?username=dotuser2&password=pass1234`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+      }).catch(e => e);
+      expect(login.status).toBe(200);
+      expect(login.data.sessionToken).toBeDefined();
+    });
+  });
+
+  describe('challenge endpoint authData provider value validation', () => {
+    it('rejects challenge request with null provider value without 500', async () => {
+      const res = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/challenge',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: JSON.stringify({
+          authData: { anonymous: null },
+          challengeData: { anonymous: { token: '123456' } },
+        }),
+      }).catch(e => e);
+      expect(res.status).toBeGreaterThanOrEqual(400);
+      expect(res.status).toBeLessThan(500);
+    });
+
+    it('rejects challenge request with non-object provider value without 500', async () => {
+      const res = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/challenge',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: JSON.stringify({
+          authData: { anonymous: 'string_value' },
+          challengeData: { anonymous: { token: '123456' } },
+        }),
+      }).catch(e => e);
+      expect(res.status).toBeGreaterThanOrEqual(400);
+      expect(res.status).toBeLessThan(500);
+    });
+  });
 });
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -3010,56 +3010,6 @@ describe('(GHSA-fjxm-vhvc-gcmj) LiveQuery Operator Type Confusion', () => {
     });
   });
 
-  describe('authData dot-notation injection and login crash', () => {
-    it('rejects dotted update key that targets authData sub-field', async () => {
-      const user = new Parse.User();
-      user.setUsername('dotuser');
-      user.setPassword('pass1234');
-      await user.signUp();
-
-      const res = await request({
-        method: 'PUT',
-        url: `http://localhost:8378/1/users/${user.id}`,
-        headers: {
-          'Content-Type': 'application/json',
-          'X-Parse-Application-Id': 'test',
-          'X-Parse-REST-API-Key': 'rest',
-          'X-Parse-Session-Token': user.getSessionToken(),
-        },
-        body: JSON.stringify({ 'authData.anonymous".id': 'injected' }),
-      }).catch(e => e);
-      expect(res.status).toBe(400);
-    });
-
-    it('login does not crash when stored authData has unknown provider', async () => {
-      const user = new Parse.User();
-      user.setUsername('dotuser2');
-      user.setPassword('pass1234');
-      await user.signUp();
-      await Parse.User.logOut();
-
-      // Inject unknown provider directly in database to simulate corrupted data
-      const config = Config.get('test');
-      await config.database.update(
-        '_User',
-        { objectId: user.id },
-        { authData: { unknown_provider: { id: 'bad' } } }
-      );
-
-      // Login should not crash with 500
-      const login = await request({
-        method: 'GET',
-        url: `http://localhost:8378/1/login?username=dotuser2&password=pass1234`,
-        headers: {
-          'X-Parse-Application-Id': 'test',
-          'X-Parse-REST-API-Key': 'rest',
-        },
-      }).catch(e => e);
-      expect(login.status).toBe(200);
-      expect(login.data.sessionToken).toBeDefined();
-    });
-  });
-
   describe('(GHSA-r3xq-68wh-gwvh) Password reset single-use token bypass via concurrent requests', () => {
     let sendPasswordResetEmail;
 
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -614,7 +614,16 @@ export class UsersRouter extends ClassesRouter {
         );
       }
 
-      if (Object.keys(authData).filter(key => authData[key].id).length > 1) {
+      for (const key of Object.keys(authData)) {
+        if (authData[key] !== null && (typeof authData[key] !== 'object' || Array.isArray(authData[key]))) {
+          throw new Parse.Error(
+            Parse.Error.OTHER_CAUSE,
+            `authData.${key} should be an object.`
+          );
+        }
+      }
+
+      if (Object.keys(authData).filter(key => authData[key] && authData[key].id).length > 1) {
         throw new Parse.Error(
           Parse.Error.OTHER_CAUSE,
           'You cannot provide more than one authData provider with an id.'
@@ -628,7 +637,7 @@ export class UsersRouter extends ClassesRouter {
           throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'User not found.');
         }
         // Find the provider used to find the user
-        const provider = Object.keys(authData).find(key => authData[key].id);
+        const provider = Object.keys(authData).find(key => authData[key] && authData[key].id);
 
         parseUser = Parse.User.fromJSON({ className: '_User', ...results[0] });
         request = getRequestObject(undefined, req.auth, parseUser, parseUser, req.config);
