
fix: SQL injection via dot-notation field name in PostgreSQL (GHSA-qpr4-jrj4-6f27) #10159

Merged: mtrezza merged 4 commits into parse-community:alpha from mtrezza:fix/GHSA-qpr4-jrj4-6f27-v9 on Mar 9, 2026

Conversation

mtrezza (Member) commented Mar 9, 2026

Pull Request

Issue

SQL injection via dot-notation field name in PostgreSQL (GHSA-qpr4-jrj4-6f27)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

  • Tests
    • Added comprehensive PostgreSQL tests validating that malicious sort parameters cannot perform SQL-injection or timing-based attacks; includes checks for varied payload encodings (note: test suite was duplicated).
  • Bug Fixes
    • Improved escaping of quotation characters in field identifiers used in queries, preventing malformed identifiers and reducing injection risk.

parse-github-assistant bot commented Mar 9, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

parseplatformorg (Contributor) commented Mar 9, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Status: passed. Critical 0, High 0, Medium 0, Low 0, Total 0 issues.


coderabbitai bot commented Mar 9, 2026

📝 Walkthrough

Adds Postgres-focused tests that probe SQL injection via dot-notation sort fields and updates PostgresStorageAdapter to escape quotes when constructing SQL identifiers.

Changes

  • SQL Injection Security Tests (spec/vulnerabilities.spec.js): Adds ~161 lines of Postgres-only tests for GHSA-qpr4-jrj4-6f27 exercising injection via the order parameter (pg_sleep, dollar-quoting variants, CHR concatenation, backslash escapes), verifies data integrity and valid dot-notation sorting. Note: the suite is duplicated in the file.
  • PostgreSQL Quote Escaping (src/Adapters/Storage/Postgres/PostgresStorageAdapter.js): Updates transformDotFieldToComponents to escape double quotes in the first component and single quotes in subsequent components when serializing dot-notation components into SQL identifiers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. PR description is mostly complete with required sections, but the Approach section is empty and should detail the specific changes made to fix the SQL injection vulnerability. Resolution: add a detailed Approach section describing how the SQL injection vulnerability is fixed (e.g., quote escaping in transformDotFieldToComponents) and why this approach prevents injection attacks.

✅ Passed checks (2 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: ✅ Passed. The title clearly and specifically summarizes the main change: fixing SQL injection vulnerability via dot-notation field names in PostgreSQL, with the security advisory identifier for clarity.

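To make the quoting rule from the walkthrough concrete, here is an added illustration that is not Parse Server's own transformDotFieldToComponents: a dot-notation sort field is rendered as a double-quoted column identifier followed by single-quoted JSON keys, and embedded quotes are doubled so no component can end its own quoted token. The `->` operator, the function names and the shape check are assumptions for this example; the adapter's exact SQL is not shown on this page.

```javascript
// Added example, not Parse Server's own code: turns a dot-notation sort field
// such as `data.key` into the PostgreSQL expression `"data"->'key'` using the
// quoting rule the fix describes. The `->` operator, the function names and
// the shape check are assumptions made for this illustration.
const DOT_PATH_SHAPE = /^"(?:[^"]|"")*"(?:->'(?:[^']|'')*')*$/;

// Naive builder, the kind of construction the advisory is about: components
// are interpolated unescaped, so a quote inside one ends its quoted token.
function naiveDotFieldToPg(fieldName) {
  const [column, ...keys] = fieldName.split('.');
  return `"${column}"` + keys.map(k => `->'${k}'`).join('');
}

// Hardened builder: double quotes in the identifier and single quotes in
// every JSON key are doubled, so each component stays inside its own quoted
// token whatever characters it contains. Empty components are rejected.
function escapedDotFieldToPg(fieldName) {
  const components = fieldName.split('.');
  if (components.some(c => c.length === 0)) {
    throw new Error(`empty component in dot-notation field: ${fieldName}`);
  }
  const [column, ...keys] = components;
  const ident = `"${column.replace(/"/g, '""')}"`;
  const path = keys.map(k => `->'${k.replace(/'/g, "''")}'`).join('');
  return ident + path;
}

// Structural check a test can assert on: the expression must be exactly one
// quoted identifier followed by quoted `->'key'` segments, nothing unquoted.
function isWellFormedDotPath(expr) {
  return DOT_PATH_SHAPE.test(expr);
}

// Constructed inputs: a legitimate sort field plus two quote-bearing ones.
const SAMPLE_FIELDS = ['data.key', "data.ke'y", 'da"ta.key'];

for (const field of SAMPLE_FIELDS) {
  const naive = naiveDotFieldToPg(field);
  const safe = escapedDotFieldToPg(field);
  console.log(`${field}\n  naive:   ${naive}  ${isWellFormedDotPath(naive) ? 'ok' : 'BROKEN'}`);
  console.log(`  escaped: ${safe}  ${isWellFormedDotPath(safe) ? 'ok' : 'BROKEN'}`);
}
```

The shape check is the kind of assertion a regression test can run against the generated expression without needing a live database.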

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 887-888: The integrity check currently uses new
Parse.Query('InjectionTest').first() and then
expect(verify.get('name')).toBe('original'), which can pick up a different row;
instead re-fetch the specific object by its objectId (e.g., use new
Parse.Query('InjectionTest').get(obj.id) or add equalTo('objectId', obj.id) and
first()) prior to the assertion so you validate the same saved row (ensure you
capture obj.id from the created object before re-querying); alternatively
isolate tests with reconfigureServer() to avoid shared class state.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ab81807-1a37-4d0f-9022-312a1231e350

📥 Commits

Reviewing files that changed from the base of the PR and between df80c89 and 9627660.

📒 Files selected for processing (2)
  • spec/vulnerabilities.spec.js
  • src/Adapters/Storage/Postgres/PostgresStorageAdapter.js

coderabbitai bot left a comment

♻️ Duplicate comments (1)
spec/vulnerabilities.spec.js (1)

927-928: ⚠️ Potential issue | 🟡 Minor

Query the created row by objectId in these integrity checks.

first() can pick up a different InjectionTest row once earlier specs have inserted more data, so these assertions may validate the wrong object. Re-fetch obj.id here, like the first test already does.

🔧 Suggested fix
-    const verify = await new Parse.Query('InjectionTest').first();
+    const verify = await new Parse.Query('InjectionTest').get(obj.id);
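Review bot: the hunk's `.get(obj.id)` only validates the right row if `obj` is the object saved earlier in the same spec, so `obj.id` must be captured before the re-query, as the first test already does. The `query.where('objectId', obj.id)` and `getById` calls named in the accompanying prompt are not what this hunk uses; the earlier comment's `equalTo('objectId', obj.id)` followed by `first()` is the matching alternative form.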

Also applies to: 947-948, 967-968, 987-988

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 927 - 928, The integrity checks
use new Parse.Query('InjectionTest').first() which can return a different row if
other tests inserted data; instead re-query by the created object's id (use
obj.id) so you fetch the exact row — replace the generic first() query with a
query.where('objectId', obj.id) (or equivalent getById) and then assert
verify.get('name') === 'original' for the same object; apply the same change for
the other occurrences around the tests that reference
Parse.Query('InjectionTest').first().

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 032dab6f-4885-4473-b714-52a377fd100a

📥 Commits

Reviewing files that changed from the base of the PR and between 9627660 and 8bba2ec.

📒 Files selected for processing (1)
  • spec/vulnerabilities.spec.js

coderabbitai bot left a comment

🧹 Nitpick comments (2)
spec/vulnerabilities.spec.js (2)

991-1021: Consider verifying actual sort order in positive tests.

The positive tests confirm requests succeed (HTTP 200), but they don't verify that sorting actually works correctly. Adding objects with different values and asserting the response order would strengthen confidence that the fix doesn't break legitimate functionality.

💡 Example enhancement
 it('allows valid dot-notation sort on object field', async () => {
-  const obj = new Parse.Object('InjectionTest');
-  obj.set('data', { key: 'value' });
-  await obj.save();
+  const obj1 = new Parse.Object('SortTest');
+  obj1.set('data', { key: 'b' });
+  await obj1.save();
+  const obj2 = new Parse.Object('SortTest');
+  obj2.set('data', { key: 'a' });
+  await obj2.save();

   const response = await request({
     method: 'GET',
-    url: 'http://localhost:8378/1/classes/InjectionTest',
+    url: 'http://localhost:8378/1/classes/SortTest',
     headers,
     qs: {
       order: 'data.key',
     },
   });
   expect(response.status).toBe(200);
+  expect(response.data.results[0].objectId).toBe(obj2.id); // 'a' comes before 'b'
 });
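Review bot: the single assertion on `results[0]` at the end of the hunk does not show that obj1 came back second, so a response containing only obj2 would still pass; assert the whole ordering instead, e.g. `expect(response.data.results.map(r => r.objectId)).toEqual([obj2.id, obj1.id]);`. Moving the test onto a fresh `SortTest` class is worth keeping, since it also sidesteps the shared `InjectionTest` rows that the `first()` comment above was about; the second positive test named in the prompt ("special characters in sub-field") needs the same treatment and is not covered by this hunk.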
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 991 - 1021, Update the two tests
"allows valid dot-notation sort on object field" and "allows valid dot-notation
with special characters in sub-field" to assert actual sort order, not just HTTP
200: create and save at least two Parse.Object instances with differing values
for data.key (or data['my-field']), perform the same GET request via request({
... qs: { order: 'data.key' } }) or order: 'data.my-field', parse
response.results and add assertions that the returned array is in the expected
ascending/descending order (compare the specific field values), and clean up any
created objects if necessary to keep tests isolated.

863-1022: PR title suggestion per repository conventions.

Based on learnings: For Parse Server PRs, suggest an Angular commit convention PR title that would make a meaningful changelog entry. The current title fix: GHSA-qpr4-jrj4-6f27-v9 is valid but could be more descriptive for the changelog:

fix(security): SQL injection via sort dot-notation field name in Postgres

This clearly communicates:

  • Type: security fix
  • Scope: Postgres adapter
  • Impact: SQL injection vulnerability
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 863 - 1022, The PR title is too
terse; update it from "fix: GHSA-qpr4-jrj4-6f27-v9" to a descriptive
Angular-style title so changelogs capture the fix — e.g. rename the PR to
"fix(security): SQL injection via sort dot-notation field name in Postgres"
(this applies to the commit/PR that touches the tests in
spec/vulnerabilities.spec.js and the Postgres adapter code paths handling
dot-notation sort fields).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 622281e3-9175-4af4-b302-baf3cdee5ff3

📥 Commits

Reviewing files that changed from the base of the PR and between 8bba2ec and a7a9866.

📒 Files selected for processing (1)
  • spec/vulnerabilities.spec.js

mtrezza changed the title from "fix: GHSA-qpr4-jrj4-6f27-v9" to "fix: SQL injection via dot-notation field name in PostgreSQL (GHSA-qpr4-jrj4-6f27)" on Mar 9, 2026
mtrezza merged commit ea538a4 into parse-community:alpha on Mar 9, 2026 (19 of 22 checks passed)
parseplatformorg pushed a commit that referenced this pull request on Mar 9, 2026:
# [9.6.0-alpha.2](9.6.0-alpha.1...9.6.0-alpha.2) (2026-03-09)

### Bug Fixes

* SQL injection via dot-notation field name in PostgreSQL ([GHSA-qpr4-jrj4-6f27](GHSA-qpr4-jrj4-6f27)) ([#10159](#10159)) ([ea538a4](ea538a4))
parseplatformorg (Contributor) commented

🎉 This change has been released in version 9.6.0-alpha.2

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Mar 9, 2026
@mtrezza mtrezza deleted the fix/GHSA-qpr4-jrj4-6f27-v9 branch March 9, 2026 20:29
codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.17%. Comparing base (28d11a3) to head (a7a9866).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10159      +/-   ##
==========================================
- Coverage   92.58%   92.17%   -0.42%     
==========================================
  Files         192      192              
  Lines       16207    16207              
  Branches      183      183              
==========================================
- Hits        15005    14938      -67     
- Misses       1190     1253      +63     
- Partials       12       16       +4     
