src/Security/CheckGroups/CheckGroupServerConfig.js

/**
 * @module SecurityCheck
 */

import { Check } from '../Check';
import CheckGroup from '../CheckGroup';
import Config from '../../Config';
import Parse from 'parse/node';

/**
* The security checks group for Parse Server configuration.
* Checks common Parse Server parameters such as access keys.
*/
class CheckGroupServerConfig extends CheckGroup {
  setName() {
    return 'Parse Server Configuration';
  }
  setChecks() {
    const config = Config.get(Parse.applicationId);
    return [
      new Check({
        title: 'Secure master key',
        warning: 'The Parse Server master key is insecure and vulnerable to brute force attacks.',
        solution: 'Choose a longer and/or more complex master key with a combination of upper- and lowercase characters, numbers and special characters.',
        check: () => {
          const masterKey = config.masterKey;
          const hasUpperCase = /[A-Z]/.test(masterKey);
          const hasLowerCase = /[a-z]/.test(masterKey);
          const hasNumbers = /\d/.test(masterKey);
          const hasNonAlphasNumerics = /\W/.test(masterKey);
          // Ensure length
          if (masterKey.length < 14) {
            throw 1;
          }
          // Ensure at least 3 out of 4 requirements passed
          if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
            throw 1;
          }
        },
      }),
      new Check({
        title: 'Security log disabled',
        warning: 'Security checks in logs may expose vulnerabilities to anyone access to logs.',
        solution: 'Change Parse Server configuration to \'security.enableCheckLog: false\'.',
        check: () => {
          if (config.security && config.security.enableCheckLog) {
            throw 1;
          }
        },
      }),
      new Check({
        title: 'Client class creation disabled',
        warning: 'Attackers are allowed to create new classes without restriction and flood the database.',
        solution: 'Change Parse Server configuration to \'allowClientClassCreation: false\'.',
        check: () => {
          if (config.allowClientClassCreation || config.allowClientClassCreation == null) {
            throw 1;
          }
        },
      }),
    ];
  }
}

module.exports = CheckGroupServerConfig;
Add security check (#7247) * added Parse Server security option * added SecurityRouter * added Check class * added CheckGroup class * moved parameter validation to Utils * added CheckRunner class * added auto-run on server start * added custom security checks as Parse Server option * renamed script to check * reformat log output * added server config check * improved contributing guideline * improved contribution guide * added check security log * improved log format * added checks * fixed log fomat typo * added database checks * fixed database check * removed database auth check in initial version * improved contribution guide * added security check tests * fixed typo * improved wording guidelines * improved wording guidelines 2021-03-10 20:19:28 +01:00			`/**`
			`* @module SecurityCheck`
			`*/`

			`import { Check } from '../Check';`
			`import CheckGroup from '../CheckGroup';`
			`import Config from '../../Config';`
			`import Parse from 'parse/node';`

			`/**`
			`* The security checks group for Parse Server configuration.`
			`* Checks common Parse Server parameters such as access keys.`
			`*/`
			`class CheckGroupServerConfig extends CheckGroup {`
			`setName() {`
			`return 'Parse Server Configuration';`
			`}`
			`setChecks() {`
			`const config = Config.get(Parse.applicationId);`
			`return [`
			`new Check({`
			`title: 'Secure master key',`
			`warning: 'The Parse Server master key is insecure and vulnerable to brute force attacks.',`
			`solution: 'Choose a longer and/or more complex master key with a combination of upper- and lowercase characters, numbers and special characters.',`
			`check: () => {`
			`const masterKey = config.masterKey;`
			`const hasUpperCase = /[A-Z]/.test(masterKey);`
			`const hasLowerCase = /[a-z]/.test(masterKey);`
			`const hasNumbers = /\d/.test(masterKey);`
			`const hasNonAlphasNumerics = /\W/.test(masterKey);`
			`// Ensure length`
			`if (masterKey.length < 14) {`
			`throw 1;`
			`}`
			`// Ensure at least 3 out of 4 requirements passed`
			`if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {`
			`throw 1;`
			`}`
			`},`
			`}),`
			`new Check({`
			`title: 'Security log disabled',`
			`warning: 'Security checks in logs may expose vulnerabilities to anyone access to logs.',`
			`solution: 'Change Parse Server configuration to \'security.enableCheckLog: false\'.',`
			`check: () => {`
			`if (config.security && config.security.enableCheckLog) {`
			`throw 1;`
			`}`
			`},`
			`}),`
			`new Check({`
			`title: 'Client class creation disabled',`
			`warning: 'Attackers are allowed to create new classes without restriction and flood the database.',`
			`solution: 'Change Parse Server configuration to \'allowClientClassCreation: false\'.',`
			`check: () => {`
			`if (config.allowClientClassCreation \|\| config.allowClientClassCreation == null) {`
			`throw 1;`
			`}`
			`},`
			`}),`
			`];`
			`}`
			`}`

			`module.exports = CheckGroupServerConfig;`