parse-server 4.10.2 → 5.0.0-alpha.2

package/lib/Security/Check.js

@@ -0,0 +1,118 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = void 0;
+
+var _Utils = _interopRequireDefault(require("../Utils"));
+
+var _lodash = require("lodash");
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+/**
+ * @module SecurityCheck
+ */
+
+/**
+ * A security check.
+ * @class Check
+ */
+class Check {
+  /**
+   * Constructs a new security check.
+   * @param {Object} params The parameters.
+   * @param {String} params.title The title.
+   * @param {String} params.warning The warning message if the check fails.
+   * @param {String} params.solution The solution to fix the check.
+   * @param {Promise} params.check The check as synchronous or asynchronous function.
+   */
+  constructor(params) {
+    this._validateParams(params);
+
+    const {
+      title,
+      warning,
+      solution,
+      check
+    } = params;
+    this.title = title;
+    this.warning = warning;
+    this.solution = solution;
+    this.check = check; // Set default properties
+
+    this._checkState = CheckState.none;
+    this.error;
+  }
+  /**
+   * Returns the current check state.
+   * @return {CheckState} The check state.
+   */
+
+
+  checkState() {
+    return this._checkState;
+  }
+
+  async run() {
+    // Get check as synchronous or asynchronous function
+    const check = this.check instanceof Promise ? await this.check : this.check; // Run check
+
+    try {
+      check();
+      this._checkState = CheckState.success;
+    } catch (e) {
+      this.stateFailError = e;
+      this._checkState = CheckState.fail;
+    }
+  }
+  /**
+   * Validates the constructor parameters.
+   * @param {Object} params The parameters to validate.
+   */
+
+
+  _validateParams(params) {
+    _Utils.default.validateParams(params, {
+      group: {
+        t: 'string',
+        v: _lodash.isString
+      },
+      title: {
+        t: 'string',
+        v: _lodash.isString
+      },
+      warning: {
+        t: 'string',
+        v: _lodash.isString
+      },
+      solution: {
+        t: 'string',
+        v: _lodash.isString
+      },
+      check: {
+        t: 'function',
+        v: _lodash.isFunction
+      }
+    });
+  }
+
+}
+/**
+ * The check state.
+ */
+
+
+const CheckState = Object.freeze({
+  none: 'none',
+  fail: 'fail',
+  success: 'success'
+});
+var _default = Check;
+exports.default = _default;
+module.exports = {
+  Check,
+  CheckState
+};
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9TZWN1cml0eS9DaGVjay5qcyJdLCJuYW1lcyI6WyJDaGVjayIsImNvbnN0cnVjdG9yIiwicGFyYW1zIiwiX3ZhbGlkYXRlUGFyYW1zIiwidGl0bGUiLCJ3YXJuaW5nIiwic29sdXRpb24iLCJjaGVjayIsIl9jaGVja1N0YXRlIiwiQ2hlY2tTdGF0ZSIsIm5vbmUiLCJlcnJvciIsImNoZWNrU3RhdGUiLCJydW4iLCJQcm9taXNlIiwic3VjY2VzcyIsImUiLCJzdGF0ZUZhaWxFcnJvciIsImZhaWwiLCJVdGlscyIsInZhbGlkYXRlUGFyYW1zIiwiZ3JvdXAiLCJ0IiwidiIsImlzU3RyaW5nIiwiaXNGdW5jdGlvbiIsIk9iamVjdCIsImZyZWV6ZSIsIm1vZHVsZSIsImV4cG9ydHMiXSwibWFwcGluZ3MiOiI7Ozs7Ozs7QUFJQTs7QUFDQTs7OztBQUxBO0FBQ0E7QUFDQTs7QUFLQTtBQUNBO0FBQ0E7QUFDQTtBQUNBLE1BQU1BLEtBQU4sQ0FBWTtBQUNWO0FBQ0Y7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDRUMsRUFBQUEsV0FBVyxDQUFDQyxNQUFELEVBQVM7QUFDbEIsU0FBS0MsZUFBTCxDQUFxQkQsTUFBckI7O0FBQ0EsVUFBTTtBQUFFRSxNQUFBQSxLQUFGO0FBQVNDLE1BQUFBLE9BQVQ7QUFBa0JDLE1BQUFBLFFBQWxCO0FBQTRCQyxNQUFBQTtBQUE1QixRQUFzQ0wsTUFBNUM7QUFFQSxTQUFLRSxLQUFMLEdBQWFBLEtBQWI7QUFDQSxTQUFLQyxPQUFMLEdBQWVBLE9BQWY7QUFDQSxTQUFLQyxRQUFMLEdBQWdCQSxRQUFoQjtBQUNBLFNBQUtDLEtBQUwsR0FBYUEsS0FBYixDQVBrQixDQVNsQjs7QUFDQSxTQUFLQyxXQUFMLEdBQW1CQyxVQUFVLENBQUNDLElBQTlCO0FBQ0EsU0FBS0MsS0FBTDtBQUNEO0FBRUQ7QUFDRjtBQUNBO0FBQ0E7OztBQUNFQyxFQUFBQSxVQUFVLEdBQUc7QUFDWCxXQUFPLEtBQUtKLFdBQVo7QUFDRDs7QUFFUSxRQUFISyxHQUFHLEdBQUc7QUFDVjtBQUNBLFVBQU1OLEtBQUssR0FBRyxLQUFLQSxLQUFMLFlBQXNCTyxPQUF0QixHQUFnQyxNQUFNLEtBQUtQLEtBQTNDLEdBQW1ELEtBQUtBLEtBQXRFLENBRlUsQ0FJVjs7QUFDQSxRQUFJO0FBQ0ZBLE1BQUFBLEtBQUs7QUFDTCxXQUFLQyxXQUFMLEdBQW1CQyxVQUFVLENBQUNNLE9BQTlCO0FBQ0QsS0FIRCxDQUdFLE9BQU9DLENBQVAsRUFBVTtBQUNWLFdBQUtDLGNBQUwsR0FBc0JELENBQXRCO0FBQ0EsV0FBS1IsV0FBTCxHQUFtQkMsVUFBVSxDQUFDUyxJQUE5QjtBQUNEO0FBQ0Y7QUFFRDtBQUNGO0FBQ0E7QUFDQTs7O0FBQ0VmLEVBQUFBLGVBQWUsQ0FBQ0QsTUFBRCxFQUFTO0FBQ3RCaUIsbUJBQU1DLGNBQU4sQ0FBcUJsQixNQUFyQixFQUE2QjtBQUMzQm1CLE1BQUFBLEtBQUssRUFBRTtBQUFFQyxRQUFBQSxDQUFDLEVBQUUsUUFBTDtBQUFlQyxRQUFBQSxDQUFDLEVBQUVDO0FBQWxCLE9BRG9CO0FBRTNCcEIsTUFBQUEsS0FBSyxFQUFFO0FBQUVrQixRQUFBQSxDQUFDLEVBQUUsUUFBTDtBQUFlQyxRQUFBQSxDQUFDLEVBQUVDO0FBQWxCLE9BRm9CO0FBRzNCbkIsTUFBQUEsT0FBTyxFQUFFO0FBQUVpQixRQUFBQSxDQUFDLEVBQUUsUUFBTDtBQUFlQyxRQUFBQSxDQUFDLEVBQUVDO0FBQWxCLE9BSGtCO0FBSTNCbEIsTUFBQUEsUUFBUSxFQUFFO0FBQUVnQixRQUFBQSxDQUFDLEVBQUUsUUFBTDtBQUFlQyxRQUFBQSxDQUFDLEVBQUVDO0FBQWxCLE9BSmlCO0FBSzNCakIsTUFBQUEsS0FBSyxFQUFFO0FBQUVlLFFBQUFBLENBQUMsRUFBRSxVQUFMO0FBQWlCQyxRQUFBQSxDQUFDLEVBQUVFO0FBQXBCO0FBTG9CLEtBQTdCO0FBT0Q7O0FBekRTO0FBNERaO0FBQ0E7QUFDQTs7O0FBQ0EsTUFBTWhCLFVBQVUsR0FBR2lCLE1BQU0sQ0FBQ0MsTUFBUCxDQUFjO0FBQy9CakIsRUFBQUEsSUFBSSxFQUFFLE1BRHlCO0FBRS9CUSxFQUFBQSxJQUFJLEVBQUUsTUFGeUI7QUFHL0JILEVBQUFBLE9BQU8sRUFBRTtBQUhzQixDQUFkLENBQW5CO2VBTWVmLEs7O0FBQ2Y0QixNQUFNLENBQUNDLE9BQVAsR0FBaUI7QUFDZjdCLEVBQUFBLEtBRGU7QUFFZlMsRUFBQUE7QUFGZSxDQUFqQiIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQG1vZHVsZSBTZWN1cml0eUNoZWNrXG4gKi9cblxuaW1wb3J0IFV0aWxzIGZyb20gJy4uL1V0aWxzJztcbmltcG9ydCB7IGlzRnVuY3Rpb24sIGlzU3RyaW5nIH0gZnJvbSAnbG9kYXNoJztcblxuLyoqXG4gKiBBIHNlY3VyaXR5IGNoZWNrLlxuICogQGNsYXNzIENoZWNrXG4gKi9cbmNsYXNzIENoZWNrIHtcbiAgLyoqXG4gICAqIENvbnN0cnVjdHMgYSBuZXcgc2VjdXJpdHkgY2hlY2suXG4gICAqIEBwYXJhbSB7T2JqZWN0fSBwYXJhbXMgVGhlIHBhcmFtZXRlcnMuXG4gICAqIEBwYXJhbSB7U3RyaW5nfSBwYXJhbXMudGl0bGUgVGhlIHRpdGxlLlxuICAgKiBAcGFyYW0ge1N0cmluZ30gcGFyYW1zLndhcm5pbmcgVGhlIHdhcm5pbmcgbWVzc2FnZSBpZiB0aGUgY2hlY2sgZmFpbHMuXG4gICAqIEBwYXJhbSB7U3RyaW5nfSBwYXJhbXMuc29sdXRpb24gVGhlIHNvbHV0aW9uIHRvIGZpeCB0aGUgY2hlY2suXG4gICAqIEBwYXJhbSB7UHJvbWlzZX0gcGFyYW1zLmNoZWNrIFRoZSBjaGVjayBhcyBzeW5jaHJvbm91cyBvciBhc3luY2hyb25vdXMgZnVuY3Rpb24uXG4gICAqL1xuICBjb25zdHJ1Y3RvcihwYXJhbXMpIHtcbiAgICB0aGlzLl92YWxpZGF0ZVBhcmFtcyhwYXJhbXMpO1xuICAgIGNvbnN0IHsgdGl0bGUsIHdhcm5pbmcsIHNvbHV0aW9uLCBjaGVjayB9ID0gcGFyYW1zO1xuXG4gICAgdGhpcy50aXRsZSA9IHRpdGxlO1xuICAgIHRoaXMud2FybmluZyA9IHdhcm5pbmc7XG4gICAgdGhpcy5zb2x1dGlvbiA9IHNvbHV0aW9uO1xuICAgIHRoaXMuY2hlY2sgPSBjaGVjaztcblxuICAgIC8vIFNldCBkZWZhdWx0IHByb3BlcnRpZXNcbiAgICB0aGlzLl9jaGVja1N0YXRlID0gQ2hlY2tTdGF0ZS5ub25lO1xuICAgIHRoaXMuZXJyb3I7XG4gIH1cblxuICAvKipcbiAgICogUmV0dXJucyB0aGUgY3VycmVudCBjaGVjayBzdGF0ZS5cbiAgICogQHJldHVybiB7Q2hlY2tTdGF0ZX0gVGhlIGNoZWNrIHN0YXRlLlxuICAgKi9cbiAgY2hlY2tTdGF0ZSgpIHtcbiAgICByZXR1cm4gdGhpcy5fY2hlY2tTdGF0ZTtcbiAgfVxuXG4gIGFzeW5jIHJ1bigpIHtcbiAgICAvLyBHZXQgY2hlY2sgYXMgc3luY2hyb25vdXMgb3IgYXN5bmNocm9ub3VzIGZ1bmN0aW9uXG4gICAgY29uc3QgY2hlY2sgPSB0aGlzLmNoZWNrIGluc3RhbmNlb2YgUHJvbWlzZSA/IGF3YWl0IHRoaXMuY2hlY2sgOiB0aGlzLmNoZWNrO1xuXG4gICAgLy8gUnVuIGNoZWNrXG4gICAgdHJ5IHtcbiAgICAgIGNoZWNrKCk7XG4gICAgICB0aGlzLl9jaGVja1N0YXRlID0gQ2hlY2tTdGF0ZS5zdWNjZXNzO1xuICAgIH0gY2F0Y2ggKGUpIHtcbiAgICAgIHRoaXMuc3RhdGVGYWlsRXJyb3IgPSBlO1xuICAgICAgdGhpcy5fY2hlY2tTdGF0ZSA9IENoZWNrU3RhdGUuZmFpbDtcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogVmFsaWRhdGVzIHRoZSBjb25zdHJ1Y3RvciBwYXJhbWV0ZXJzLlxuICAgKiBAcGFyYW0ge09iamVjdH0gcGFyYW1zIFRoZSBwYXJhbWV0ZXJzIHRvIHZhbGlkYXRlLlxuICAgKi9cbiAgX3ZhbGlkYXRlUGFyYW1zKHBhcmFtcykge1xuICAgIFV0aWxzLnZhbGlkYXRlUGFyYW1zKHBhcmFtcywge1xuICAgICAgZ3JvdXA6IHsgdDogJ3N0cmluZycsIHY6IGlzU3RyaW5nIH0sXG4gICAgICB0aXRsZTogeyB0OiAnc3RyaW5nJywgdjogaXNTdHJpbmcgfSxcbiAgICAgIHdhcm5pbmc6IHsgdDogJ3N0cmluZycsIHY6IGlzU3RyaW5nIH0sXG4gICAgICBzb2x1dGlvbjogeyB0OiAnc3RyaW5nJywgdjogaXNTdHJpbmcgfSxcbiAgICAgIGNoZWNrOiB7IHQ6ICdmdW5jdGlvbicsIHY6IGlzRnVuY3Rpb24gfSxcbiAgICB9KTtcbiAgfVxufVxuXG4vKipcbiAqIFRoZSBjaGVjayBzdGF0ZS5cbiAqL1xuY29uc3QgQ2hlY2tTdGF0ZSA9IE9iamVjdC5mcmVlemUoe1xuICBub25lOiAnbm9uZScsXG4gIGZhaWw6ICdmYWlsJyxcbiAgc3VjY2VzczogJ3N1Y2Nlc3MnLFxufSk7XG5cbmV4cG9ydCBkZWZhdWx0IENoZWNrO1xubW9kdWxlLmV4cG9ydHMgPSB7XG4gIENoZWNrLFxuICBDaGVja1N0YXRlLFxufTtcbiJdfQ==

package/lib/Security/CheckGroup.js

@@ -0,0 +1,54 @@
+"use strict";
+
+/**
+ * @module SecurityCheck
+ */
+
+/**
+ * A group of security checks.
+ * @interface CheckGroup
+ */
+class CheckGroup {
+  constructor() {
+    this._name = this.setName();
+    this._checks = this.setChecks();
+  }
+  /**
+   * The security check group name; to be overridden by child class.
+   */
+
+
+  setName() {
+    throw `Check group has no name.`;
+  }
+
+  name() {
+    return this._name;
+  }
+  /**
+   * The security checks; to be overridden by child class.
+   */
+
+
+  setChecks() {
+    throw `Check group has no checks.`;
+  }
+
+  checks() {
+    return this._checks;
+  }
+  /**
+   * Runs all checks.
+   */
+
+
+  async run() {
+    for (const check of this._checks) {
+      check.run();
+    }
+  }
+
+}
+
+module.exports = CheckGroup;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9TZWN1cml0eS9DaGVja0dyb3VwLmpzIl0sIm5hbWVzIjpbIkNoZWNrR3JvdXAiLCJjb25zdHJ1Y3RvciIsIl9uYW1lIiwic2V0TmFtZSIsIl9jaGVja3MiLCJzZXRDaGVja3MiLCJuYW1lIiwiY2hlY2tzIiwicnVuIiwiY2hlY2siLCJtb2R1bGUiLCJleHBvcnRzIl0sIm1hcHBpbmdzIjoiOztBQUFBO0FBQ0E7QUFDQTs7QUFFQTtBQUNBO0FBQ0E7QUFDQTtBQUNBLE1BQU1BLFVBQU4sQ0FBaUI7QUFDZkMsRUFBQUEsV0FBVyxHQUFHO0FBQ1osU0FBS0MsS0FBTCxHQUFhLEtBQUtDLE9BQUwsRUFBYjtBQUNBLFNBQUtDLE9BQUwsR0FBZSxLQUFLQyxTQUFMLEVBQWY7QUFDRDtBQUVEO0FBQ0Y7QUFDQTs7O0FBQ0VGLEVBQUFBLE9BQU8sR0FBRztBQUNSLFVBQU8sMEJBQVA7QUFDRDs7QUFDREcsRUFBQUEsSUFBSSxHQUFHO0FBQ0wsV0FBTyxLQUFLSixLQUFaO0FBQ0Q7QUFFRDtBQUNGO0FBQ0E7OztBQUNFRyxFQUFBQSxTQUFTLEdBQUc7QUFDVixVQUFPLDRCQUFQO0FBQ0Q7O0FBQ0RFLEVBQUFBLE1BQU0sR0FBRztBQUNQLFdBQU8sS0FBS0gsT0FBWjtBQUNEO0FBRUQ7QUFDRjtBQUNBOzs7QUFDVyxRQUFISSxHQUFHLEdBQUc7QUFDVixTQUFLLE1BQU1DLEtBQVgsSUFBb0IsS0FBS0wsT0FBekIsRUFBa0M7QUFDaENLLE1BQUFBLEtBQUssQ0FBQ0QsR0FBTjtBQUNEO0FBQ0Y7O0FBakNjOztBQW9DakJFLE1BQU0sQ0FBQ0MsT0FBUCxHQUFpQlgsVUFBakIiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIEBtb2R1bGUgU2VjdXJpdHlDaGVja1xuICovXG5cbi8qKlxuICogQSBncm91cCBvZiBzZWN1cml0eSBjaGVja3MuXG4gKiBAaW50ZXJmYWNlIENoZWNrR3JvdXBcbiAqL1xuY2xhc3MgQ2hlY2tHcm91cCB7XG4gIGNvbnN0cnVjdG9yKCkge1xuICAgIHRoaXMuX25hbWUgPSB0aGlzLnNldE5hbWUoKTtcbiAgICB0aGlzLl9jaGVja3MgPSB0aGlzLnNldENoZWNrcygpO1xuICB9XG5cbiAgLyoqXG4gICAqIFRoZSBzZWN1cml0eSBjaGVjayBncm91cCBuYW1lOyB0byBiZSBvdmVycmlkZGVuIGJ5IGNoaWxkIGNsYXNzLlxuICAgKi9cbiAgc2V0TmFtZSgpIHtcbiAgICB0aHJvdyBgQ2hlY2sgZ3JvdXAgaGFzIG5vIG5hbWUuYDtcbiAgfVxuICBuYW1lKCkge1xuICAgIHJldHVybiB0aGlzLl9uYW1lO1xuICB9XG5cbiAgLyoqXG4gICAqIFRoZSBzZWN1cml0eSBjaGVja3M7IHRvIGJlIG92ZXJyaWRkZW4gYnkgY2hpbGQgY2xhc3MuXG4gICAqL1xuICBzZXRDaGVja3MoKSB7XG4gICAgdGhyb3cgYENoZWNrIGdyb3VwIGhhcyBubyBjaGVja3MuYDtcbiAgfVxuICBjaGVja3MoKSB7XG4gICAgcmV0dXJuIHRoaXMuX2NoZWNrcztcbiAgfVxuXG4gIC8qKlxuICAgKiBSdW5zIGFsbCBjaGVja3MuXG4gICAqL1xuICBhc3luYyBydW4oKSB7XG4gICAgZm9yIChjb25zdCBjaGVjayBvZiB0aGlzLl9jaGVja3MpIHtcbiAgICAgIGNoZWNrLnJ1bigpO1xuICAgIH1cbiAgfVxufVxuXG5tb2R1bGUuZXhwb3J0cyA9IENoZWNrR3JvdXA7XG4iXX0=

package/lib/Security/CheckGroups/CheckGroupDatabase.js

@@ -0,0 +1,57 @@
+"use strict";
+
+var _Check = require("../Check");
+
+var _CheckGroup = _interopRequireDefault(require("../CheckGroup"));
+
+var _Config = _interopRequireDefault(require("../../Config"));
+
+var _node = _interopRequireDefault(require("parse/node"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+/**
+ * @module SecurityCheck
+ */
+
+/**
+* The security checks group for Parse Server configuration.
+* Checks common Parse Server parameters such as access keys.
