fix: Security upgrade to parse 7.0.1 (#9877)

Author: Moumouls

package-lock.json

@@ -49,7 +49,7 @@
     "mongodb": "6.17.0",
     "mustache": "4.2.0",
     "otpauth": "9.4.0",
-    "parse": "6.1.1",
+    "parse": "7.0.1",
     "path-to-regexp": "6.3.0",
     "pg-monitor": "3.0.0",
     "pg-promise": "12.2.0",

package.json

@@ -89,12 +89,16 @@ describe('LinkedInAdapter', function () {
 
   describe('Test getUserFromAccessToken', function () {
     it('should fetch user successfully', async function () {
-      global.fetch = jasmine.createSpy().and.returnValue(
-        Promise.resolve({
-          ok: true,
-          json: () => Promise.resolve({ id: 'validUserId' }),
-        })
-      );
+      mockFetch([
+        {
+          url: 'https://api.linkedin.com/v2/me',
+          method: 'GET',
+          response: {
+            ok: true,
+            json: () => Promise.resolve({ id: 'validUserId' }),
+          },
+        },
+      ]);
 
       const user = await adapter.getUserFromAccessToken('validToken', false);
 
@@ -104,14 +108,21 @@ describe('LinkedInAdapter', function () {
           'x-li-format': 'json',
           'x-li-src': undefined,
         },
+        method: 'GET',
       });
       expect(user).toEqual({ id: 'validUserId' });
     });
 
     it('should throw error for invalid response', async function () {
-      global.fetch = jasmine.createSpy().and.returnValue(
-        Promise.resolve({ ok: false })
-      );
+      mockFetch([
+        {
+          url: 'https://api.linkedin.com/v2/me',
+          method: 'GET',
+          response: {
+            ok: false,
+          },
+        },
+      ]);
 
       await expectAsync(adapter.getUserFromAccessToken('invalidToken', false)).toBeRejectedWith(
         new Error('LinkedIn API request failed.')
@@ -121,12 +132,16 @@ describe('LinkedInAdapter', function () {
 
   describe('Test getAccessTokenFromCode', function () {
     it('should fetch token successfully', async function () {
-      global.fetch = jasmine.createSpy().and.returnValue(
-        Promise.resolve({
-          ok: true,
-          json: () => Promise.resolve({ access_token: 'validToken' }),
-        })
-      );
+      mockFetch([
+        {
+          url: 'https://www.linkedin.com/oauth/v2/accessToken',
+          method: 'POST',
+          response: {
+            ok: true,
+            json: () => Promise.resolve({ access_token: 'validToken' }),
+          },
+        },
+      ]);
 
       const tokenResponse = await adapter.getAccessTokenFromCode('validCode', 'http://example.com');
 
@@ -139,9 +154,15 @@ describe('LinkedInAdapter', function () {
     });
 
     it('should throw error for invalid response', async function () {
-      global.fetch = jasmine.createSpy().and.returnValue(
-        Promise.resolve({ ok: false })
-      );
+      mockFetch([
+        {
+          url: 'https://www.linkedin.com/oauth/v2/accessToken',
+          method: 'POST',
+          response: {
+            ok: false,
+          },
+        },
+      ]);
 
       await expectAsync(
         adapter.getAccessTokenFromCode('invalidCode', 'http://example.com')

spec/Adapters/Auth/linkedIn.spec.js

@@ -23,7 +23,8 @@ describe('WeChatAdapter', function () {
       const user = await adapter.getUserFromAccessToken('validToken', { id: 'validOpenId' });
 
       expect(global.fetch).toHaveBeenCalledWith(
-        'https://api.weixin.qq.com/sns/auth?access_token=validToken&openid=validOpenId'
+        'https://api.weixin.qq.com/sns/auth?access_token=validToken&openid=validOpenId',
+        jasmine.any(Object)
       );
       expect(user).toEqual({ errcode: 0, id: 'validUserId' });
     });
@@ -64,7 +65,8 @@ describe('WeChatAdapter', function () {
       const token = await adapter.getAccessTokenFromCode(authData);
 
