Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict use of masterKey to localhost by default #8245

Closed
3 tasks done
Tracked by #8225
mtrezza opened this issue Oct 17, 2022 · 5 comments · Fixed by #8281
Closed
3 tasks done
Tracked by #8225

Restrict use of masterKey to localhost by default #8245

mtrezza opened this issue Oct 17, 2022 · 5 comments · Fixed by #8281
Labels
state:breaking Breaking change requires major version increment and `BREAKING CHANGE` commit message state:released Released as stable version state:released-beta Released as beta version type:feature New feature or improvement of existing feature

Comments

@mtrezza
Copy link
Member

mtrezza commented Oct 17, 2022
edited
Loading

New Feature / Enhancement Checklist

Current Limitation

By default, Parse Server allows to use the master key with remote access. This creates a security risk because an exposed master key allows to access Parse Server with highest privileges via remote network requests against the public Parse Server API.

Parse Server already recommends in the documentation that the master key should never be used client side. Having the master key usable via remote access by default is contradictory to that advice.

Feature / Enhancement Description

To improve the default security of Parse Server, default the existing Parse Server option masterKeyIPs to 127.0.0.1, i.e. localhost.

The most common use case for master key being used remotely may be Parse Dashboard, which unfortunately still requires the master key, but that will hopefully change soon.

The feature must consider dynamic IP addresses, so it must be possible to not set any IP address restriction. That is currently the default, by not setting masterKeyIPs. If the new default is 127.0.0.1, it's unclear how to set no restriction, because masterKeyIPs: [] currently means "don't allow any IP address".

A suggested solution is to allow using CIDR notation in masterKeyIPs. If the string misses the CIDR range, it should be interpreted as using the range of /32. This also causes the least adoption effort for developers.

  • don't allow any IP address: masterKeyIPs: []
  • allow any IP address: masterKeyIPs: ['0.0.0.0/0']
  • allow only a single IP address: masterKeyIPs: ['10.0.0.1/32'] or masterKeyIPs: ['10.0.0.1']
  • allow only a specific IP address range: masterKeyIPs: ['10.0.0.1/16']

Example Use Case

n/a

Alternatives / Workarounds

n/a
@parse-github-assistant
Copy link

parse-github-assistant bot commented Oct 17, 2022
edited
Loading

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza mtrezza added the type:feature New feature or improvement of existing feature label Oct 17, 2022
@mtrezza mtrezza mentioned this issue Oct 23, 2022
Closed
31 tasks
@mtrezza mtrezza added the state:breaking Breaking change requires major version increment and `BREAKING CHANGE` commit message label Nov 2, 2022
@dblythy dblythy mentioned this issue Nov 3, 2022
Merged
4 tasks
@mtrezza mtrezza changed the title Limit masterKeyIPs to localhost by default Restrict masterKeyIPs to localhost by default Nov 11, 2022
@mtrezza mtrezza changed the title Restrict masterKeyIPs to localhost by default Restrict use of masterKey to localhost by default Nov 11, 2022
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.0.0-alpha.8

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Nov 11, 2022
@parse-github-assistant
Copy link

The label state:released-alpha cannot be used in combination with state:breaking.

@parse-github-assistant parse-github-assistant bot removed the state:released-alpha Released as alpha version label Nov 11, 2022
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Jan 31, 2023
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 6.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Jan 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
state:breaking Breaking change requires major version increment and `BREAKING CHANGE` commit message state:released Released as stable version state:released-beta Released as beta version type:feature New feature or improvement of existing feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Restrict use of masterKey to localhost by default dblythy/parse-server
2 participants
@mtrezza @parseplatformorg