+*/
+class CheckGroupDatabase extends _CheckGroup.default {
+  setName() {
+    return 'Database';
+  }
+
+  setChecks() {
+    const config = _Config.default.get(_node.default.applicationId);
+
+    const databaseAdapter = config.database.adapter;
+    const databaseUrl = databaseAdapter._uri;
+    return [new _Check.Check({
+      title: 'Secure database password',
+      warning: 'The database password is insecure and vulnerable to brute force attacks.',
+      solution: 'Choose a longer and/or more complex password with a combination of upper- and lowercase characters, numbers and special characters.',
+      check: () => {
+        const password = databaseUrl.match(/\/\/\S+:(\S+)@/)[1];
+        const hasUpperCase = /[A-Z]/.test(password);
+        const hasLowerCase = /[a-z]/.test(password);
+        const hasNumbers = /\d/.test(password);
+        const hasNonAlphasNumerics = /\W/.test(password); // Ensure length
+
+        if (password.length < 14) {
+          throw 1;
+        } // Ensure at least 3 out of 4 requirements passed
+
+
+        if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
+          throw 1;
+        }
+      }
+    })];
+  }
+
+}
+
+module.exports = CheckGroupDatabase;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9TZWN1cml0eS9DaGVja0dyb3Vwcy9DaGVja0dyb3VwRGF0YWJhc2UuanMiXSwibmFtZXMiOlsiQ2hlY2tHcm91cERhdGFiYXNlIiwiQ2hlY2tHcm91cCIsInNldE5hbWUiLCJzZXRDaGVja3MiLCJjb25maWciLCJDb25maWciLCJnZXQiLCJQYXJzZSIsImFwcGxpY2F0aW9uSWQiLCJkYXRhYmFzZUFkYXB0ZXIiLCJkYXRhYmFzZSIsImFkYXB0ZXIiLCJkYXRhYmFzZVVybCIsIl91cmkiLCJDaGVjayIsInRpdGxlIiwid2FybmluZyIsInNvbHV0aW9uIiwiY2hlY2siLCJwYXNzd29yZCIsIm1hdGNoIiwiaGFzVXBwZXJDYXNlIiwidGVzdCIsImhhc0xvd2VyQ2FzZSIsImhhc051bWJlcnMiLCJoYXNOb25BbHBoYXNOdW1lcmljcyIsImxlbmd0aCIsIm1vZHVsZSIsImV4cG9ydHMiXSwibWFwcGluZ3MiOiI7O0FBSUE7O0FBQ0E7O0FBQ0E7O0FBQ0E7Ozs7QUFQQTtBQUNBO0FBQ0E7O0FBT0E7QUFDQTtBQUNBO0FBQ0E7QUFDQSxNQUFNQSxrQkFBTixTQUFpQ0MsbUJBQWpDLENBQTRDO0FBQzFDQyxFQUFBQSxPQUFPLEdBQUc7QUFDUixXQUFPLFVBQVA7QUFDRDs7QUFDREMsRUFBQUEsU0FBUyxHQUFHO0FBQ1YsVUFBTUMsTUFBTSxHQUFHQyxnQkFBT0MsR0FBUCxDQUFXQyxjQUFNQyxhQUFqQixDQUFmOztBQUNBLFVBQU1DLGVBQWUsR0FBR0wsTUFBTSxDQUFDTSxRQUFQLENBQWdCQyxPQUF4QztBQUNBLFVBQU1DLFdBQVcsR0FBR0gsZUFBZSxDQUFDSSxJQUFwQztBQUNBLFdBQU8sQ0FDTCxJQUFJQyxZQUFKLENBQVU7QUFDUkMsTUFBQUEsS0FBSyxFQUFFLDBCQURDO0FBRVJDLE1BQUFBLE9BQU8sRUFBRSwwRUFGRDtBQUdSQyxNQUFBQSxRQUFRLEVBQUUscUlBSEY7QUFJUkMsTUFBQUEsS0FBSyxFQUFFLE1BQU07QUFDWCxjQUFNQyxRQUFRLEdBQUdQLFdBQVcsQ0FBQ1EsS0FBWixDQUFrQixnQkFBbEIsRUFBb0MsQ0FBcEMsQ0FBakI7QUFDQSxjQUFNQyxZQUFZLEdBQUcsUUFBUUMsSUFBUixDQUFhSCxRQUFiLENBQXJCO0FBQ0EsY0FBTUksWUFBWSxHQUFHLFFBQVFELElBQVIsQ0FBYUgsUUFBYixDQUFyQjtBQUNBLGNBQU1LLFVBQVUsR0FBRyxLQUFLRixJQUFMLENBQVVILFFBQVYsQ0FBbkI7QUFDQSxjQUFNTSxvQkFBb0IsR0FBRyxLQUFLSCxJQUFMLENBQVVILFFBQVYsQ0FBN0IsQ0FMVyxDQU1YOztBQUNBLFlBQUlBLFFBQVEsQ0FBQ08sTUFBVCxHQUFrQixFQUF0QixFQUEwQjtBQUN4QixnQkFBTSxDQUFOO0FBQ0QsU0FUVSxDQVVYOzs7QUFDQSxZQUFJTCxZQUFZLEdBQUdFLFlBQWYsR0FBOEJDLFVBQTlCLEdBQTJDQyxvQkFBM0MsR0FBa0UsQ0FBdEUsRUFBeUU7QUFDdkUsZ0JBQU0sQ0FBTjtBQUNEO0FBQ0Y7QUFsQk8sS0FBVixDQURLLENBQVA7QUFzQkQ7O0FBOUJ5Qzs7QUFpQzVDRSxNQUFNLENBQUNDLE9BQVAsR0FBaUI1QixrQkFBakIiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIEBtb2R1bGUgU2VjdXJpdHlDaGVja1xuICovXG5cbmltcG9ydCB7IENoZWNrIH0gZnJvbSAnLi4vQ2hlY2snO1xuaW1wb3J0IENoZWNrR3JvdXAgZnJvbSAnLi4vQ2hlY2tHcm91cCc7XG5pbXBvcnQgQ29uZmlnIGZyb20gJy4uLy4uL0NvbmZpZyc7XG5pbXBvcnQgUGFyc2UgZnJvbSAncGFyc2Uvbm9kZSc7XG5cbi8qKlxuKiBUaGUgc2VjdXJpdHkgY2hlY2tzIGdyb3VwIGZvciBQYXJzZSBTZXJ2ZXIgY29uZmlndXJhdGlvbi5cbiogQ2hlY2tzIGNvbW1vbiBQYXJzZSBTZXJ2ZXIgcGFyYW1ldGVycyBzdWNoIGFzIGFjY2VzcyBrZXlzLlxuKi9cbmNsYXNzIENoZWNrR3JvdXBEYXRhYmFzZSBleHRlbmRzIENoZWNrR3JvdXAge1xuICBzZXROYW1lKCkge1xuICAgIHJldHVybiAnRGF0YWJhc2UnO1xuICB9XG4gIHNldENoZWNrcygpIHtcbiAgICBjb25zdCBjb25maWcgPSBDb25maWcuZ2V0KFBhcnNlLmFwcGxpY2F0aW9uSWQpO1xuICAgIGNvbnN0IGRhdGFiYXNlQWRhcHRlciA9IGNvbmZpZy5kYXRhYmFzZS5hZGFwdGVyO1xuICAgIGNvbnN0IGRhdGFiYXNlVXJsID0gZGF0YWJhc2VBZGFwdGVyLl91cmk7XG4gICAgcmV0dXJuIFtcbiAgICAgIG5ldyBDaGVjayh7XG4gICAgICAgIHRpdGxlOiAnU2VjdXJlIGRhdGFiYXNlIHBhc3N3b3JkJyxcbiAgICAgICAgd2FybmluZzogJ1RoZSBkYXRhYmFzZSBwYXNzd29yZCBpcyBpbnNlY3VyZSBhbmQgdnVsbmVyYWJsZSB0byBicnV0ZSBmb3JjZSBhdHRhY2tzLicsXG4gICAgICAgIHNvbHV0aW9uOiAnQ2hvb3NlIGEgbG9uZ2VyIGFuZC9vciBtb3JlIGNvbXBsZXggcGFzc3dvcmQgd2l0aCBhIGNvbWJpbmF0aW9uIG9mIHVwcGVyLSBhbmQgbG93ZXJjYXNlIGNoYXJhY3RlcnMsIG51bWJlcnMgYW5kIHNwZWNpYWwgY2hhcmFjdGVycy4nLFxuICAgICAgICBjaGVjazogKCkgPT4ge1xuICAgICAgICAgIGNvbnN0IHBhc3N3b3JkID0gZGF0YWJhc2VVcmwubWF0Y2goL1xcL1xcL1xcUys6KFxcUyspQC8pWzFdO1xuICAgICAgICAgIGNvbnN0IGhhc1VwcGVyQ2FzZSA9IC9bQS1aXS8udGVzdChwYXNzd29yZCk7XG4gICAgICAgICAgY29uc3QgaGFzTG93ZXJDYXNlID0gL1thLXpdLy50ZXN0KHBhc3N3b3JkKTtcbiAgICAgICAgICBjb25zdCBoYXNOdW1iZXJzID0gL1xcZC8udGVzdChwYXNzd29yZCk7XG4gICAgICAgICAgY29uc3QgaGFzTm9uQWxwaGFzTnVtZXJpY3MgPSAvXFxXLy50ZXN0KHBhc3N3b3JkKTtcbiAgICAgICAgICAvLyBFbnN1cmUgbGVuZ3RoXG4gICAgICAgICAgaWYgKHBhc3N3b3JkLmxlbmd0aCA8IDE0KSB7XG4gICAgICAgICAgICB0aHJvdyAxO1xuICAgICAgICAgIH1cbiAgICAgICAgICAvLyBFbnN1cmUgYXQgbGVhc3QgMyBvdXQgb2YgNCByZXF1aXJlbWVudHMgcGFzc2VkXG4gICAgICAgICAgaWYgKGhhc1VwcGVyQ2FzZSArIGhhc0xvd2VyQ2FzZSArIGhhc051bWJlcnMgKyBoYXNOb25BbHBoYXNOdW1lcmljcyA8IDMpIHtcbiAgICAgICAgICAgIHRocm93IDE7XG4gICAgICAgICAgfVxuICAgICAgICB9LFxuICAgICAgfSksXG4gICAgXTtcbiAgfVxufVxuXG5tb2R1bGUuZXhwb3J0cyA9IENoZWNrR3JvdXBEYXRhYmFzZTtcbiJdfQ==

package/lib/Security/CheckGroups/CheckGroupServerConfig.js

@@ -0,0 +1,82 @@
+"use strict";
+
+var _Check = require("../Check");
+
+var _CheckGroup = _interopRequireDefault(require("../CheckGroup"));
+
+var _Config = _interopRequireDefault(require("../../Config"));
+
+var _node = _interopRequireDefault(require("parse/node"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+/**
+ * @module SecurityCheck
+ */
+
+/**
+ * The security checks group for Parse Server configuration.
+ * Checks common Parse Server parameters such as access keys.