       expect(global.fetch).toHaveBeenCalledWith(
-        'https://api.weixin.qq.com/sns/oauth2/access_token?appid=validAppId&secret=validAppSecret&code=validCode&grant_type=authorization_code'
+        'https://api.weixin.qq.com/sns/oauth2/access_token?appid=validAppId&secret=validAppSecret&code=validCode&grant_type=authorization_code',
+        jasmine.any(Object)
       );
       expect(token).toEqual('validToken');
     });

spec/Adapters/Auth/wechat.spec.js

@@ -189,7 +189,7 @@ describe('Cloud Code Logger', () => {
     });
   });
 
-  it_id('8088de8a-7cba-4035-8b05-4a903307e674')(it)('should log cloud function execution using the custom log level', async done => {
+  it_id('8088de8a-7cba-4035-8b05-4a903307e674')(it)('should log cloud function execution using the custom log level', async () => {
     Parse.Cloud.define('aFunction', () => {
       return 'it worked!';
     });
@@ -203,6 +203,7 @@ describe('Cloud Code Logger', () => {
       expect(log).toEqual('info');
     });
 
+    Parse.Cloud._removeAllHooks();
     await reconfigureServer({
       silent: true,
       logLevels: {
@@ -211,6 +212,10 @@ describe('Cloud Code Logger', () => {
       },
     });
 
+    Parse.Cloud.define('bFunction', () => {
+      throw new Error('Failed');
+    });
+
     spy = spyOn(Config.get('test').loggerController.adapter, 'log').and.callThrough();
 
     try {
@@ -221,15 +226,12 @@ describe('Cloud Code Logger', () => {
         .allArgs()
         .find(log => log[1].startsWith('Failed running cloud function bFunction for '))?.[0];
       expect(log).toEqual('info');
-      done();
     }
   });
 
   it('should log cloud function triggers using the custom log level', async () => {
-    Parse.Cloud.beforeSave('TestClass', () => {});
-    Parse.Cloud.afterSave('TestClass', () => {});
-
     const execTest = async (logLevel, triggerBeforeSuccess, triggerAfter) => {
+      Parse.Cloud._removeAllHooks();
       await reconfigureServer({
         silent: true,
         logLevel,
@@ -239,6 +241,9 @@ describe('Cloud Code Logger', () => {
         },
       });
 
+      Parse.Cloud.beforeSave('TestClass', () => { });
+      Parse.Cloud.afterSave('TestClass', () => { });
+
       spy = spyOn(Config.get('test').loggerController.adapter, 'log').and.callThrough();
       const obj = new Parse.Object('TestClass');
       await obj.save();
@@ -344,6 +349,7 @@ describe('Cloud Code Logger', () => {
   });
 
   it('should log cloud function execution using the silent log level', async () => {
+    Parse.Cloud._removeAllHooks();
     await reconfigureServer({
       logLevels: {
         cloudFunctionSuccess: 'silent',
@@ -367,6 +373,7 @@ describe('Cloud Code Logger', () => {
   });
 
   it('should log cloud function triggers using the silent log level', async () => {
+    Parse.Cloud._removeAllHooks();
     await reconfigureServer({
       logLevels: {
         triggerAfter: 'silent',

spec/CloudCodeLogger.spec.js

@@ -1395,10 +1395,10 @@ describe('Parse.Object testing', () => {
       .save()
       .then(function () {
         const query = new Parse.Query(TestObject);
-        return query.find(object.id);
+        return query.get(object.id);
       })
-      .then(function (results) {
-        updatedObject = results[0];
+      .then(function (result) {
+        updatedObject = result;
         updatedObject.set('x', 11);
         return updatedObject.save();
       })
@@ -1409,7 +1409,8 @@ describe('Parse.Object testing', () => {
         equal(object.createdAt.getTime(), updatedObject.createdAt.getTime());
         equal(object.updatedAt.getTime(), updatedObject.updatedAt.getTime());
         done();
-      });
+      })
+      .catch(done.fail);
   });
 
   xit('fetchAll backbone-style callbacks', function (done) {