Using Parse SDK on the web, after sign up but user not authenticated - as the service required email verification - I issued a request to update the user from async storage by calling Parse.User.currentAsync(). This call crashes my parse server backend with process.exit(0).
I find this strange and a pricey vulnerability since anyone can issue a similar request to the server crashing the server each time.
Steps to reproduce
Enable sign up with user verification on parse server backend.
Sign up a user from the front end and immediately issue a Parse.User.currentAsync() call to update the user.
The backend server crashes with exit code 1.
Actual Outcome
Parse server crashes with exit code 1.
Expected Outcome
I expected an invalid session error to be reported back to the caller without crashing the server.
Environment
Node LTS on Docker Debian Bookworm on Docker, Parse Server 7.2.0 Node JS module, Ubuntu 22.04 as host OS.
Server
Parse Server version: 7.2.0
Operating system: Node LTS on Docker Debian Bookworm
Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local on Docker
Database
System (MongoDB or Postgres): MongoDB
Database version: 6.0.14
Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local on Docker
Client
JavaScript
5.3.0