+ */
+class CheckGroupServerConfig extends _CheckGroup.default {
+  setName() {
+    return 'Parse Server Configuration';
+  }
+
+  setChecks() {
+    const config = _Config.default.get(_node.default.applicationId);
+
+    return [new _Check.Check({
+      title: 'Secure master key',
+      warning: 'The Parse Server master key is insecure and vulnerable to brute force attacks.',
+      solution: 'Choose a longer and/or more complex master key with a combination of upper- and lowercase characters, numbers and special characters.',
+      check: () => {
+        const masterKey = config.masterKey;
+        const hasUpperCase = /[A-Z]/.test(masterKey);
+        const hasLowerCase = /[a-z]/.test(masterKey);
+        const hasNumbers = /\d/.test(masterKey);
+        const hasNonAlphasNumerics = /\W/.test(masterKey); // Ensure length
+
+        if (masterKey.length < 14) {
+          throw 1;
+        } // Ensure at least 3 out of 4 requirements passed
+
+
+        if (hasUpperCase + hasLowerCase + hasNumbers + hasNonAlphasNumerics < 3) {
+          throw 1;
+        }
+      }
+    }), new _Check.Check({
+      title: 'Security log disabled',
+      warning: 'Security checks in logs may expose vulnerabilities to anyone with access to logs.',
+      solution: "Change Parse Server configuration to 'security.enableCheckLog: false'.",
+      check: () => {
+        if (config.security && config.security.enableCheckLog) {
+          throw 1;
+        }
+      }
+    }), new _Check.Check({
+      title: 'Client class creation disabled',
+      warning: 'Attackers are allowed to create new classes without restriction and flood the database.',
+      solution: "Change Parse Server configuration to 'allowClientClassCreation: false'.",
+      check: () => {
+        if (config.allowClientClassCreation || config.allowClientClassCreation == null) {
+          throw 1;
+        }
+      }
+    }), new _Check.Check({
+      title: 'Users are created without public access',
+      warning: 'Users with public read access are exposed to anyone who knows their object IDs, or to anyone who can query the Parse.User class.',
+      solution: "Change Parse Server configuration to 'enforcePrivateUsers: true'.",
+      check: () => {
+        if (!config.enforcePrivateUsers) {
+          throw 1;
+        }
+      }
+    })];
+  }
+
+}
+
+module.exports = CheckGroupServerConfig;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9TZWN1cml0eS9DaGVja0dyb3Vwcy9DaGVja0dyb3VwU2VydmVyQ29uZmlnLmpzIl0sIm5hbWVzIjpbIkNoZWNrR3JvdXBTZXJ2ZXJDb25maWciLCJDaGVja0dyb3VwIiwic2V0TmFtZSIsInNldENoZWNrcyIsImNvbmZpZyIsIkNvbmZpZyIsImdldCIsIlBhcnNlIiwiYXBwbGljYXRpb25JZCIsIkNoZWNrIiwidGl0bGUiLCJ3YXJuaW5nIiwic29sdXRpb24iLCJjaGVjayIsIm1hc3RlcktleSIsImhhc1VwcGVyQ2FzZSIsInRlc3QiLCJoYXNMb3dlckNhc2UiLCJoYXNOdW1iZXJzIiwiaGFzTm9uQWxwaGFzTnVtZXJpY3MiLCJsZW5ndGgiLCJzZWN1cml0eSIsImVuYWJsZUNoZWNrTG9nIiwiYWxsb3dDbGllbnRDbGFzc0NyZWF0aW9uIiwiZW5mb3JjZVByaXZhdGVVc2VycyIsIm1vZHVsZSIsImV4cG9ydHMiXSwibWFwcGluZ3MiOiI7O0FBSUE7O0FBQ0E7O0FBQ0E7O0FBQ0E7Ozs7QUFQQTtBQUNBO0FBQ0E7O0FBT0E7QUFDQTtBQUNBO0FBQ0E7QUFDQSxNQUFNQSxzQkFBTixTQUFxQ0MsbUJBQXJDLENBQWdEO0FBQzlDQyxFQUFBQSxPQUFPLEdBQUc7QUFDUixXQUFPLDRCQUFQO0FBQ0Q7O0FBQ0RDLEVBQUFBLFNBQVMsR0FBRztBQUNWLFVBQU1DLE1BQU0sR0FBR0MsZ0JBQU9DLEdBQVAsQ0FBV0MsY0FBTUMsYUFBakIsQ0FBZjs7QUFDQSxXQUFPLENBQ0wsSUFBSUMsWUFBSixDQUFVO0FBQ1JDLE1BQUFBLEtBQUssRUFBRSxtQkFEQztBQUVSQyxNQUFBQSxPQUFPLEVBQUUsZ0ZBRkQ7QUFHUkMsTUFBQUEsUUFBUSxFQUNOLHVJQUpNO0FBS1JDLE1BQUFBLEtBQUssRUFBRSxNQUFNO0FBQ1gsY0FBTUMsU0FBUyxHQUFHVixNQUFNLENBQUNVLFNBQXpCO0FBQ0EsY0FBTUMsWUFBWSxHQUFHLFFBQVFDLElBQVIsQ0FBYUYsU0FBYixDQUFyQjtBQUNBLGNBQU1HLFlBQVksR0FBRyxRQUFRRCxJQUFSLENBQWFGLFNBQWIsQ0FBckI7QUFDQSxjQUFNSSxVQUFVLEdBQUcsS0FBS0YsSUFBTCxDQUFVRixTQUFWLENBQW5CO0FBQ0EsY0FBTUssb0JBQW9CLEdBQUcsS0FBS0gsSUFBTCxDQUFVRixTQUFWLENBQTdCLENBTFcsQ0FNWDs7QUFDQSxZQUFJQSxTQUFTLENBQUNNLE1BQVYsR0FBbUIsRUFBdkIsRUFBMkI7QUFDekIsZ0JBQU0sQ0FBTjtBQUNELFNBVFUsQ0FVWDs7O0FBQ0EsWUFBSUwsWUFBWSxHQUFHRSxZQUFmLEdBQThCQyxVQUE5QixHQUEyQ0Msb0JBQTNDLEdBQWtFLENBQXRFLEVBQXlFO0FBQ3ZFLGdCQUFNLENBQU47QUFDRDtBQUNGO0FBbkJPLEtBQVYsQ0FESyxFQXNCTCxJQUFJVixZQUFKLENBQVU7QUFDUkMsTUFBQUEsS0FBSyxFQUFFLHVCQURDO0FBRVJDLE1BQUFBLE9BQU8sRUFDTCxtRkFITTtBQUlSQyxNQUFBQSxRQUFRLEVBQUUsd0VBSkY7QUFLUkMsTUFBQUEsS0FBSyxFQUFFLE1BQU07QUFDWCxZQUFJVCxNQUFNLENBQUNpQixRQUFQLElBQW1CakIsTUFBTSxDQUFDaUIsUUFBUCxDQUFnQkMsY0FBdkMsRUFBdUQ7QUFDckQsZ0JBQU0sQ0FBTjtBQUNEO0FBQ0Y7QUFUTyxLQUFWLENBdEJLLEVBaUNMLElBQUliLFlBQUosQ0FBVTtBQUNSQyxNQUFBQSxLQUFLLEVBQUUsZ0NBREM7QUFFUkMsTUFBQUEsT0FBTyxFQUNMLHlGQUhNO0FBSVJDLE1BQUFBLFFBQVEsRUFBRSx5RUFKRjtBQUtSQyxNQUFBQSxLQUFLLEVBQUUsTUFBTTtBQUNYLFlBQUlULE1BQU0sQ0FBQ21CLHdCQUFQLElBQW1DbkIsTUFBTSxDQUFDbUIsd0JBQVAsSUFBbUMsSUFBMUUsRUFBZ0Y7QUFDOUUsZ0JBQU0sQ0FBTjtBQUNEO0FBQ0Y7QUFUTyxLQUFWLENBakNLLEVBNENMLElBQUlkLFlBQUosQ0FBVTtBQUNSQyxNQUFBQSxLQUFLLEVBQUUseUNBREM7QUFFUkMsTUFBQUEsT0FBTyxFQUNMLGtJQUhNO0FBSVJDLE1BQUFBLFFBQVEsRUFBRSxtRUFKRjtBQUtSQyxNQUFBQSxLQUFLLEVBQUUsTUFBTTtBQUNYLFlBQUksQ0FBQ1QsTUFBTSxDQUFDb0IsbUJBQVosRUFBaUM7QUFDL0IsZ0JBQU0sQ0FBTjtBQUNEO0FBQ0Y7QUFUTyxLQUFWLENBNUNLLENBQVA7QUF3REQ7O0FBOUQ2Qzs7QUFpRWhEQyxNQUFNLENBQUNDLE9BQVAsR0FBaUIxQixzQkFBakIiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIEBtb2R1bGUgU2VjdXJpdHlDaGVja1xuICovXG5cbmltcG9ydCB7IENoZWNrIH0gZnJvbSAnLi4vQ2hlY2snO1xuaW1wb3J0IENoZWNrR3JvdXAgZnJvbSAnLi4vQ2hlY2tHcm91cCc7XG5pbXBvcnQgQ29uZmlnIGZyb20gJy4uLy4uL0NvbmZpZyc7XG5pbXBvcnQgUGFyc2UgZnJvbSAncGFyc2Uvbm9kZSc7XG5cbi8qKlxuICogVGhlIHNlY3VyaXR5IGNoZWNrcyBncm91cCBmb3IgUGFyc2UgU2VydmVyIGNvbmZpZ3VyYXRpb24uXG4gKiBDaGVja3MgY29tbW9uIFBhcnNlIFNlcnZlciBwYXJhbWV0ZXJzIHN1Y2ggYXMgYWNjZXNzIGtleXMuXG4gKi9cbmNsYXNzIENoZWNrR3JvdXBTZXJ2ZXJDb25maWcgZXh0ZW5kcyBDaGVja0dyb3VwIHtcbiAgc2V0TmFtZSgpIHtcbiAgICByZXR1cm4gJ1BhcnNlIFNlcnZlciBDb25maWd1cmF0aW9uJztcbiAgfVxuICBzZXRDaGVja3MoKSB7XG4gICAgY29uc3QgY29uZmlnID0gQ29uZmlnLmdldChQYXJzZS5hcHBsaWNhdGlvbklkKTtcbiAgICByZXR1cm4gW1xuICAgICAgbmV3IENoZWNrKHtcbiAgICAgICAgdGl0bGU6ICdTZWN1cmUgbWFzdGVyIGtleScsXG4gICAgICAgIHdhcm5pbmc6ICdUaGUgUGFyc2UgU2VydmVyIG1hc3RlciBrZXkgaXMgaW5zZWN1cmUgYW5kIHZ1bG5lcmFibGUgdG8gYnJ1dGUgZm9yY2UgYXR0YWNrcy4nLFxuICAgICAgICBzb2x1dGlvbjpcbiAgICAgICAgICAnQ2hvb3NlIGEgbG9uZ2VyIGFuZC9vciBtb3JlIGNvbXBsZXggbWFzdGVyIGtleSB3aXRoIGEgY29tYmluYXRpb24gb2YgdXBwZXItIGFuZCBsb3dlcmNhc2UgY2hhcmFjdGVycywgbnVtYmVycyBhbmQgc3BlY2lhbCBjaGFyYWN0ZXJzLicsXG4gICAgICAgIGNoZWNrOiAoKSA9PiB7XG4gICAgICAgICAgY29uc3QgbWFzdGVyS2V5ID0gY29uZmlnLm1hc3RlcktleTtcbiAgICAgICAgICBjb25zdCBoYXNVcHBlckNhc2UgPSAvW0EtWl0vLnRlc3QobWFzdGVyS2V5KTtcbiAgICAgICAgICBjb25zdCBoYXNMb3dlckNhc2UgPSAvW2Etel0vLnRlc3QobWFzdGVyS2V5KTtcbiAgICAgICAgICBjb25zdCBoYXNOdW1iZXJzID0gL1xcZC8udGVzdChtYXN0ZXJLZXkpO1xuICAgICAgICAgIGNvbnN0IGhhc05vbkFscGhhc051bWVyaWNzID0gL1xcVy8udGVzdChtYXN0ZXJLZXkpO1xuICAgICAgICAgIC8vIEVuc3VyZSBsZW5ndGhcbiAgICAgICAgICBpZiAobWFzdGVyS2V5Lmxlbmd0aCA8IDE0KSB7XG4gICAgICAgICAgICB0aHJvdyAxO1xuICAgICAgICAgIH1cbiAgICAgICAgICAvLyBFbnN1cmUgYXQgbGVhc3QgMyBvdXQgb2YgNCByZXF1aXJlbWVudHMgcGFzc2VkXG4gICAgICAgICAgaWYgKGhhc1VwcGVyQ2FzZSArIGhhc0xvd2VyQ2FzZSArIGhhc051bWJlcnMgKyBoYXNOb25BbHBoYXNOdW1lcmljcyA8IDMpIHtcbiAgICAgICAgICAgIHRocm93IDE7XG4gICAgICAgICAgfVxuICAgICAgICB9LFxuICAgICAgfSksXG4gICAgICBuZXcgQ2hlY2soe1xuICAgICAgICB0aXRsZTogJ1NlY3VyaXR5IGxvZyBkaXNhYmxlZCcsXG4gICAgICAgIHdhcm5pbmc6XG4gICAgICAgICAgJ1NlY3VyaXR5IGNoZWNrcyBpbiBsb2dzIG1heSBleHBvc2UgdnVsbmVyYWJpbGl0aWVzIHRvIGFueW9uZSB3aXRoIGFjY2VzcyB0byBsb2dzLicsXG4gICAgICAgIHNvbHV0aW9uOiBcIkNoYW5nZSBQYXJzZSBTZXJ2ZXIgY29uZmlndXJhdGlvbiB0byAnc2VjdXJpdHkuZW5hYmxlQ2hlY2tMb2c6IGZhbHNlJy5cIixcbiAgICAgICAgY2hlY2s6ICgpID0+IHtcbiAgICAgICAgICBpZiAoY29uZmlnLnNlY3VyaXR5ICYmIGNvbmZpZy5zZWN1cml0eS5lbmFibGVDaGVja0xvZykge1xuICAgICAgICAgICAgdGhyb3cgMTtcbiAgICAgICAgICB9XG4gICAgICAgIH0sXG4gICAgICB9KSxcbiAgICAgIG5ldyBDaGVjayh7XG4gICAgICAgIHRpdGxlOiAnQ2xpZW50IGNsYXNzIGNyZWF0aW9uIGRpc2FibGVkJyxcbiAgICAgICAgd2FybmluZzpcbiAgICAgICAgICAnQXR0YWNrZXJzIGFyZSBhbGxvd2VkIHRvIGNyZWF0ZSBuZXcgY2xhc3NlcyB3aXRob3V0IHJlc3RyaWN0aW9uIGFuZCBmbG9vZCB0aGUgZGF0YWJhc2UuJyxcbiAgICAgICAgc29sdXRpb246IFwiQ2hhbmdlIFBhcnNlIFNlcnZlciBjb25maWd1cmF0aW9uIHRvICdhbGxvd0NsaWVudENsYXNzQ3JlYXRpb246IGZhbHNlJy5cIixcbiAgICAgICAgY2hlY2s6ICgpID0+IHtcbiAgICAgICAgICBpZiAoY29uZmlnLmFsbG93Q2xpZW50Q2xhc3NDcmVhdGlvbiB8fCBjb25maWcuYWxsb3dDbGllbnRDbGFzc0NyZWF0aW9uID09IG51bGwpIHtcbiAgICAgICAgICAgIHRocm93IDE7XG4gICAgICAgICAgfVxuICAgICAgICB9LFxuICAgICAgfSksXG4gICAgICBuZXcgQ2hlY2soe1xuICAgICAgICB0aXRsZTogJ1VzZXJzIGFyZSBjcmVhdGVkIHdpdGhvdXQgcHVibGljIGFjY2VzcycsXG4gICAgICAgIHdhcm5pbmc6XG4gICAgICAgICAgJ1VzZXJzIHdpdGggcHVibGljIHJlYWQgYWNjZXNzIGFyZSBleHBvc2VkIHRvIGFueW9uZSB3aG8ga25vd3MgdGhlaXIgb2JqZWN0IElEcywgb3IgdG8gYW55b25lIHdobyBjYW4gcXVlcnkgdGhlIFBhcnNlLlVzZXIgY2xhc3MuJyxcbiAgICAgICAgc29sdXRpb246IFwiQ2hhbmdlIFBhcnNlIFNlcnZlciBjb25maWd1cmF0aW9uIHRvICdlbmZvcmNlUHJpdmF0ZVVzZXJzOiB0cnVlJy5cIixcbiAgICAgICAgY2hlY2s6ICgpID0+IHtcbiAgICAgICAgICBpZiAoIWNvbmZpZy5lbmZvcmNlUHJpdmF0ZVVzZXJzKSB7XG4gICAgICAgICAgICB0aHJvdyAxO1xuICAgICAgICAgIH1cbiAgICAgICAgfSxcbiAgICAgIH0pLFxuICAgIF07XG4gIH1cbn1cblxubW9kdWxlLmV4cG9ydHMgPSBDaGVja0dyb3VwU2VydmVyQ29uZmlnO1xuIl19

