parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
📋 Description
Impact
A Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single save changes both an object field and the subscriber's ACL read access to that object. When such a save removes the subscriber's read access, the resulting leave event still carries the post-update object body, disclosing the new field values the subscriber is no longer permitted to read. The symmetric case applies to the enter event: when a save grants read access, the event includes the pre-grant object state the subscriber was not previously permitted to read. The disclosure is bounded to the single object affected by that save and is delivered only to the subscriber whose access changed. Applications that combine content changes with access-control changes in the same save on LiveQuery-enabled classes are affected.
Patches
Parse Server now verifies the subscriber's authorization for the specific object state included in leave and enter events. For a leave caused by the subscriber losing read access, the event delivers the last object state the subscriber was authorized to see instead of the post-update body. For an enter caused by the subscriber gaining read access, the previously unauthorized original object state is omitted. Events caused by a normal query-match change, where the subscriber keeps read access, are unaffected, as are master-key subscribers.
Workarounds
Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the access-control change in a separate save before or after the content change. Alternatively, limit which classes are enabled for LiveQuery.
🎯 Affected products2
- npm/parse-server:>= 9.0.0, < 9.9.1-alpha.13
- npm/parse-server:<= 8.6.82