Current Limitation
For some requests, Parse Server returns more information than necessary in the error response. For example:
unauthorized: master key is required
This is providing an outside attacker with more info than necessary.
Feature / Enhancement Description
Especially when it comes to access / permission errors, I suggest making the error messages more ambiguous by generalizing them and removing any specific information. Instead of explaining why a request was unauthorized, the error should be only unauthorized without any further details. The detailed error message should only be logged server side.
The task would be:
identify error messages that should be generalized
ensure a detailed error message is logged server side
This should not be a breaking change, as long as the error code does not change. Changes of error messages are not considered breaking as logic that relies on parsing error messages is considered bad practice anyway.
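The pattern proposed above, as an added example that is not Parse Server's own code: access errors keep their error code (so nothing breaks for clients keyed on codes) but reach the client with only a generic message, while the detailed reason is logged server side. ApiError, the code-to-message map and the express-style handler are constructed for this example; the mapping of code 119 to this message is an assumption, not a statement about where Parse Server raises it.

```javascript
// Constructed stand-in for a Parse-style error: an error code plus a message.
class ApiError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Codes whose messages are generalized before reaching the client.
// Assumption for this example: code 119 (OPERATION_FORBIDDEN in the Parse SDK)
// is the one carrying access / permission detail.
const GENERALIZED_CODES = new Map([[119, 'unauthorized']]);

// Splits an error into what the client may see and what the server logs.
// The client error keeps the original code; the log entry keeps the
// original message plus request context, and never leaves the server.
function sanitizeError(err, requestContext = {}) {
  const generic = GENERALIZED_CODES.get(err.code);
  if (generic === undefined) {
    // Not an access error: pass through unchanged, nothing extra to log.
    return { clientError: err, logEntry: null };
  }
  const clientError = new ApiError(err.code, generic);
  const logEntry = {
    level: 'warn',
    code: err.code,
    detail: err.message, // the specific reason, e.g. "master key is required"
    ...requestContext,   // e.g. method and path of the rejected request
  };
  return { clientError, logEntry };
}

// Express-style error handler (constructed): logs the detail, returns the
// generic body that would be serialized to the client.
function handleError(err, req, logger) {
  const { clientError, logEntry } = sanitizeError(err, { method: req.method, path: req.path });
  if (logEntry) logger.warn(logEntry);
  return { code: clientError.code, error: clientError.message };
}

// Demo with the message from the issue (constructed request and logger).
const demo = handleError(
  new ApiError(119, 'unauthorized: master key is required'),
  { method: 'GET', path: '/parse/config' },
  { warn: entry => console.error(JSON.stringify(entry)) }
);
// demo -> { code: 119, error: 'unauthorized' }
```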
🎉 We are excited about your ideas for improvement!
mtrezza added the type:feature and bounty:$20 labels, and removed the state:breaking label, on Feb 27, 2024.