Merge pull request from GHSA-wvh7-5p38-2qfc

dplewis · web-flow · commit d1106174571b · 2019-11-22T19:10:23.000-06:00
GHSA-wvh7-5p38-2qfc
diff --git a/integration/test/ParseUserTest.js b/integration/test/ParseUserTest.js
@@ -898,4 +898,22 @@ describe('Parse User', () => {
     expect(user.get('authData').twitter.id).toBe(authData.id);
     expect(user.get('authData').facebook.id).toBe('test');
   });
+
+  it('fix GHSA-wvh7-5p38-2qfc', async () => {
+    Parse.User.enableUnsafeCurrentUser();
+    const user = new Parse.User();
+    user.setUsername('username');
+    user.setPassword('password');
+    await user.signUp();
+
+    const path = Parse.Storage.generatePath('currentUser');
+    let userData = Parse.Storage.getItem(path);
+    expect(JSON.parse(userData).password).toBeUndefined();
+
+    user.setPassword('password');
+    await user.save(null, { useMasterKey: true });
+
+    userData = Parse.Storage.getItem(path);
+    expect(JSON.parse(userData).password).toBeUndefined();
+  });
 });
diff --git a/src/ParseUser.js b/src/ParseUser.js
@@ -869,6 +869,8 @@ const DefaultController = {
   updateUserOnDisk(user) {
     const path = Storage.generatePath(CURRENT_USER_KEY);
     const json = user.toJSON();
+    delete json.password;
+
     json.className = user.constructor.name === ParseUser.name ? '_User' : user.constructor.name;
     return Storage.setItemAsync(
       path, JSON.stringify(json)
