Skip to content

fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)#10566

Merged
mtrezza merged 2 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-2fgh-8j2g-w354-v9
Jul 10, 2026
Merged

fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)#10566
mtrezza merged 2 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-2fgh-8j2g-w354-v9

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member

Issue

GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)

Tasks

  • Add tests

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GraphQL error sanitization now redacts required custom field identifiers from restricted base and inline-literal coercion errors, including serialized stacktraces, while preserving identifiers for master-key requests and public introspection.

Changes

GraphQL error redaction

Layer / File(s) Summary
Schema identifier redaction
src/GraphQL/ParseGraphQLServer.js
Adds coercion-error identifier redaction and applies combined sanitization to messages and serialized stacktraces.
Response sanitization and coverage
spec/ParseGraphQLServer.spec.js
Tests restricted, master-key, and introspection-enabled base coercion errors, plus restricted inline-literal errors and serialized output.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (2 errors)

Check name Status Explanation Resolution
Description check ❌ Error No pull request description was provided, so the required Issue, Approach, and Tasks sections are missing. Add the repository template sections with a linked issue, a concise approach summary, and the completed task checklist.
Engage In Review Feedback ❌ Error The inline-literal feedback was implemented in de53d22, but the PR page shows no visible reply/discussion and only one participant, so engagement isn't evidenced. Reply in the review thread to confirm the fix addresses the comment, or get the reviewer to retract/resolve it after discussion.
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed The PR only adds tests; no runtime code changes are present in the diff, and the existing redaction logic already blocks schema-identifier leaks.
Title check ✅ Passed The title matches the PR's main fix and satisfies the required prefix and capitalization rules.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.67%. Comparing base (2625489) to head (de53d22).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10566      +/-   ##
==========================================
- Coverage   92.68%   92.67%   -0.02%     
==========================================
  Files         193      193              
  Lines       16986    16990       +4     
  Branches      248      248              
==========================================
+ Hits        15743    15745       +2     
- Misses       1222     1224       +2     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
spec/ParseGraphQLServer.spec.js (1)

1235-1266: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add coverage for the inline-literal coercion path, not just the variable path.

All three tests pass the required field through a query variable ($input), so they only exercise graphql-js's variable-coercion branch, which emits Field "secretRequiredField" of required type .... The inline-literal branch (input written directly in the operation, validated by ValuesOfCorrectTypeRule) emits a different string that additionally discloses the class-derived type name: Field "${type.name}.${fieldDef.name}" of required type "${typeStr}" was not provided.

Your regex does cover it, but nothing in the suite proves it. Since this is a security control, add a variant that sends the mutation with inline input and asserts neither TestReqClass nor secretRequiredField appears in the serialized error. Otherwise a future edit that narrows the regex to the variable-only form would pass CI while re-opening half the disclosure surface.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/ParseGraphQLServer.spec.js` around lines 1235 - 1266, Add a separate
test alongside the existing required-field coercion coverage that invokes
createTestReqClass with the input object written directly in the mutation rather
than via $input. Capture the resulting error with getReturnedError and assert
the serialized error contains neither TestReqClass nor secretRequiredField,
covering the ValuesOfCorrectTypeRule inline-literal path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@spec/ParseGraphQLServer.spec.js`:
- Around line 1235-1266: Add a separate test alongside the existing
required-field coercion coverage that invokes createTestReqClass with the input
object written directly in the mutation rather than via $input. Capture the
resulting error with getReturnedError and assert the serialized error contains
neither TestReqClass nor secretRequiredField, covering the
ValuesOfCorrectTypeRule inline-literal path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 862257b3-b752-4a7e-9f97-4a1da728b98d

📥 Commits

Reviewing files that changed from the base of the PR and between 293f60e and 4ce3063.

📒 Files selected for processing (2)
  • spec/ParseGraphQLServer.spec.js
  • src/GraphQL/ParseGraphQLServer.js

@mtrezza

mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza mtrezza changed the title fix: GHSA-2fgh-8j2g-w354 fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354) Jul 10, 2026
@mtrezza mtrezza merged commit d96c945 into parse-community:alpha Jul 10, 2026
23 of 24 checks passed
@mtrezza mtrezza deleted the fix/GHSA-2fgh-8j2g-w354-v9 branch July 10, 2026 15:44
parseplatformorg pushed a commit that referenced this pull request Jul 10, 2026
# [9.10.0-alpha.5](9.10.0-alpha.4...9.10.0-alpha.5) (2026-07-10)

### Bug Fixes

* GraphQL error messages disclose required input field names when public introspection is disabled ([GHSA-2fgh-8j2g-w354](GHSA-2fgh-8j2g-w354)) ([#10566](#10566)) ([d96c945](d96c945)), closes [GHSA-2f#8j2g-w354](https://github.com/GHSA-2f/issues/8j2g-w354) [/github.com/parse-community/parse-server/security/advisories/GHSA-2f#8j2g-w354](https://github.com//github.com/parse-community/parse-server/security/advisories/GHSA-2f/issues/8j2g-w354)
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 9.10.0-alpha.5

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-alpha Released as alpha version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants