fix: LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65)

[mtrezza]

Issue

LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65)

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds LiveQuery tests for concurrent-subscriber scenarios around protected fields and afterLiveQueryEvent; updates ParseLiveQueryServer to deep-clone per-request payloads and to unconditionally clear protectedFields for master-key clients to prevent shared-state leakage.

Changes

Cohort / File(s)	Summary
LiveQuery Protected-Fields Test Suite spec/vulnerabilities.spec.js	New LiveQuery tests exercising concurrent subscriptions (master-key vs regular), create/update/delete flows, and an afterLiveQueryEvent trigger that mutates req.object; asserts per-subscriber payload isolation and no protected-field leakage.
LiveQuery Server: Per-request Payload Isolation src/LiveQuery/ParseLiveQueryServer.ts	Replaced shared mutable per-request variables with deep-cloned locals inside each requestIds.forEach(async ...) callback; ensure cloned objects are converted-to-JSON and filtered per-client before push. Also changes _filterSensitiveData to clear protectedFields for master-key clients unconditionally.

Sequence Diagram(s)

sequenceDiagram
    participant DB as Database
    participant LQ as ParseLiveQueryServer
    participant TR as afterLiveQueryEventTrigger
    participant C1 as Client (master)
    participant C2 as Client (regular)

    DB->>LQ: emit change (create/update/delete)
    LQ->>LQ: for each subscription requestId\ndeep-clone payload -> localObject
    alt trigger configured
        LQ->>TR: call afterLiveQueryEvent with localObject
        TR-->>LQ: may mutate localObject (per-request)
    end
    LQ->>LQ: toJSONwithObjects(localObject) and _filterSensitiveData(localObject, client)
    LQ->>C1: push filtered localObject (master sees protected fields)
    LQ->>C2: push filtered localObject (regular does not see protected fields)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• fix: Protected fields leak via LiveQuery afterEvent trigger (GHSA-5hmj-jcgp-6hff) #10232: Modifies ParseLiveQueryServer after-save/after-delete handling to avoid LiveQuery protected-field leaks; touches same per-request delivery code paths.
• fix: LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576) #10250: Adjusts per-request LiveQuery callback and permission checks related to subscription matching and payload delivery.
• fix: LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) #10197: Updates _onAfterSave/_onAfterDelete LiveQuery handling and subscription matching (adds validation/try-catch), overlapping the same event delivery logic.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely empty, missing all required template sections including Issue, Approach, and Tasks, making it impossible to understand the author's rationale or verification steps.	Add a complete PR description following the template: describe the security issue (GHSA-m983-v2ff-wq65), explain the approach to fix the race condition in LiveQuery event payloads, and confirm which tasks were completed.
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: fixing a LiveQuery protected field leak caused by shared mutable state across concurrent subscribers, with a reference to the specific security advisory (GHSA-m983-v2ff-wq65).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 86.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.52%. Comparing base (e7efbeb) to head (fb8cf00).
⚠️ Report is 3 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/LiveQuery/ParseLiveQueryServer.ts	86.66%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10330   +/-   ##
=======================================
  Coverage   92.52%   92.52%           
=======================================
  Files         192      192           
  Lines       16517    16519    +2     
  Branches      227      229    +2     
=======================================
+ Hits        15283    15285    +2     
  Misses       1214     1214           
  Partials       20       20           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3409-3423: The race test uses the helper createSubscribedClient
and derives the "injected" marker from req.sessionToken || 'no-session', which
makes both anonymous clients produce the same marker; change
createSubscribedClient to tag each client with a unique client-specific marker
(e.g., include a generated id or suffix in the payload subscriber metadata) so
the server sees distinct values per client, and update the assertions that
currently check payloads with toBeDefined() to instead assert that the two
received payload markers are both defined and not equal (i.e., payloadA !==
payloadB), referencing createSubscribedClient, the injected variable, and the
code handling req.sessionToken to locate and modify the test and assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f7adc915-ac84-4ea0-96a0-0e88a56d087f

📥 Commits

Reviewing files that changed from the base of the PR and between aee2146 and aeb14e3.

📒 Files selected for processing (2)

• spec/vulnerabilities.spec.js
• src/LiveQuery/ParseLiveQueryServer.ts

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/vulnerabilities.spec.js (1)

3672-3726: Cover the concurrent original clone path too.

This only proves per-subscriber isolation for req.object on a create event. The server change also clones localOriginalParseObject and sends it through the same trigger/filter path in src/LiveQuery/ParseLiveQueryServer.ts:321-328 and src/LiveQuery/ParseLiveQueryServer.ts:407-442, so a regression there would still pass. Prefer an update/leave case that mutates and asserts both object and original per subscriber.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 3672 - 3726, Add a test that
exercises the concurrent "original" clone path by using an update (or leave)
LiveQuery event where the afterLiveQueryEvent handler mutates both req.object
and req.original (or localOriginalParseObject) differently per installationId;
use Parse.Cloud.afterLiveQueryEvent (same as existing test) and
createSubscribedClient to create two subscribers, perform an update on the
object, then assert each subscriber sees both object and original mutated to
their own installation-specific values (e.g., injectedObject vs
injectedOriginal) to ensure per-subscriber isolation of the original clone path
handled in ParseLiveQueryServer (localOriginalParseObject).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3424-3425: The subscription ACK wait using client.subscribe(...)
then awaiting new Promise(resolve => sub.on('open', resolve)) can hang
indefinitely; replace that await with a bounded wait that races the 'open' event
against a short timeout (e.g., a few hundred milliseconds) and rejects or fails
deterministically on timeout; ensure you reference the subscription returned by
client.subscribe and the event listener on sub.on('open', ...), remove the
listener and close/unsubscribe the subscription on timeout to avoid leaks, and
make the test assert or throw when the timeout wins so failures surface
immediately.

---

Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3672-3726: Add a test that exercises the concurrent "original"
clone path by using an update (or leave) LiveQuery event where the
afterLiveQueryEvent handler mutates both req.object and req.original (or
localOriginalParseObject) differently per installationId; use
Parse.Cloud.afterLiveQueryEvent (same as existing test) and
createSubscribedClient to create two subscribers, perform an update on the
object, then assert each subscriber sees both object and original mutated to
their own installation-specific values (e.g., injectedObject vs
injectedOriginal) to ensure per-subscriber isolation of the original clone path
handled in ParseLiveQueryServer (localOriginalParseObject).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1ccd0e94-58a1-4ac1-933f-1c3126d68327

📥 Commits

Reviewing files that changed from the base of the PR and between aeb14e3 and fb8cf00.

📒 Files selected for processing (1)

• spec/vulnerabilities.spec.js

[parseplatformorg]

🎉 This change has been released in version 9.7.0-alpha.9