package/lib/Security/CheckGroups/CheckGroups.js

@@ -0,0 +1,24 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+Object.defineProperty(exports, "CheckGroupDatabase", {
+  enumerable: true,
+  get: function () {
+    return _CheckGroupDatabase.default;
+  }
+});
+Object.defineProperty(exports, "CheckGroupServerConfig", {
+  enumerable: true,
+  get: function () {
+    return _CheckGroupServerConfig.default;
+  }
+});
+
+var _CheckGroupDatabase = _interopRequireDefault(require("./CheckGroupDatabase"));
+
+var _CheckGroupServerConfig = _interopRequireDefault(require("./CheckGroupServerConfig"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9TZWN1cml0eS9DaGVja0dyb3Vwcy9DaGVja0dyb3Vwcy5qcyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFPQTs7QUFDQSIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQG1vZHVsZSBTZWN1cml0eUNoZWNrXG4gKi9cblxuLyoqXG4gKiBUaGUgbGlzdCBvZiBzZWN1cml0eSBjaGVjayBncm91cHMuXG4gKi9cbmV4cG9ydCB7IGRlZmF1bHQgYXMgQ2hlY2tHcm91cERhdGFiYXNlIH0gZnJvbSAnLi9DaGVja0dyb3VwRGF0YWJhc2UnO1xuZXhwb3J0IHsgZGVmYXVsdCBhcyBDaGVja0dyb3VwU2VydmVyQ29uZmlnIH0gZnJvbSAnLi9DaGVja0dyb3VwU2VydmVyQ29uZmlnJztcbiJdfQ==

package/lib/Security/CheckRunner.js

@@ -0,0 +1,236 @@
+"use strict";
+
+var _Utils = _interopRequireDefault(require("../Utils"));
+
+var _Check = require("./Check");
+
+var CheckGroups = _interopRequireWildcard(require("./CheckGroups/CheckGroups"));
+
+var _logger = _interopRequireDefault(require("../logger"));
+
+var _lodash = require("lodash");
+
+function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+/**
+ * @module SecurityCheck
+ */
+
+/**
+ * The security check runner.
+ */
+class CheckRunner {
+  /**
+   * The security check runner.
+   * @param {Object} [config] The configuration options.
+   * @param {Boolean} [config.enableCheck=false] Is true if Parse Server should report weak security settings.
+   * @param {Boolean} [config.enableCheckLog=false] Is true if the security check report should be written to logs.
+   * @param {Object} [config.checkGroups] The check groups to run. Default are the groups defined in `./CheckGroups/CheckGroups.js`.
+   */
+  constructor(config = {}) {
+    this._validateParams(config);
+
+    const {
+      enableCheck = false,
+      enableCheckLog = false,
+      checkGroups = CheckGroups
+    } = config;
+    this.enableCheck = enableCheck;
+    this.enableCheckLog = enableCheckLog;
+    this.checkGroups = checkGroups;
+  }
+  /**
+   * Runs all security checks and returns the results.
+   * @params
+   * @returns {Object} The security check report.
+   */
+
+
+  async run({
+    version = '1.0.0'
+  } = {}) {
+    // Instantiate check groups
+    const groups = Object.values(this.checkGroups).filter(c => typeof c === 'function').map(CheckGroup => new CheckGroup()); // Run checks
+
+    groups.forEach(group => group.run()); // Generate JSON report
+
+    const report = this._generateReport({
+      groups,
+      version
+    }); // If report should be written to logs
+
+
+    if (this.enableCheckLog) {
+      this._logReport(report);
+    }
+
+    return report;
+  }
+  /**
+   * Generates a security check report in JSON format with schema:
+   * ```
+   * {
+   *    report: {
+   *      version: "1.0.0", // The report version, defines the schema
+   *      state: "fail"     // The disjunctive indicator of failed checks in all groups.
+   *      groups: [         // The check groups
+   *        {
+   *          name: "House",            // The group name
+   *          state: "fail"             // The disjunctive indicator of failed checks in this group.
+   *          checks: [                 // The checks
+   *            title: "Door locked",   // The check title
+   *            state: "fail"           // The check state
+   *            warning: "Anyone can enter your house."   // The warning.
+   *            solution: "Lock your door."               // The solution.
+   *          ]
+   *        },
+   *        ...
+   *      ]
+   *    }
+   * }
+   * ```
+   * @param {Object} params The parameters.
+   * @param {Array<CheckGroup>} params.groups The check groups.
+   * @param {String} params.version: The report schema version.
+   * @returns {Object} The report.
+   */
+
+
+  _generateReport({
+    groups,
+    version
+  }) {
+    // Create report template
+    const report = {
+      report: {
+        version,
+        state: _Check.CheckState.success,
+        groups: []
+      }
+    }; // Identify report version
+
+    switch (version) {
+      case '1.0.0':
+      default:
+        // For each check group
+        for (const group of groups) {
+          // Create group report
+          const groupReport = {
+            name: group.name(),
+            state: _Check.CheckState.success,
+            checks: []
+          }; // Create check reports
+
+          groupReport.checks = group.checks().map(check => {
+            const checkReport = {
+              title: check.title,
+              state: check.checkState()
+            };
+
+            if (check.checkState() == _Check.CheckState.fail) {
+              checkReport.warning = check.warning;
+              checkReport.solution = check.solution;
+              report.report.state = _Check.CheckState.fail;
+              groupReport.state = _Check.CheckState.fail;
+            }
+
+            return checkReport;
+          });
+          report.report.groups.push(groupReport);
+        }
+
+    }
+
+    return report;
+  }
+  /**
+   * Logs the security check report.
+   * @param {Object} report The report to log.
+   */
+
+
+  _logReport(report) {
+    // Determine log level depending on whether any check failed
+    const log = report.report.state == _Check.CheckState.success ? s => _logger.default.info(s) : s => _logger.default.warn(s); // Declare output
+
+    const indent = '   ';
+    let output = '';
+    let checksCount = 0;
+    let failedChecksCount = 0;
+    let skippedCheckCount = 0; // Traverse all groups and checks for compose output
+
+    for (const group of report.report.groups) {
+      output += `\n- ${group.name}`;
+
+      for (const check of group.checks) {
+        checksCount++;
+        output += `\n${indent}${this._getLogIconForState(check.state)} ${check.title}`;
+
+        if (check.state == _Check.CheckState.fail) {
+          failedChecksCount++;
+          output += `\n${indent}${indent}Warning: ${check.warning}`;
+          output += ` ${check.solution}`;
+        } else if (check.state == _Check.CheckState.none) {
+          skippedCheckCount++;
+          output += `\n${indent}${indent}Test did not execute, this is likely an internal server issue, please report.`;
+        }
+      }
+    }
+
+    output = `\n###################################` + `\n#                                 #` + `\n#   Parse Server Security Check   #` + `\n#                                 #` + `\n###################################` + `\n` + `\n${failedChecksCount > 0 ? 'Warning: ' : ''}${failedChecksCount} weak security setting(s) found${failedChecksCount > 0 ? '!' : ''}` + `\n${checksCount} check(s) executed` + `\n${skippedCheckCount} check(s) skipped` + `\n` + `${output}`; // Write log
+
+    log(output);
+  }
+  /**
+   * Returns an icon for use in the report log output.
+   * @param {CheckState} state The check state.
+   * @returns {String} The icon.
+   */
+
+
+  _getLogIconForState(state) {
+    switch (state) {
+      case _Check.CheckState.success:
+        return '✅';
+
+      case _Check.CheckState.fail:
+        return '❌';
+
+      default:
+        return 'ℹ️';
+    }
+  }
+  /**
+   * Validates the constructor parameters.
+   * @param {Object} params The parameters to validate.
