Skip to content

fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)#10563

Merged
mtrezza merged 2 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-9g8f-h8f3-hjcm-v9
Jul 7, 2026
Merged

fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)#10563
mtrezza merged 2 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-9g8f-h8f3-hjcm-v9

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 7, 2026

Copy link
Copy Markdown
Member

Issue

GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)

Tasks

  • Add tests

Summary by CodeRabbit

  • Bug Fixes
    • GraphQL error messages now hide unwanted suggestion text in restricted environments.
    • Sensitive schema or field names are no longer exposed in coercion errors unless elevated access is available.
    • Error formatting now stays consistent across standard and incremental GraphQL responses.
    • Test coverage was expanded to verify suggestion handling and prevent secret leakage in error output.

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GraphQL error suggestion stripping now happens at response time for single and incremental responses, including stacktrace entries. The spec suite adds coercion-error cases for missing keys, master key access, and public introspection.

Changes

Schema Suggestion Stripping

Layer / File(s) Summary
Response-time suggestion stripping
src/GraphQL/ParseGraphQLServer.js
SchemaSuggestionsControlPlugin now uses willSendResponse and stripSchemaSuggestion to remove "Did you mean" text from error messages and stacktraces in single and incremental responses.
Coercion error sanitization tests
spec/ParseGraphQLServer.spec.js
Adds getReturnedError plus tests for misspelled Cloud Code function and input field coercion errors, covering sanitization without keys and retention with master key or public introspection.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • parse-community/parse-server#10467: Also updates SchemaSuggestionsControlPlugin in src/GraphQL/ParseGraphQLServer.js and extends spec/ParseGraphQLServer.spec.js for "Did you mean" handling under different access conditions.

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Description check ❌ Error The description is missing the required Approach section and the standard Pull Request section from the template. Add the missing Pull Request and Approach sections, and expand Tasks to match the template checklist or mark non-applicable items.
✅ Passed checks (6 passed)
Check name Status Explanation
Title check ✅ Passed The title uses the required fix: prefix and accurately describes the GraphQL security fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed PASS: The changed code only strips GraphQL hint text from non-master/non-introspection responses; I found no new auth bypass, injection, or unsafe deserialization pattern.
Engage In Review Feedback ✅ Passed PASS: CodeRabbit flagged the leak assertion, and the author answered by pushing fc2c4ce to make it quote-agnostic; the bot then approved the changes.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/ParseGraphQLServer.spec.js`:
- Around line 1179-1180: The stacktrace leak assertion in the ParseGraphQLServer
spec is too specific because JSON.stringify escapes quotes, so it can miss a
leaked Did you mean "username"? message. Update the existing error checks in the
ParseGraphQLServer.spec.js expectation block to assert against username directly
rather than the quoted string, matching the style used in the cloud-function
tests and keeping the check in terms of error.message and JSON.stringify(error).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7f79fc3a-f22e-44f1-9479-d11f5deb44d9

📥 Commits

Reviewing files that changed from the base of the PR and between 7e9d53a and 989416c.

📒 Files selected for processing (2)
  • spec/ParseGraphQLServer.spec.js
  • src/GraphQL/ParseGraphQLServer.js

Comment thread spec/ParseGraphQLServer.spec.js Outdated
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.67%. Comparing base (459786f) to head (fc2c4ce).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10563   +/-   ##
=======================================
  Coverage   92.66%   92.67%           
=======================================
  Files         193      193           
  Lines       16981    16986    +5     
  Branches      248      248           
=======================================
+ Hits        15736    15741    +5     
  Misses       1224     1224           
  Partials       21       21           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza mtrezza changed the title fix: GHSA-9g8f-h8f3-hjcm fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm) Jul 7, 2026
@mtrezza mtrezza force-pushed the fix/GHSA-9g8f-h8f3-hjcm-v9 branch from 9045657 to fc2c4ce Compare July 7, 2026 21:33
@mtrezza mtrezza merged commit 2625489 into parse-community:alpha Jul 7, 2026
24 checks passed
@mtrezza mtrezza deleted the fix/GHSA-9g8f-h8f3-hjcm-v9 branch July 7, 2026 21:51
parseplatformorg pushed a commit that referenced this pull request Jul 7, 2026
# [9.10.0-alpha.4](9.10.0-alpha.3...9.10.0-alpha.4) (2026-07-07)

### Bug Fixes

* GraphQL variable-coercion suggestions disclose schema to unauthenticated callers ([GHSA-9g8f-h8f3-hjcm](https://github.com/parse-community/parse-server/security/advisories/GHSA-9g8f-h8f3-hjcm)) ([#10563](#10563)) ([2625489](2625489))
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 9.10.0-alpha.4

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-alpha Released as alpha version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants