
fix: Rate limit bypass via HTTP method override and batch method spoofing#10234

Merged
mtrezza merged 1 commit into parse-community:alpha from mtrezza:fix/rate-limit-method-bypass
Mar 18, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Mar 17, 2026

Issue

Rate limit bypass via HTTP method override and batch method spoofing (GHSA-vpvj-hfh8-388m)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, in-code descriptions)

@parse-github-assistant

parse-github-assistant bot commented Mar 17, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai

coderabbitai bot commented Mar 17, 2026

📝 Walkthrough

Walkthrough

This PR adds comprehensive rate limiting support for batch requests and method overrides, introduces new ParseServerOptions fields (requestContextMiddleware and enableSanitizedErrorResponse), corrects documentation text, and modifies middleware logic to track original HTTP methods in batch contexts while enforcing stricter method override validation.

Changes

Cohort: Test Coverage
File(s): spec/RateLimit.spec.js
Summary: Added 163 lines of test coverage for rate-limiting scenarios including method override bypass attempts, batch request handling, mixed paths, and master-key exemptions with Redis-backed caching integration.

Cohort: Documentation Updates
File(s): src/Options/Definitions.js, src/Options/docs.js
Summary: Fixed textual errors in rateLimit help and documentation: corrected "architecture and user case" to "architecture and use case" and removed stray spacing issues.

Cohort: ParseServerOptions Extensions
File(s): src/Options/index.js
Summary: Added two new public fields to ParseServerOptions: requestContextMiddleware function for customizing request context handling and enableSanitizedErrorResponse boolean flag for controlling error message sanitization in responses.

Cohort: Rate-Limiting Implementation
File(s): src/batch.js, src/middlewares.js, src/cloud-code/Parse.Cloud.js
Summary: Modified batch and middleware handling to support rate limiting across multiple HTTP methods: added _batchOriginalMethod tracking in batch requests, updated method override validation to only apply overrides for string-type _method values, enhanced addRateLimit to check against both current and original methods, and changed beforeLogin rate-limit configuration to accept an array of methods instead of a single string.

Sequence Diagram(s)

sequenceDiagram
    Client->>BatchHandler: POST /batch with _method overrides
    BatchHandler->>MethodValidator: Check _method override
    MethodValidator->>BatchHandler: Store _batchOriginalMethod: 'POST'
    BatchHandler->>RateLimiter: Process sub-request with methodsToCheck
    RateLimiter->>RateLimiter: Build set with request.method + _batchOriginalMethod
    alt Array-based requestMethods
        RateLimiter->>RateLimiter: Check some(methodsToCheck) against requestMethods
    else RegExp-based requestMethods
        RateLimiter->>RateLimiter: Test each method in methodsToCheck
    end
    RateLimiter-->>BatchHandler: Rate limit status
    alt Limit Reached
        BatchHandler-->>Client: 429 error
    else Allowed
        BatchHandler-->>Client: Process sub-request
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name: Description check
Status: ⚠️ Warning
Explanation: The pull request has no description provided by the author, failing to meet the repository's required template structure.
Resolution: Add a detailed description following the template: explain the issue being fixed, describe the approach taken in the changes, and check off applicable tasks (tests, documentation, security checks).

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title accurately describes the main security fix: preventing rate limit bypass via HTTP method override and batch method spoofing.


@parseplatformorg
Contributor

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security
Critical: 0 | High: 0 | Medium: 0 | Low: 0 | Total: 0 issues


@codecov

codecov bot commented Mar 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.60%. Comparing base (6648500) to head (31004e3).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10234   +/-   ##
=======================================
  Coverage   92.60%   92.60%           
=======================================
  Files         192      192           
  Lines       16347    16351    +4     
  Branches      201      201           
=======================================
+ Hits        15138    15142    +4     
  Misses       1192     1192           
  Partials       17       17           



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/middlewares.js`:
- Around line 485-488: The rate-limit matching logic currently checks only req.method and ignores req.originalMethod set by the method-override block, so POST requests with a _method override can bypass POST-scoped limits; update the method comparison in the rate-limit matcher (the code that determines whether a rule applies by HTTP method) to consider the original method as well by using something like const effectiveMethod = req.originalMethod || req.method and matching against effectiveMethod (or explicitly checking both req.method and req.originalMethod) wherever methods are compared in the rate-limit middleware.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between e71c125 and 31004e3.

📒 Files selected for processing (7)
  • spec/RateLimit.spec.js
  • src/Options/Definitions.js
  • src/Options/docs.js
  • src/Options/index.js
  • src/batch.js
  • src/cloud-code/Parse.Cloud.js
  • src/middlewares.js

@mtrezza
Member Author

mtrezza commented Mar 17, 2026

Re: CodeRabbit suggestion to add req.originalMethod to rate-limit method matching —

This was intentionally not included. The Parse JS SDK sends all non-POST requests as POST + _method (see RESTController.js:239-241). Adding originalMethod to the rate limiter's method check would make every SDK operation (queries, updates, deletes) count against POST rate limits, breaking the intended requestMethods semantics.

The bypass is addressed by:

  1. beforeLogin now uses requestMethods: ['POST', 'GET'] — covers both methods the login endpoint accepts
  2. _batchOriginalMethod on the batch fakeReq — prevents batch sub-requests from spoofing the method to bypass rate limits
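The method-matching rule described in the CodeRabbit walkthrough and in the comment above, as an added illustration that is not Parse Server's own code: `methodsToCheck`, `ruleAppliesToMethod` and `batchSubRequest` are assumed names, and only `requestMethods` and `_batchOriginalMethod` come from the PR. It shows why a batch sub-request that spoofs `_method` still counts against a POST-scoped rule, while a plain SDK request already rewritten by method override does not.

```javascript
// Added illustration, not Parse Server's own code. Function and field names other
// than requestMethods and _batchOriginalMethod (both named in the PR) are assumed.

// Methods a rate-limit rule is checked against: the sub-request's own method plus,
// for a batch sub-request, the outer HTTP method the batch arrived with.
function methodsToCheck(req) {
  const methods = new Set([String(req.method).toUpperCase()]);
  if (typeof req._batchOriginalMethod === 'string') {
    methods.add(req._batchOriginalMethod.toUpperCase());
  }
  return [...methods];
}

// A rule applies when any candidate method matches rule.requestMethods, which may
// be an array of methods, a RegExp, or undefined (rule applies to all methods).
function ruleAppliesToMethod(rule, req) {
  const { requestMethods } = rule;
  if (requestMethods === undefined) return true;
  const candidates = methodsToCheck(req);
  if (Array.isArray(requestMethods)) {
    const allowed = requestMethods.map(m => m.toUpperCase());
    return candidates.some(m => allowed.includes(m));
  }
  if (requestMethods instanceof RegExp) {
    // Use a RegExp without the g flag; test() is stateful with g.
    return candidates.some(m => requestMethods.test(m));
  }
  throw new TypeError('requestMethods must be an array, a RegExp or undefined');
}

// Build the fake request a batch handler evaluates for one sub-request: a string
// _method overrides the method (non-strings are ignored, as the PR requires), and
// the outer method is recorded so rate limiting can still see it.
function batchSubRequest(outerMethod, sub) {
  const method = typeof sub._method === 'string' ? sub._method : outerMethod;
  return { method, path: sub.path, _batchOriginalMethod: outerMethod };
}

// Constructed rules mirroring the PR: a POST-only rule, the beforeLogin rule that
// now lists both methods the login endpoint accepts, and a RegExp write rule.
const postOnlyRule = { requestPath: '/classes/*', requestMethods: ['POST'] };
const loginRule = { requestPath: '/login', requestMethods: ['POST', 'GET'] };
const writeRule = { requestPath: '*', requestMethods: /^(POST|PUT|DELETE)$/ };

// Batch sub-request spoofing GET still counts against the POST-only rule ...
const spoofed = batchSubRequest('POST', { _method: 'GET', path: '/classes/Foo' });
console.log(ruleAppliesToMethod(postOnlyRule, spoofed)); // true
// ... while a normal SDK query already rewritten to GET by method override does not.
console.log(ruleAppliesToMethod(postOnlyRule, { method: 'GET', path: '/classes/Foo' })); // false
```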

@mtrezza
Member Author

mtrezza commented Mar 17, 2026

@coderabbitai resolve

@coderabbitai

coderabbitai bot commented Mar 17, 2026

✅ Actions performed

Comments resolved and changes approved.

@mtrezza mtrezza merged commit 7d72d26 into parse-community:alpha Mar 18, 2026
24 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 18, 2026
# [9.6.0-alpha.36](9.6.0-alpha.35...9.6.0-alpha.36) (2026-03-18)

### Bug Fixes

* Rate limit bypass via HTTP method override and batch method spoofing ([#10234](#10234)) ([7d72d26](7d72d26))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.6.0-alpha.36

Labels

state:released-alpha Released as alpha version
