fix: NoSQL injection via token type in password reset and email verification endpoints (GHSA-vgjh-hmwf-c588)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

NoSQL injection via token type in password reset and email verification endpoints (GHSA-vgjh-hmwf-c588)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Bug Fixes

  • Enhanced token validation in password reset workflows to ensure type consistency.
  • Improved token normalization in email verification flows.

• Tests

  • Added comprehensive test coverage for token handling in password reset and email verification processes.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes enhance token handling and input validation in password reset and email verification flows. A new test suite validates rejection of regex injection operators in tokens, while code modifications normalize token types to strings and introduce runtime validation checks before downstream processing.

Changes

Cohort / File(s)	Summary
Test Coverage Enhancements spec/MongoTransform.spec.js, spec/RegexVulnerabilities.spec.js	Adds comprehensive test suites verifying rejection of token injection operators ($ne, $regex, $exists, $gt) in password reset flows and validating token type normalization in verification email resend flows. Includes trailing whitespace formatting adjustment.
Token Normalization & Validation src/Routers/PagesRouter.js, src/Routers/UsersRouter.js	Normalizes token payload in resendVerificationEmail by converting non-string tokens to strings via toString(). Adds runtime validation in handleResetRequest to enforce string type requirement for tokens, throwing INVALID_VALUE on type mismatch.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: Deprecation DEPPS11: Replace PublicAPIRouter with PagesRouter #9974: Touches public/pages routing and token-handling flows in password reset and verification contexts, sharing direct code-level connections with PagesRouter and UsersRouter modifications.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The PR description is incomplete, missing critical information in the Issue and Approach sections despite following the template structure.	Fill in the Issue section with a clear reference to the security vulnerability (GHSA-vgjh-hmwf-c588) and provide the Approach section detailing the changes made to fix the NoSQL injection vulnerability in token handling.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the primary change: fixing a NoSQL injection vulnerability via token type handling in password reset and email verification endpoints, referencing the specific security advisory.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

spec/MongoTransform.spec.js (1)

696-742: Make these assertions specific to the intended rejection.

A generic toThrow() will also pass on unrelated parser failures. For a security regression like this, please assert the expected INVALID_VALUE message/code so these tests only pass for the token-type guard.

Example tightening

     it('should reject non-string value for _perishable_token', () => {
-      expect(() => {
-        transform.transformWhere(null, { _perishable_token: { $regex: '^a' } });
-      }).toThrow();
+      expect(() => {
+        transform.transformWhere(null, { _perishable_token: { $regex: '^a' } });
+      }).toThrowError(/_perishable_token must be a string/);
     });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/MongoTransform.spec.js` around lines 696 - 742, Update the tests that
currently use generic toThrow() for token-field rejections to assert the
specific INVALID_VALUE error from transform.transformWhere so unrelated parser
errors don't mask regressions: replace plain toThrow() checks for
_perishable_token and _email_verify_token (including cases for non-string, $ne
and $exists) with assertions that the thrown error includes the expected
INVALID_VALUE code/message (e.g., inspect the thrown error and expect error.code
or error.message to equal/contain "INVALID_VALUE") while leaving the
valid-string tests unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Adapters/Storage/Mongo/MongoTransform.js`:
- Around line 285-287: The current switch case for '_rperm' and '_wperm'
prematurely returns { key, value }, bypassing transformConstraint() and letting
operator objects reach Mongo; change this so only plain arrays are returned
directly (i.e., when value is an Array), while object values (operator objects)
are not returned early and instead fall through to be processed by
transformConstraint() so operator validation still runs; update the case in
MongoTransform.js (the '_rperm' / '_wperm' handling) to detect Array vs Object
and only short-circuit for arrays.

In `@src/Routers/PagesRouter.js`:
- Around line 111-112: The code currently calls a potentially user-controlled
toString() on req.body?.token (rawToken -> token) which can throw if token is an
object with a non-callable toString property; change the logic in the
PagesRouter request handler so you only accept string tokens and explicitly
reject or sanitize non-string inputs instead of calling toString(): e.g., check
typeof rawToken === 'string' and use that value (or set token = null/return a
fail response) for validation, referencing the rawToken and token variables in
the request handler to locate and replace the unsafe conversion.

---

Nitpick comments:
In `@spec/MongoTransform.spec.js`:
- Around line 696-742: Update the tests that currently use generic toThrow() for
token-field rejections to assert the specific INVALID_VALUE error from
transform.transformWhere so unrelated parser errors don't mask regressions:
replace plain toThrow() checks for _perishable_token and _email_verify_token
(including cases for non-string, $ne and $exists) with assertions that the
thrown error includes the expected INVALID_VALUE code/message (e.g., inspect the
thrown error and expect error.code or error.message to equal/contain
"INVALID_VALUE") while leaving the valid-string tests unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dc81a297-10bc-4cc4-b1d2-85a0437fbf48

📥 Commits

Reviewing files that changed from the base of the PR and between bc45ef9 and fb69186.

📒 Files selected for processing (5)

• spec/MongoTransform.spec.js
• spec/RegexVulnerabilities.spec.js
• src/Adapters/Storage/Mongo/MongoTransform.js
• src/Routers/PagesRouter.js
• src/Routers/UsersRouter.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.70%. Comparing base (0e06b93) to head (cf72215).
⚠️ Report is 161 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10128      +/-   ##
==========================================
+ Coverage   83.99%   92.70%   +8.70%     
==========================================
  Files         191      191              
  Lines       15939    15942       +3     
  Branches      180      180              
==========================================
+ Hits        13388    14779    +1391     
+ Misses       2535     1151    -1384     
+ Partials       16       12       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.5.2-alpha.1

[parseplatformorg]

🎉 This change has been released in version 9.6.0