+   */
+
+
+  _validateParams(params) {
+    _Utils.default.validateParams(params, {
+      enableCheck: {
+        t: 'boolean',
+        v: _lodash.isBoolean,
+        o: true
+      },
+      enableCheckLog: {
+        t: 'boolean',
+        v: _lodash.isBoolean,
+        o: true
+      },
+      checkGroups: {
+        t: 'array',
+        v: _lodash.isArray,
+        o: true
+      }
+    });
+  }
+
+}
+
+module.exports = CheckRunner;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9TZWN1cml0eS9DaGVja1J1bm5lci5qcyJdLCJuYW1lcyI6WyJDaGVja1J1bm5lciIsImNvbnN0cnVjdG9yIiwiY29uZmlnIiwiX3ZhbGlkYXRlUGFyYW1zIiwiZW5hYmxlQ2hlY2siLCJlbmFibGVDaGVja0xvZyIsImNoZWNrR3JvdXBzIiwiQ2hlY2tHcm91cHMiLCJydW4iLCJ2ZXJzaW9uIiwiZ3JvdXBzIiwiT2JqZWN0IiwidmFsdWVzIiwiZmlsdGVyIiwiYyIsIm1hcCIsIkNoZWNrR3JvdXAiLCJmb3JFYWNoIiwiZ3JvdXAiLCJyZXBvcnQiLCJfZ2VuZXJhdGVSZXBvcnQiLCJfbG9nUmVwb3J0Iiwic3RhdGUiLCJDaGVja1N0YXRlIiwic3VjY2VzcyIsImdyb3VwUmVwb3J0IiwibmFtZSIsImNoZWNrcyIsImNoZWNrIiwiY2hlY2tSZXBvcnQiLCJ0aXRsZSIsImNoZWNrU3RhdGUiLCJmYWlsIiwid2FybmluZyIsInNvbHV0aW9uIiwicHVzaCIsImxvZyIsInMiLCJsb2dnZXIiLCJpbmZvIiwid2FybiIsImluZGVudCIsIm91dHB1dCIsImNoZWNrc0NvdW50IiwiZmFpbGVkQ2hlY2tzQ291bnQiLCJza2lwcGVkQ2hlY2tDb3VudCIsIl9nZXRMb2dJY29uRm9yU3RhdGUiLCJub25lIiwicGFyYW1zIiwiVXRpbHMiLCJ2YWxpZGF0ZVBhcmFtcyIsInQiLCJ2IiwiaXNCb29sZWFuIiwibyIsImlzQXJyYXkiLCJtb2R1bGUiLCJleHBvcnRzIl0sIm1hcHBpbmdzIjoiOztBQUlBOztBQUNBOztBQUNBOztBQUNBOztBQUNBOzs7Ozs7OztBQVJBO0FBQ0E7QUFDQTs7QUFRQTtBQUNBO0FBQ0E7QUFDQSxNQUFNQSxXQUFOLENBQWtCO0FBQ2hCO0FBQ0Y7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0VDLEVBQUFBLFdBQVcsQ0FBQ0MsTUFBTSxHQUFHLEVBQVYsRUFBYztBQUN2QixTQUFLQyxlQUFMLENBQXFCRCxNQUFyQjs7QUFDQSxVQUFNO0FBQUVFLE1BQUFBLFdBQVcsR0FBRyxLQUFoQjtBQUF1QkMsTUFBQUEsY0FBYyxHQUFHLEtBQXhDO0FBQStDQyxNQUFBQSxXQUFXLEdBQUdDO0FBQTdELFFBQTZFTCxNQUFuRjtBQUNBLFNBQUtFLFdBQUwsR0FBbUJBLFdBQW5CO0FBQ0EsU0FBS0MsY0FBTCxHQUFzQkEsY0FBdEI7QUFDQSxTQUFLQyxXQUFMLEdBQW1CQSxXQUFuQjtBQUNEO0FBRUQ7QUFDRjtBQUNBO0FBQ0E7QUFDQTs7O0FBQ1csUUFBSEUsR0FBRyxDQUFDO0FBQUVDLElBQUFBLE9BQU8sR0FBRztBQUFaLE1BQXdCLEVBQXpCLEVBQTZCO0FBQ3BDO0FBQ0EsVUFBTUMsTUFBTSxHQUFHQyxNQUFNLENBQUNDLE1BQVAsQ0FBYyxLQUFLTixXQUFuQixFQUNaTyxNQURZLENBQ0xDLENBQUMsSUFBSSxPQUFPQSxDQUFQLEtBQWEsVUFEYixFQUVaQyxHQUZZLENBRVJDLFVBQVUsSUFBSSxJQUFJQSxVQUFKLEVBRk4sQ0FBZixDQUZvQyxDQU1wQzs7QUFDQU4sSUFBQUEsTUFBTSxDQUFDTyxPQUFQLENBQWVDLEtBQUssSUFBSUEsS0FBSyxDQUFDVixHQUFOLEVBQXhCLEVBUG9DLENBU3BDOztBQUNBLFVBQU1XLE1BQU0sR0FBRyxLQUFLQyxlQUFMLENBQXFCO0FBQUVWLE1BQUFBLE1BQUY7QUFBVUQsTUFBQUE7QUFBVixLQUFyQixDQUFmLENBVm9DLENBWXBDOzs7QUFDQSxRQUFJLEtBQUtKLGNBQVQsRUFBeUI7QUFDdkIsV0FBS2dCLFVBQUwsQ0FBZ0JGLE1BQWhCO0FBQ0Q7O0FBQ0QsV0FBT0EsTUFBUDtBQUNEO0FBRUQ7QUFDRjtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7QUFDQTtBQUNBO0FBQ0E7OztBQUNFQyxFQUFBQSxlQUFlLENBQUM7QUFBRVYsSUFBQUEsTUFBRjtBQUFVRCxJQUFBQTtBQUFWLEdBQUQsRUFBc0I7QUFDbkM7QUFDQSxVQUFNVSxNQUFNLEdBQUc7QUFDYkEsTUFBQUEsTUFBTSxFQUFFO0FBQ05WLFFBQUFBLE9BRE07QUFFTmEsUUFBQUEsS0FBSyxFQUFFQyxrQkFBV0MsT0FGWjtBQUdOZCxRQUFBQSxNQUFNLEVBQUU7QUFIRjtBQURLLEtBQWYsQ0FGbUMsQ0FVbkM7O0FBQ0EsWUFBUUQsT0FBUjtBQUNFLFdBQUssT0FBTDtBQUNBO0FBQ0U7QUFDQSxhQUFLLE1BQU1TLEtBQVgsSUFBb0JSLE1BQXBCLEVBQTRCO0FBQzFCO0FBQ0EsZ0JBQU1lLFdBQVcsR0FBRztBQUNsQkMsWUFBQUEsSUFBSSxFQUFFUixLQUFLLENBQUNRLElBQU4sRUFEWTtBQUVsQkosWUFBQUEsS0FBSyxFQUFFQyxrQkFBV0MsT0FGQTtBQUdsQkcsWUFBQUEsTUFBTSxFQUFFO0FBSFUsV0FBcEIsQ0FGMEIsQ0FRMUI7O0FBQ0FGLFVBQUFBLFdBQVcsQ0FBQ0UsTUFBWixHQUFxQlQsS0FBSyxDQUFDUyxNQUFOLEdBQWVaLEdBQWYsQ0FBbUJhLEtBQUssSUFBSTtBQUMvQyxrQkFBTUMsV0FBVyxHQUFHO0FBQ2xCQyxjQUFBQSxLQUFLLEVBQUVGLEtBQUssQ0FBQ0UsS0FESztBQUVsQlIsY0FBQUEsS0FBSyxFQUFFTSxLQUFLLENBQUNHLFVBQU47QUFGVyxhQUFwQjs7QUFJQSxnQkFBSUgsS0FBSyxDQUFDRyxVQUFOLE1BQXNCUixrQkFBV1MsSUFBckMsRUFBMkM7QUFDekNILGNBQUFBLFdBQVcsQ0FBQ0ksT0FBWixHQUFzQkwsS0FBSyxDQUFDSyxPQUE1QjtBQUNBSixjQUFBQSxXQUFXLENBQUNLLFFBQVosR0FBdUJOLEtBQUssQ0FBQ00sUUFBN0I7QUFDQWYsY0FBQUEsTUFBTSxDQUFDQSxNQUFQLENBQWNHLEtBQWQsR0FBc0JDLGtCQUFXUyxJQUFqQztBQUNBUCxjQUFBQSxXQUFXLENBQUNILEtBQVosR0FBb0JDLGtCQUFXUyxJQUEvQjtBQUNEOztBQUNELG1CQUFPSCxXQUFQO0FBQ0QsV0Fab0IsQ0FBckI7QUFjQVYsVUFBQUEsTUFBTSxDQUFDQSxNQUFQLENBQWNULE1BQWQsQ0FBcUJ5QixJQUFyQixDQUEwQlYsV0FBMUI7QUFDRDs7QUE1Qkw7O0FBOEJBLFdBQU9OLE1BQVA7QUFDRDtBQUVEO0FBQ0Y7QUFDQTtBQUNBOzs7QUFDRUUsRUFBQUEsVUFBVSxDQUFDRixNQUFELEVBQVM7QUFDakI7QUFDQSxVQUFNaUIsR0FBRyxHQUNQakIsTUFBTSxDQUFDQSxNQUFQLENBQWNHLEtBQWQsSUFBdUJDLGtCQUFXQyxPQUFsQyxHQUE0Q2EsQ0FBQyxJQUFJQyxnQkFBT0MsSUFBUCxDQUFZRixDQUFaLENBQWpELEdBQWtFQSxDQUFDLElBQUlDLGdCQUFPRSxJQUFQLENBQVlILENBQVosQ0FEekUsQ0FGaUIsQ0FLakI7O0FBQ0EsVUFBTUksTUFBTSxHQUFHLEtBQWY7QUFDQSxRQUFJQyxNQUFNLEdBQUcsRUFBYjtBQUNBLFFBQUlDLFdBQVcsR0FBRyxDQUFsQjtBQUNBLFFBQUlDLGlCQUFpQixHQUFHLENBQXhCO0FBQ0EsUUFBSUMsaUJBQWlCLEdBQUcsQ0FBeEIsQ0FWaUIsQ0FZakI7O0FBQ0EsU0FBSyxNQUFNM0IsS0FBWCxJQUFvQkMsTUFBTSxDQUFDQSxNQUFQLENBQWNULE1BQWxDLEVBQTBDO0FBQ3hDZ0MsTUFBQUEsTUFBTSxJQUFLLE9BQU14QixLQUFLLENBQUNRLElBQUssRUFBNUI7O0FBRUEsV0FBSyxNQUFNRSxLQUFYLElBQW9CVixLQUFLLENBQUNTLE1BQTFCLEVBQWtDO0FBQ2hDZ0IsUUFBQUEsV0FBVztBQUNYRCxRQUFBQSxNQUFNLElBQUssS0FBSUQsTUFBTyxHQUFFLEtBQUtLLG1CQUFMLENBQXlCbEIsS0FBSyxDQUFDTixLQUEvQixDQUFzQyxJQUFHTSxLQUFLLENBQUNFLEtBQU0sRUFBN0U7O0FBRUEsWUFBSUYsS0FBSyxDQUFDTixLQUFOLElBQWVDLGtCQUFXUyxJQUE5QixFQUFvQztBQUNsQ1ksVUFBQUEsaUJBQWlCO0FBQ2pCRixVQUFBQSxNQUFNLElBQUssS0FBSUQsTUFBTyxHQUFFQSxNQUFPLFlBQVdiLEtBQUssQ0FBQ0ssT0FBUSxFQUF4RDtBQUNBUyxVQUFBQSxNQUFNLElBQUssSUFBR2QsS0FBSyxDQUFDTSxRQUFTLEVBQTdCO0FBQ0QsU