Using /sessions endpoint not creating restricted session tokens #6612
Comments
@flovilmart @dplewis Yes, this is a major issue here among other related issues I will not disclose here |
@stevestencil Let us know which version of parse-server you are running. |
@EricNetsch I updated my description with the versions |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi guys. I've searched all the code base and also this issue and I believe that the restricted flag existed in parse.com but was never implemented in the Parse Server open source. It means that setting restricted to true or false has no effect. And that's why the guide steps are also not working. So, we have three options here: |
This issue and the linked issue seem to be a vulnerability disclosure, should we redact it? I think it makes sense to remove the feature of restricted sessions, because:
Using restricted sessions in a "less-trusted physical environment" but using them in a "safe physical environment" doesn't make much sense to me. The more effective approach seems to be to store tokens on the IoT device in secure storage and recommend a distinct user/role for the IoT. Unless there is another use case (maybe we can hear from someone using the IoT SDK?) I would go for:
|
Technically yes, but, since the other issue is public for 2 years, I believe that it is better to keep it public for reference and we use this current thread to discuss the future of the feature. |
Hi, I am contacting you on behalf of Snyk Security team. We would like to ask if you have a timeline for fixing this issue. Best, |
I was just looking at this new Snyk open source health report. Unfortunately we're being pulled down due to a couple outstanding vulnerabilities, this being one of them.
I think we should remove the feature from the docs immediately, and then remove the feature from the codebase asap so we can close this one out. |
hi, this issue has been fixed right? i see multiple PRs being referenced |
@snoopysecurity Thanks for bringing this up. I will look into whether this has been fixed and whether this is even an issue. |
@snoopysecurity This has never been a vulnerability of this repository. The I went back to the initial Parse Server 2.0.0 release and I did not find any logic depending on the The Snyk vulnerability Improper Authorization can therefore be removed for all versions of this repository. |
@ggkitsas Could you remove/resolve this vulnerability as per the explanation above? |
I contacted Snyk about this; it seems that only Snyk picked this up by mistake and added it to their internal list. |
Hey @mtrezza - thanks for the clarifications and sorry for the inconvenience, we (Snyk) will revoke this and that should take effect after tomorrow. |
Thanks @benjifin, it seems that it should have been "deactivated" by setting the versions <0.0.0. However, it still appears for the parse-server 4.10.3 package as an active vulnerability: https://snyk.io/test/npm/parse-server/4.10.3 |
This would look to be a caching issue of some sort of the package page, but the data itself will not show up in any scan and even that link will report back to the vulnerability page which has been updated accordingly: https://snyk.io/vuln/SNYK-JS-PARSESERVER-590116. The package pages and their data updates are not owned by our group, but I'll drop a line in to the relevant team to ask them to see if they can have a look at it so that it's removed faster :) |
Closing, as the issue is not a bug. |
Issue Description
When using the REST API to create a new session token as documented here, the tokens are not set as restricted.
Steps to reproduce
Follow the instructions in the REST API Guide to create a restricted session token
Expected Results
A new session token should be created with restricted = true
Actual Outcome
A new session token is created with restricted = false
Versions
Parse-Server - 4.2.0
Parse-SDK-JS - 2.13.0
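The following reproduction script is an added example, not code from parse-server or from the reporter. It assumes the classic Parse REST shape the report refers to: `POST /sessions` with the `X-Parse-Session-Token` of an existing session and a JSON body `{"restricted": true}` creates a child session, and `GET /sessions/me` returns the session object for the token in the header. The endpoint paths, header names, the `restricted` body field and the `PARSE_SERVER_URL`, `PARSE_APP_ID` and `PARSE_SESSION_TOKEN` environment variables are all assumptions of this example; the request builders and the result check are pure functions so they can be exercised without a server.

```javascript
'use strict';
// Added reproduction helper for "restricted session tokens" (not part of parse-server).
// Assumed REST shape: POST /sessions (with a parent X-Parse-Session-Token and body
// {"restricted": true}) creates a child session; GET /sessions/me reads a session back.

// Build the request that asks the server for a restricted child session.
function buildCreateSessionRequest(serverUrl, appId, parentSessionToken) {
  return {
    url: `${serverUrl.replace(/\/$/, '')}/sessions`,
    method: 'POST',
    headers: {
      'X-Parse-Application-Id': appId,
      'X-Parse-Session-Token': parentSessionToken,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ restricted: true }), // the field the old REST guide documented (assumed)
  };
}

// Build the request that reads back the session identified by a token.
function buildSessionMeRequest(serverUrl, appId, sessionToken) {
  return {
    url: `${serverUrl.replace(/\/$/, '')}/sessions/me`,
    method: 'GET',
    headers: {
      'X-Parse-Application-Id': appId,
      'X-Parse-Session-Token': sessionToken,
    },
  };
}

// Decide whether the returned session object carries the flag that was requested.
// Returns { honoured: boolean, reason: string }.
function checkRestricted(sessionObject) {
  if (!sessionObject || typeof sessionObject !== 'object') {
    return { honoured: false, reason: 'no session object in response' };
  }
  if (typeof sessionObject.sessionToken !== 'string' || !sessionObject.sessionToken) {
    return { honoured: false, reason: 'response carries no sessionToken' };
  }
  // Only a strict boolean true counts; a missing field or the string "true"
  // means the flag was dropped or mangled on the way through.
  if (sessionObject.restricted === true) {
    return { honoured: true, reason: 'restricted === true' };
  }
  return {
    honoured: false,
    reason: `restricted is ${JSON.stringify(sessionObject.restricted)} (expected true)`,
  };
}

// Live probe against a real server (Node 18+ global fetch); only runs when configured.
async function probe(serverUrl, appId, parentSessionToken) {
  const create = buildCreateSessionRequest(serverUrl, appId, parentSessionToken);
  const created = await fetch(create.url, create).then((r) => r.json());
  const me = buildSessionMeRequest(serverUrl, appId, created.sessionToken);
  const session = await fetch(me.url, me).then((r) => r.json());
  return checkRestricted(session);
}

if (process.env.PARSE_SERVER_URL && process.env.PARSE_APP_ID && process.env.PARSE_SESSION_TOKEN) {
  probe(process.env.PARSE_SERVER_URL, process.env.PARSE_APP_ID, process.env.PARSE_SESSION_TOKEN)
    .then((result) => console.log(result))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Run it with the three environment variables set against a test deployment to reproduce the report: the reporter's outcome corresponds to `honoured: false` with `restricted is false`. Note what a `true` result would and would not prove: it only shows the field was stored on the `_Session` object. Per the maintainers' finding in this thread, no Parse Server logic reads the flag, so a token should be treated as a full-privilege token for its user whatever the field says, and the IoT advice above (secure storage plus a separate user or role) is the actual control.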