
fix: Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289)#10133

Merged
mtrezza merged 1 commit into parse-community:alpha from mtrezza:fix/GHSA-7ch5-98q2-7289-v9
Mar 8, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Mar 8, 2026

Pull Request

Issue

Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced class-level permission validation during LiveQuery subscription to properly enforce authorization restrictions and reject unauthorized access attempts.
  • Tests

    • Expanded test coverage for class-level permissions with LiveQuery, including authenticated and unauthenticated subscription scenarios.
    • Modernized asynchronous test assertions with async/await patterns for improved clarity.

@parse-github-assistant

parse-github-assistant bot commented Mar 8, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai

coderabbitai bot commented Mar 8, 2026

📝 Walkthrough

Walkthrough

The changes add class-level permissions (CLP) validation to LiveQuery subscriptions. New test cases verify that subscriptions are rejected or allowed based on CLP rules. The server implementation is modified to validate CLP at subscription time before proceeding with event delivery.

Changes

Cohort / File(s) Summary
CLP Test Coverage
spec/ParseLiveQuery.spec.js
Introduces setPermissionsOnClass() helper and two new test cases: one validating LiveQuery event delivery to authenticated clients with appropriate CLP, another asserting subscription rejection when CLP denies find access.
Async/Await Test Refactoring
spec/ParseLiveQueryServer.spec.js
Converts three existing CLP test cases from promise polling with done() callbacks to modern async/await syntax using expectAsync, with corresponding test name and assertion updates (e.g., "matches" → "resolves"/"rejects").
CLP Validation Implementation
src/LiveQuery/ParseLiveQueryServer.ts
Modifies _matchesCLP() to use direct await on SchemaController validation. Adds subscribe-time CLP enforcement in _handleSubscribe() by loading schema, obtaining permissions, and validating client access before subscription creation.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Server as LiveQuery Server
    participant SchemaController
    participant Config

    Client->>Server: Subscribe to class with credentials
    Server->>Config: Load class schema
    Config-->>Server: Return schema with CLP
    Server->>SchemaController: validatePermission(CLP, client, find)
    alt CLP allows find
        SchemaController-->>Server: Permission granted
        Server->>Server: Create subscription
        Server-->>Client: Subscription established
        Note over Client,Server: Events delivered on mutations
    else CLP denies find
        SchemaController-->>Server: Permission denied
        Server-->>Client: Subscription rejected
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The pull request description is incomplete. While the Issue section references a security advisory (GHSA-7ch5-98q2-7289), the Approach section is empty, and only one task (Add tests) is marked complete. Add a detailed explanation in the Approach section describing the changes made to fix the CLP bypass vulnerability in LiveQuery, and clarify which remaining tasks apply to this PR.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly identifies a security fix for a specific vulnerability (class-level permissions bypass in LiveQuery), directly matching the changes which add CLP validation at subscription time and update tests.


@parseplatformorg
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
src/LiveQuery/ParseLiveQueryServer.ts (1)

892-917: Good security fix: subscribe-time CLP validation.

This correctly validates class-level permissions before establishing a subscription, preventing unauthorized clients from subscribing to classes they cannot query.

One defensive consideration: Config.get(this.config.appId) returns undefined if the appId is not registered in AppCache (per src/Config.js:43-46). While this scenario is unlikely in normal operation, accessing appConfig.database would throw a confusing error.

🛡️ Optional: Add a guard for missing config
       // Check CLP for subscribe operation
       const appConfig = Config.get(this.config.appId);
+      if (!appConfig) {
+        throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'Server configuration not found');
+      }
       const schemaController = await appConfig.database.loadSchema();
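Review bot: the suggested guard throws from inside the subscribe path, but the hunk does not show the surrounding error handling, so confirm that a throw at this point is caught and turned into a subscribe-error reply for the client in the same way a validatePermission rejection is; otherwise an unregistered appId becomes an unhandled rejection instead of a rejected subscription. Since a missing app config is a server-side condition rather than a client mistake, also log the appId server-side before throwing; the client-facing text 'Server configuration not found' can stay as generic as it is.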
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/LiveQuery/ParseLiveQueryServer.ts` around lines 892 - 917, The code
assumes Config.get(this.config.appId) always returns an appConfig; add a guard
after calling Config.get(this.config.appId) to handle undefined (e.g., log an
error and abort the subscribe flow or throw) before accessing appConfig.database
and calling appConfig.database.loadSchema(); ensure you only call loadSchema(),
schemaController.getClassLevelPermissions(className) and
SchemaController.validatePermission when appConfig is present to avoid confusing
runtime errors from dereferencing undefined.


📥 Commits

Reviewing files that changed from the base of the PR and between 0a86d5c and 90beaca.

📒 Files selected for processing (3)
  • spec/ParseLiveQuery.spec.js
  • spec/ParseLiveQueryServer.spec.js
  • src/LiveQuery/ParseLiveQueryServer.ts
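The subscribe-time check that the walkthrough and the review comment above describe, as an added example that is not parse-server's code: a small model that loads the schema, fetches the class-level permissions for the requested class, validates `find` for the subscribing client, and only then creates a subscription, with the "missing app config" guard from the nitpick included. `aclGroupFor`, `validatePermission`, `LiveQueryGate`, the simplified CLP shape and the constructed sample schema are all assumptions made for this illustration; the error codes 119 and 1 are Parse's `OPERATION_FORBIDDEN` and `INTERNAL_SERVER_ERROR`. Unlike parse-server's `loadSchema()`, the model's is synchronous.

```javascript
// Added example for this page, not parse-server's implementation: a model of
// subscribe-time CLP enforcement. Names and the CLP shape are assumptions.
const OPERATION_FORBIDDEN = 119;   // Parse.Error.OPERATION_FORBIDDEN
const INTERNAL_SERVER_ERROR = 1;   // Parse.Error.INTERNAL_SERVER_ERROR

// Principals a client can satisfy a CLP entry with: '*' for everyone, the user
// id when authenticated, and 'role:<name>' for each role the user holds.
function aclGroupFor(client) {
  const group = ['*'];
  if (client.userId) {
    group.push(client.userId, ...(client.roles || []).map(r => `role:${r}`));
  }
  return group;
}

// Simplified CLP format (assumption): clp[operation] maps principal keys to
// true or sets requiresAuthentication; no entry for an operation means open.
// Throws on denial, mirroring the shape of a validatePermission call.
function validatePermission(clp, className, aclGroup, operation) {
  const perms = clp && clp[operation];
  if (!perms) return;
  if (perms['*']) return;
  const authenticated = aclGroup.some(p => p !== '*' && !p.startsWith('role:'));
  if (perms.requiresAuthentication && authenticated) return;
  if (aclGroup.some(p => perms[p] === true)) return;
  const err = new Error(`Permission denied for action ${operation} on class ${className}.`);
  err.code = OPERATION_FORBIDDEN;
  throw err;
}

class LiveQueryGate {
  constructor(apps) {
    this.apps = apps;              // appId -> app config, stands in for Config.get()
    this.subscriptions = new Map();
    this.nextId = 1;
  }

  // Returns { ok: true, subscriptionId } or { ok: false, code, message }.
  handleSubscribe(appId, client, className) {
    const appConfig = this.apps.get(appId);
    if (!appConfig) {
      // Guard from the review comment: an unregistered appId must not reach
      // appConfig.database and surface as a confusing dereference error.
      return { ok: false, code: INTERNAL_SERVER_ERROR, message: 'Server configuration not found' };
    }
    const schemaController = appConfig.database.loadSchema();
    const clp = schemaController.getClassLevelPermissions(className);
    try {
      validatePermission(clp, className, aclGroupFor(client), 'find');
    } catch (err) {
      return { ok: false, code: err.code, message: err.message };
    }
    // Only a client that passed the CLP check gets a subscription object.
    const subscriptionId = this.nextId++;
    this.subscriptions.set(subscriptionId, { client, className });
    return { ok: true, subscriptionId };
  }
}

// Constructed sample app with three classes and different CLPs.
const sampleApps = new Map([
  ['app1', {
    database: {
      loadSchema: () => ({
        getClassLevelPermissions: className => ({
          Secret: { find: { requiresAuthentication: true } },
          AdminOnly: { find: { 'role:Admin': true } },
          Public: {},
        })[className],
      }),
    },
  }],
]);

// Runs the subscription scenarios the PR's tests cover (anonymous vs.
// authenticated clients) plus a role-gated class and an unknown appId.
function runScenarios() {
  const gate = new LiveQueryGate(sampleApps);
  const anon = {};
  const user = { userId: 'u1' };
  const admin = { userId: 'u2', roles: ['Admin'] };
  return {
    anonSecret: gate.handleSubscribe('app1', anon, 'Secret'),
    userSecret: gate.handleSubscribe('app1', user, 'Secret'),
    userAdminOnly: gate.handleSubscribe('app1', user, 'AdminOnly'),
    adminAdminOnly: gate.handleSubscribe('app1', admin, 'AdminOnly'),
    anonPublic: gate.handleSubscribe('app1', anon, 'Public'),
    unknownApp: gate.handleSubscribe('nope', user, 'Public'),
    liveSubscriptions: gate.subscriptions.size,  // evaluated last: 3 accepted
  };
}

console.log(runScenarios());
```

The point of the model is where the check sits: a client that fails the `find` CLP never obtains a subscription handle, so there is nothing for the per-event `_matchesCLP()` path to filter later, and the rejection reaches the client as an explicit error rather than as silence.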

@codecov
Copy link

codecov bot commented Mar 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.71%. Comparing base (0a86d5c) to head (90beaca).
⚠️ Report is 2 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10133   +/-   ##
=======================================
  Coverage   92.71%   92.71%           
=======================================
  Files         192      192           
  Lines       16051    16062   +11     
  Branches      180      183    +3     
=======================================
+ Hits        14881    14892   +11     
  Misses       1158     1158           
  Partials       12       12           


@mtrezza mtrezza changed the title from "fix: GHSA-7ch5-98q2-7289-v9" to "fix: Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289)" Mar 8, 2026
@mtrezza mtrezza merged commit 98188d9 into parse-community:alpha Mar 8, 2026
22 of 24 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 8, 2026
## [9.5.2-alpha.3](9.5.2-alpha.2...9.5.2-alpha.3) (2026-03-08)

### Bug Fixes

* Bypass of class-level permissions in LiveQuery ([GHSA-7ch5-98q2-7289](GHSA-7ch5-98q2-7289)) ([#10133](#10133)) ([98188d9](98188d9))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 9.5.2-alpha.3


Labels

state:released-alpha Released as alpha version


2 participants