0FKRCxNQUlPLElBQUlOLEtBQUssQ0FBQ04sS0FBTixJQUFlQyxrQkFBV3dCLElBQTlCLEVBQW9DO0FBQ3pDRixVQUFBQSxpQkFBaUI7QUFDakJILFVBQUFBLE1BQU0sSUFBSyxLQUFJRCxNQUFPLEdBQUVBLE1BQU8sK0VBQS9CO0FBQ0Q7QUFDRjtBQUNGOztBQUVEQyxJQUFBQSxNQUFNLEdBQ0gsdUNBQUQsR0FDQyx1Q0FERCxHQUVDLHVDQUZELEdBR0MsdUNBSEQsR0FJQyx1Q0FKRCxHQUtDLElBTEQsR0FNQyxLQUNDRSxpQkFBaUIsR0FBRyxDQUFwQixHQUF3QixXQUF4QixHQUFzQyxFQUN2QyxHQUFFQSxpQkFBa0Isa0NBQWlDQSxpQkFBaUIsR0FBRyxDQUFwQixHQUF3QixHQUF4QixHQUE4QixFQUFHLEVBUnZGLEdBU0MsS0FBSUQsV0FBWSxvQkFUakIsR0FVQyxLQUFJRSxpQkFBa0IsbUJBVnZCLEdBV0MsSUFYRCxHQVlDLEdBQUVILE1BQU8sRUFiWixDQS9CaUIsQ0E4Q2pCOztBQUNBTixJQUFBQSxHQUFHLENBQUNNLE1BQUQsQ0FBSDtBQUNEO0FBRUQ7QUFDRjtBQUNBO0FBQ0E7QUFDQTs7O0FBQ0VJLEVBQUFBLG1CQUFtQixDQUFDeEIsS0FBRCxFQUFRO0FBQ3pCLFlBQVFBLEtBQVI7QUFDRSxXQUFLQyxrQkFBV0MsT0FBaEI7QUFDRSxlQUFPLEdBQVA7O0FBQ0YsV0FBS0Qsa0JBQVdTLElBQWhCO0FBQ0UsZUFBTyxHQUFQOztBQUNGO0FBQ0UsZUFBTyxJQUFQO0FBTko7QUFRRDtBQUVEO0FBQ0Y7QUFDQTtBQUNBOzs7QUFDRTdCLEVBQUFBLGVBQWUsQ0FBQzZDLE1BQUQsRUFBUztBQUN0QkMsbUJBQU1DLGNBQU4sQ0FBcUJGLE1BQXJCLEVBQTZCO0FBQzNCNUMsTUFBQUEsV0FBVyxFQUFFO0FBQUUrQyxRQUFBQSxDQUFDLEVBQUUsU0FBTDtBQUFnQkMsUUFBQUEsQ0FBQyxFQUFFQyxpQkFBbkI7QUFBOEJDLFFBQUFBLENBQUMsRUFBRTtBQUFqQyxPQURjO0FBRTNCakQsTUFBQUEsY0FBYyxFQUFFO0FBQUU4QyxRQUFBQSxDQUFDLEVBQUUsU0FBTDtBQUFnQkMsUUFBQUEsQ0FBQyxFQUFFQyxpQkFBbkI7QUFBOEJDLFFBQUFBLENBQUMsRUFBRTtBQUFqQyxPQUZXO0FBRzNCaEQsTUFBQUEsV0FBVyxFQUFFO0FBQUU2QyxRQUFBQSxDQUFDLEVBQUUsT0FBTDtBQUFjQyxRQUFBQSxDQUFDLEVBQUVHLGVBQWpCO0FBQTBCRCxRQUFBQSxDQUFDLEVBQUU7QUFBN0I7QUFIYyxLQUE3QjtBQUtEOztBQWhNZTs7QUFtTWxCRSxNQUFNLENBQUNDLE9BQVAsR0FBaUJ6RCxXQUFqQiIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQG1vZHVsZSBTZWN1cml0eUNoZWNrXG4gKi9cblxuaW1wb3J0IFV0aWxzIGZyb20gJy4uL1V0aWxzJztcbmltcG9ydCB7IENoZWNrU3RhdGUgfSBmcm9tICcuL0NoZWNrJztcbmltcG9ydCAqIGFzIENoZWNrR3JvdXBzIGZyb20gJy4vQ2hlY2tHcm91cHMvQ2hlY2tHcm91cHMnO1xuaW1wb3J0IGxvZ2dlciBmcm9tICcuLi9sb2dnZXInO1xuaW1wb3J0IHsgaXNBcnJheSwgaXNCb29sZWFuIH0gZnJvbSAnbG9kYXNoJztcblxuLyoqXG4gKiBUaGUgc2VjdXJpdHkgY2hlY2sgcnVubmVyLlxuICovXG5jbGFzcyBDaGVja1J1bm5lciB7XG4gIC8qKlxuICAgKiBUaGUgc2VjdXJpdHkgY2hlY2sgcnVubmVyLlxuICAgKiBAcGFyYW0ge09iamVjdH0gW2NvbmZpZ10gVGhlIGNvbmZpZ3VyYXRpb24gb3B0aW9ucy5cbiAgICogQHBhcmFtIHtCb29sZWFufSBbY29uZmlnLmVuYWJsZUNoZWNrPWZhbHNlXSBJcyB0cnVlIGlmIFBhcnNlIFNlcnZlciBzaG91bGQgcmVwb3J0IHdlYWsgc2VjdXJpdHkgc2V0dGluZ3MuXG4gICAqIEBwYXJhbSB7Qm9vbGVhbn0gW2NvbmZpZy5lbmFibGVDaGVja0xvZz1mYWxzZV0gSXMgdHJ1ZSBpZiB0aGUgc2VjdXJpdHkgY2hlY2sgcmVwb3J0IHNob3VsZCBiZSB3cml0dGVuIHRvIGxvZ3MuXG4gICAqIEBwYXJhbSB7T2JqZWN0fSBbY29uZmlnLmNoZWNrR3JvdXBzXSBUaGUgY2hlY2sgZ3JvdXBzIHRvIHJ1bi4gRGVmYXVsdCBhcmUgdGhlIGdyb3VwcyBkZWZpbmVkIGluIGAuL0NoZWNrR3JvdXBzL0NoZWNrR3JvdXBzLmpzYC5cbiAgICovXG4gIGNvbnN0cnVjdG9yKGNvbmZpZyA9IHt9KSB7XG4gICAgdGhpcy5fdmFsaWRhdGVQYXJhbXMoY29uZmlnKTtcbiAgICBjb25zdCB7IGVuYWJsZUNoZWNrID0gZmFsc2UsIGVuYWJsZUNoZWNrTG9nID0gZmFsc2UsIGNoZWNrR3JvdXBzID0gQ2hlY2tHcm91cHMgfSA9IGNvbmZpZztcbiAgICB0aGlzLmVuYWJsZUNoZWNrID0gZW5hYmxlQ2hlY2s7XG4gICAgdGhpcy5lbmFibGVDaGVja0xvZyA9IGVuYWJsZUNoZWNrTG9nO1xuICAgIHRoaXMuY2hlY2tHcm91cHMgPSBjaGVja0dyb3VwcztcbiAgfVxuXG4gIC8qKlxuICAgKiBSdW5zIGFsbCBzZWN1cml0eSBjaGVja3MgYW5kIHJldHVybnMgdGhlIHJlc3VsdHMuXG4gICAqIEBwYXJhbXNcbiAgICogQHJldHVybnMge09iamVjdH0gVGhlIHNlY3VyaXR5IGNoZWNrIHJlcG9ydC5cbiAgICovXG4gIGFzeW5jIHJ1bih7IHZlcnNpb24gPSAnMS4wLjAnIH0gPSB7fSkge1xuICAgIC8vIEluc3RhbnRpYXRlIGNoZWNrIGdyb3Vwc1xuICAgIGNvbnN0IGdyb3VwcyA9IE9iamVjdC52YWx1ZXModGhpcy5jaGVja0dyb3VwcylcbiAgICAgIC5maWx0ZXIoYyA9PiB0eXBlb2YgYyA9PT0gJ2Z1bmN0aW9uJylcbiAgICAgIC5tYXAoQ2hlY2tHcm91cCA9PiBuZXcgQ2hlY2tHcm91cCgpKTtcblxuICAgIC8vIFJ1biBjaGVja3NcbiAgICBncm91cHMuZm9yRWFjaChncm91cCA9PiBncm91cC5ydW4oKSk7XG5cbiAgICAvLyBHZW5lcmF0ZSBKU09OIHJlcG9ydFxuICAgIGNvbnN0IHJlcG9ydCA9IHRoaXMuX2dlbmVyYXRlUmVwb3J0KHsgZ3JvdXBzLCB2ZXJzaW9uIH0pO1xuXG4gICAgLy8gSWYgcmVwb3J0IHNob3VsZCBiZSB3cml0dGVuIHRvIGxvZ3NcbiAgICBpZiAodGhpcy5lbmFibGVDaGVja0xvZykge1xuICAgICAgdGhpcy5fbG9nUmVwb3J0KHJlcG9ydCk7XG4gICAgfVxuICAgIHJldHVybiByZXBvcnQ7XG4gIH1cblxuICAvKipcbiAgICogR2VuZXJhdGVzIGEgc2VjdXJpdHkgY2hlY2sgcmVwb3J0IGluIEpTT04gZm9ybWF0IHdpdGggc2NoZW1hOlxuICAgKiBgYGBcbiAgICoge1xuICAgKiAgICByZXBvcnQ6IHtcbiAgICogICAgICB2ZXJzaW9uOiBcIjEuMC4wXCIsIC8vIFRoZSByZXBvcnQgdmVyc2lvbiwgZGVmaW5lcyB0aGUgc2NoZW1hXG4gICAqICAgICAgc3RhdGU6IFwiZmFpbFwiICAgICAvLyBUaGUgZGlzanVuY3RpdmUgaW5kaWNhdG9yIG9mIGZhaWxlZCBjaGVja3MgaW4gYWxsIGdyb3Vwcy5cbiAgICogICAgICBncm91cHM6IFsgICAgICAgICAvLyBUaGUgY2hlY2sgZ3JvdXBzXG4gICAqICAgICAgICB7XG4gICAqICAgICAgICAgIG5hbWU6IFwiSG91c2VcIiwgICAgICAgICAgICAvLyBUaGUgZ3JvdXAgbmFtZVxuICAgKiAgICAgICAgICBzdGF0ZTogXCJmYWlsXCIgICAgICAgICAgICAgLy8gVGhlIGRpc2p1bmN0aXZlIGluZGljYXRvciBvZiBmYWlsZWQgY2hlY2tzIGluIHRoaXMgZ3JvdXAuXG4gICAqICAgICAgICAgIGNoZWNrczogWyAgICAgICAgICAgICAgICAgLy8gVGhlIGNoZWNrc1xuICAgKiAgICAgICAgICAgIHRpdGxlOiBcIkRvb3IgbG9ja2VkXCIsICAgLy8gVGhlIGNoZWNrIHRpdGxlXG4gICAqICAgICAgICAgICAgc3RhdGU6IFwiZmFpbFwiICAgICAgICAgICAvLyBUaGUgY2hlY2sgc3RhdGVcbiAgICogICAgICAgICAgICB3YXJuaW5nOiBcIkFueW9uZSBjYW4gZW50ZXIgeW91ciBob3VzZS5cIiAgIC8vIFRoZSB3YXJuaW5nLlxuICAgKiAgICAgICAgICAgIHNvbHV0aW9uOiBcIkxvY2sgeW91ciBkb29yLlwiICAgICAgICAgICAgICAgLy8gVGhlIHNvbHV0aW9uLlxuICAgKiAgICAgICAgICBdXG4gICAqICAgICAgICB9LFxuICAgKiAgICAgICAgLi4uXG4gICAqICAgICAgXVxuICAgKiAgICB9XG4gICAqIH1cbiAgICogYGBgXG4gICAqIEBwYXJhbSB7T2JqZWN0fSBwYXJhbXMgVGhlIHBhcmFtZXRlcnMuXG4gICAqIEBwYXJhbSB7QXJyYXk8Q2hlY2tHcm91cD59IHBhcmFtcy5ncm91cHMgVGhlIGNoZWNrIGdyb3Vwcy5cbiAgICogQHBhcmFtIHtTdHJpbmd9IHBhcmFtcy52ZXJzaW9uOiBUaGUgcmVwb3J0IHNjaGVtYSB2ZXJzaW9uLlxuICAgKiBAcmV0dXJucyB7T2JqZWN0fSBUaGUgcmVwb3J0LlxuICAgKi9cbiAgX2dlbmVyYXRlUmVwb3J0KHsgZ3JvdXBzLCB2ZXJzaW9uIH0pIHtcbiAgICAvLyBDcmVhdGUgcmVwb3J0IHRlbXBsYXRlXG4gICAgY29uc3QgcmVwb3J0ID0ge1xuICAgICAgcmVwb3J0OiB7XG4gICAgICAgIHZlcnNpb24sXG4gICAgICAgIHN0YXRlOiBDaGVja1N0YXRlLnN1Y2Nlc3MsXG4gICAgICAgIGdyb3VwczogW10sXG4gICAgICB9LFxuICAgIH07XG5cbiAgICAvLyBJZGVudGlmeSByZXBvcnQgdmVyc2lvblxuICAgIHN3aXRjaCAodmVyc2lvbikge1xuICAgICAgY2FzZSAnMS4wLjAnOlxuICAgICAgZGVmYXVsdDpcbiAgICAgICAgLy8gRm9yIGVhY2ggY2hlY2sgZ3JvdXBcbiAgICAgICAgZm9yIChjb25zdCBncm91cCBvZiBncm91cHMpIHtcbiAgICAgICAgICAvLyBDcmVhdGUgZ3JvdXAgcmVwb3J0XG4gICAgICAgICAgY29uc3QgZ3JvdXBSZXBvcnQgPSB7XG4gICAgICAgICAgICBuYW1lOiBncm91cC5uYW1lKCksXG4gICAgICAgICAgICBzdGF0ZTogQ2hlY2tTdGF0ZS5zdWNjZXNzLFxuICAgICAgICAgICAgY2hlY2tzOiBbXSxcbiAgICAgICAgICB9O1xuXG4gICAgICAgICAgLy8gQ3JlYXRlIGNoZWNrIHJlcG9ydHNcbiAgICAgICAgICBncm91cFJlcG9ydC5jaGVja3MgPSBncm91cC5jaGVja3MoKS5tYXAoY2hlY2sgPT4ge1xuICAgICAgICAgICAgY29uc3QgY2hlY2tSZXBvcnQgPSB7XG4gICAgICAgICAgICAgIHRpdGxlOiBjaGVjay50aXRsZSxcbiAgICAgICAgICAgICAgc3RhdGU6IGNoZWNrLmNoZWNrU3RhdGUoKSxcbiAgICAgICAgICAgIH07XG4gICAgICAgICAgICBpZiAoY2hlY2suY2hlY2tTdGF0ZSgpID09IENoZWNrU3RhdGUuZmFpbCkge1xuICAgICAgICAgICAgICBjaGVja1JlcG9ydC53YXJuaW5nID0gY2hlY2sud2FybmluZztcbiAgICAgICAgICAgICAgY2hlY2tSZXBvcnQuc29sdXRpb24gPSBjaGVjay5zb2x1dGlvbjtcbiAgICAgICAgICAgICAgcmVwb3J0LnJlcG9ydC5zdGF0ZSA9IENoZWNrU3RhdGUuZmFpbDtcbiAgICAgICAgICAgICAgZ3JvdXBSZXBvcnQuc3RhdGUgPSBDaGVja1N0YXRlLmZhaWw7XG4gICAgICAgICAgICB9XG4gICAgICAgICAgICByZXR1cm4gY2hlY2tSZXBvcnQ7XG4gICAgICAgICAgfSk7XG5cbiAgICAgICAgICByZXBvcnQucmVwb3J0Lmdyb3Vwcy5wdXNoKGdyb3VwUmVwb3J0KTtcbiAgICAgICAgfVxuICAgIH1cbiAgICByZXR1cm4gcmVwb3J0O1xuICB9XG5cbiAgLyoqXG4gICAqIExvZ3MgdGhlIHNlY3VyaXR5IGNoZWNrIHJlcG9ydC5cbiAgICogQHBhcmFtIHtPYmplY3R9IHJlcG9ydCBUaGUgcmVwb3J0IHRvIGxvZy5cbiAgICovXG4gIF9sb2dSZXBvcnQocmVwb3J0KSB7XG4gICAgLy8gRGV0ZXJtaW5lIGxvZyBsZXZlbCBkZXBlbmRpbmcgb24gd2hldGhlciBhbnkgY2hlY2sgZmFpbGVkXG4gICAgY29uc3QgbG9nID1cbiAgICAgIHJlcG9ydC5yZXBvcnQuc3RhdGUgPT0gQ2hlY2tTdGF0ZS5zdWNjZXNzID8gcyA9PiBsb2dnZXIuaW5mbyhzKSA6IHMgPT4gbG9nZ2VyLndhcm4ocyk7XG5cbiAgICAvLyBEZWNsYXJlIG91dHB1dFxuICAgIGNvbnN0IGluZGVudCA9ICcgICAnO1xuICAgIGxldCBvdXRwdXQgPSAnJztcbiAgICBsZXQgY2hlY2tzQ291bnQgPSAwO1xuICAgIGxldCBmYWlsZWRDaGVja3NDb3VudCA9IDA7XG4gICAgbGV0IHNraXBwZWRDaGVja0NvdW50ID0gMDtcblxuICAgIC8vIFRyYXZlcnNlIGFsbCBncm91cHMgYW5kIGNoZWNrcyBmb3IgY29tcG9zZSBvdXRwdXRcbiAgICBmb3IgKGNvbnN0IGdyb3VwIG9mIHJlcG9ydC5yZXBvcnQuZ3JvdXBzKSB7XG4gICAgICBvdXRwdXQgKz0gYFxcbi0gJHtncm91cC5uYW1lfWA7XG5cbiAgICAgIGZvciAoY29uc3QgY2hlY2sgb2YgZ3JvdXAuY2hlY2tzKSB7XG4gICAgICAgIGNoZWNrc0NvdW50Kys7XG4gICAgICAgIG91dHB1dCArPSBgXFxuJHtpbmRlbnR9JHt0aGlzLl9nZXRMb2dJY29uRm9yU3RhdGUoY2hlY2suc3RhdGUpfSAke2NoZWNrLnRpdGxlfWA7XG5cbiAgICAgICAgaWYgKGNoZWNrLnN0YXRlID09IENoZWNrU3RhdGUuZmFpbCkge1xuICAgICAgICAgIGZhaWxlZENoZWNrc0NvdW50Kys7XG4gICAgICAgICAgb3V0cHV0ICs9IGBcXG4ke2luZGVudH0ke2luZGVudH1XYXJuaW5nOiAke2NoZWNrLndhcm5pbmd9YDtcbiAgICAgICAgICBvdXRwdXQgKz0gYCAke2NoZWNrLnNvbHV0aW9ufWA7XG4gICAgICAgIH0gZWxzZSBpZiAoY2hlY2suc3RhdGUgPT0gQ2hlY2tTdGF0ZS5ub25lKSB7XG4gICAgICAgICAgc2tpcHBlZENoZWNrQ291bnQrKztcbiAgICAgICAgICBvdXRwdXQgKz0gYFxcbiR7aW5kZW50fSR7aW5kZW50fVRlc3QgZGlkIG5vdCBleGVjdXRlLCB0aGlzIGlzIGxpa2VseSBhbiBpbnRlcm5hbCBzZXJ2ZXIgaXNzdWUsIHBsZWFzZSByZXBvcnQuYDtcbiAgICAgICAgfVxuICAgICAgfVxuICAgIH1cblxuICAgIG91dHB1dCA9XG4gICAgICBgXFxuIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyNgICtcbiAgICAgIGBcXG4jICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI2AgK1xuICAgICAgYFxcbiMgICBQYXJzZSBTZXJ2ZXIgU2VjdXJpdHkgQ2hlY2sgICAjYCArXG4gICAgICBgXFxuIyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICNgICtcbiAgICAgIGBcXG4jIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI2AgK1xuICAgICAgYFxcbmAgK1xuICAgICAgYFxcbiR7XG4gICAgICAgIGZhaWxlZENoZWNrc0NvdW50ID4gMCA/ICdXYXJuaW5nOiAnIDogJydcbiAgICAgIH0ke2ZhaWxlZENoZWNrc0NvdW50fSB3ZWFrIHNlY3VyaXR5IHNldHRpbmcocykgZm91bmQke2ZhaWxlZENoZWNrc0NvdW50ID4gMCA/ICchJyA6ICcnfWAgK1xuICAgICAgYFxcbiR7Y2hlY2tzQ291bnR9IGNoZWNrKHMpIGV4ZWN1dGVkYCArXG4gICAgICBgXFxuJHtza2lwcGVkQ2hlY2tDb3VudH0gY2hlY2socykgc2tpcHBlZGAgK1xuICAgICAgYFxcbmAgK1xuICAgICAgYCR7b3V0cHV0fWA7XG5cbiAgICAvLyBXcml0ZSBsb2dcbiAgICBsb2cob3V0cHV0KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBSZXR1cm5zIGFuIGljb24gZm9yIHVzZSBpbiB0aGUgcmVwb3J0IGxvZyBvdXRwdXQuXG4gICAqIEBwYXJhbSB7Q2hlY2tTdGF0ZX0gc3RhdGUgVGhlIGNoZWNrIHN0YXRlLlxuICAgKiBAcmV0dXJucyB7U3RyaW5nfSBUaGUgaWNvbi5cbiAgICovXG4gIF9nZXRMb2dJY29uRm9yU3RhdGUoc3RhdGUpIHtcbiAgICBzd2l0Y2ggKHN0YXRlKSB7XG4gICAgICBjYXNlIENoZWNrU3RhdGUuc3VjY2VzczpcbiAgICAgICAgcmV0dXJuICfinIUnO1xuICAgICAgY2FzZSBDaGVja1N0YXRlLmZhaWw6XG4gICAgICAgIHJldHVybiAn4p2MJztcbiAgICAgIGRlZmF1bHQ6XG4gICAgICAgIHJldHVybiAn4oS577iPJztcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogVmFsaWRhdGVzIHRoZSBjb25zdHJ1Y3RvciBwYXJhbWV0ZXJzLlxuICAgKiBAcGFyYW0ge09iamVjdH0gcGFyYW1zIFRoZSBwYXJhbWV0ZXJzIHRvIHZhbGlkYXRlLlxuICAgKi9cbiAgX3ZhbGlkYXRlUGFyYW1zKHBhcmFtcykge1xuICAgIFV0aWxzLnZhbGlkYXRlUGFyYW1zKHBhcmFtcywge1xuICAgICAgZW5hYmxlQ2hlY2s6IHsgdDogJ2Jvb2xlYW4nLCB2OiBpc0Jvb2xlYW4sIG86IHRydWUgfSxcbiAgICAgIGVuYWJsZUNoZWNrTG9nOiB7IHQ6ICdib29sZWFuJywgdjogaXNCb29sZWFuLCBvOiB0cnVlIH0sXG4gICAgICBjaGVja0dyb3VwczogeyB0OiAnYXJyYXknLCB2OiBpc0FycmF5LCBvOiB0cnVlIH0sXG4gICAgfSk7XG4gIH1cbn1cblxubW9kdWxlLmV4cG9ydHMgPSBDaGVja1J1bm5lcjtcbiJdfQ==