sc

mtrezza · mtrezza · commit e94448b3bd27 · 2026-03-10T12:03:10.000Z
diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js
@@ -49,6 +49,8 @@ describe('Security Check Groups', () => {
       expect(group.checks()[6].checkState()).toBe(CheckState.success);
       expect(group.checks()[8].checkState()).toBe(CheckState.success);
       expect(group.checks()[9].checkState()).toBe(CheckState.success);
+      expect(group.checks()[10].checkState()).toBe(CheckState.success);
+      expect(group.checks()[11].checkState()).toBe(CheckState.success);
     });
 
     it('checks fail correctly', async () => {
@@ -67,6 +69,10 @@ describe('Security Check Groups', () => {
         graphQLDepth: -1,
         graphQLFields: -1,
       };
+      config.passwordPolicy = {
+        resetPasswordSuccessOnInvalidEmail: false,
+      };
+      config.emailVerifySuccessOnInvalidEmail = false;
       await reconfigureServer(config);
 
       const group = new CheckGroupServerConfig();
@@ -79,6 +85,8 @@ describe('Security Check Groups', () => {
       expect(group.checks()[6].checkState()).toBe(CheckState.fail);
       expect(group.checks()[8].checkState()).toBe(CheckState.fail);
       expect(group.checks()[9].checkState()).toBe(CheckState.fail);
+      expect(group.checks()[10].checkState()).toBe(CheckState.fail);
+      expect(group.checks()[11].checkState()).toBe(CheckState.fail);
     });
 
     it_only_db('mongo')('checks succeed correctly (MongoDB specific)', async () => {
diff --git a/src/Security/CheckGroups/CheckGroupServerConfig.js b/src/Security/CheckGroups/CheckGroupServerConfig.js
@@ -151,6 +151,30 @@ class CheckGroupServerConfig extends CheckGroup {
           }
         },
       }),
+      new Check({
+        title: 'Password reset endpoint user enumeration mitigated',
+        warning:
+          'The password reset endpoint returns distinct error responses for invalid email addresses, which allows attackers to enumerate registered users.',
+        solution:
+          "Change Parse Server configuration to 'passwordPolicy.resetPasswordSuccessOnInvalidEmail: true'.",
+        check: () => {
+          if (config.passwordPolicy?.resetPasswordSuccessOnInvalidEmail === false) {
+            throw 1;
+          }
+        },
+      }),
+      new Check({
+        title: 'Email verification endpoint user enumeration mitigated',
+        warning:
+          'The email verification endpoint returns distinct error responses for invalid email addresses, which allows attackers to enumerate registered users.',
+        solution:
+          "Change Parse Server configuration to 'emailVerifySuccessOnInvalidEmail: true'.",
+        check: () => {
+          if (config.emailVerifySuccessOnInvalidEmail === false) {
+            throw 1;
+          }
+        },
+      }),
       new Check({
         title: 'LiveQuery regex timeout enabled',
         warning:
