fix: Parse Server role escalation and CLP bypass via direct _Join table write (GHSA-5f92-jrq3-28rc)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Parse Server role escalation and CLP bypass via direct `_Join table write (GHSA-5f92-jrq3-28rc)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

Release Notes

• Security

  • Enhanced access controls for internal join tables to restrict unauthorized operations
  • Improved permission validation to ensure only authorized users can modify or access join table structures

• Tests

  • Added comprehensive test suite validating join table security and permission enforcement across various user roles

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes implement security restrictions for internal _Join table collections by adding an access-control check that prevents non-master and non-maintenance users from performing operations on these tables. Accompanying helper and test updates validate the enforcement.

Changes

Cohort / File(s)	Summary
Test Infrastructure spec/helper.js, spec/rest.spec.js	Helper adds exception to allow class names starting with "_Join:" in tests; new test suite validates access-control for _Join tables across scenarios (without masterKey, with masterKey, maintenance key, read-only key) and verifies denial of operations and permission boundary enforcement.
Access Control Implementation src/SharedRest.js	Adds guard clause in enforceRoleSecurity to deny any non-master, non-maintenance user from performing operations on internal _Join: collections, returning OPERATION_FORBIDDEN error with method and collection details.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete. While it identifies the security issue (GHSA-5f92-jrq3-28rc), the Approach section is empty, and most tasks remain unchecked despite code changes being present.	Complete the Approach section describing the changes made. Update task checkboxes to reflect completed work (tests added, security checks implemented). Document implementation details and verification steps.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Title check	✅ Passed	The title directly references the security vulnerability (GHSA-5f92-jrq3-28rc) and clearly describes the main fix: preventing role escalation and CLP bypass through direct _Join table writes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

spec/rest.spec.js (1)

1010-1014: Cover the maintenance-key write branch explicitly.

enforceRoleSecurity exempts auth.isMaintenance for every _Join: method, but this suite only pins the read path. Adding one direct write assertion with the maintenance key would lock down that privilege boundary and make future changes less ambiguous.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/rest.spec.js` around lines 1010 - 1014, Add an explicit test that
exercises the maintenance-key write branch by invoking a write operation (e.g.,
rest.create or rest.update) against the _Join table name '_Join:users:_Role'
using auth.maintenance(config) and assert it resolves; specifically, add an
it(...) that calls rest.create(config, auth.maintenance(config),
'_Join:users:_Role', {/* minimal body */}) (or rest.update with an appropriate
id/body) and expects the promise to be resolved to cover the write-path
protected by enforceRoleSecurity.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/rest.spec.js`:
- Around line 1010-1014: Add an explicit test that exercises the maintenance-key
write branch by invoking a write operation (e.g., rest.create or rest.update)
against the _Join table name '_Join:users:_Role' using auth.maintenance(config)
and assert it resolves; specifically, add an it(...) that calls
rest.create(config, auth.maintenance(config), '_Join:users:_Role', {/* minimal
body */}) (or rest.update with an appropriate id/body) and expects the promise
to be resolved to cover the write-path protected by enforceRoleSecurity.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d855c2a-05cd-4803-b219-6aa9b9d03313

📥 Commits

Reviewing files that changed from the base of the PR and between 189f15e and 10dd802.

📒 Files selected for processing (3)

• spec/helper.js
• spec/rest.spec.js
• src/SharedRest.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.72%. Comparing base (be1d65d) to head (10dd802).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10141   +/-   ##
=======================================
  Coverage   92.71%   92.72%           
=======================================
  Files         192      192           
  Lines       16090    16092    +2     
  Branches      183      183           
=======================================
+ Hits        14918    14921    +3     
+ Misses       1160     1159    -1     
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.5.2-alpha.7