fix: Protected fields bypass via dot-notation in query and sort (GHSA-r2m8-pxm9-9c4g)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Protected fields bypass via dot-notation in query and sort (GHSA-r2m8-pxm9-9c4g)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Bug Fixes

  • Strengthened protection against dot-notation bypasses for protected fields in queries and sorting; nested access via $or, $and, $nor is validated and blocked where appropriate while non-protected fields remain accessible and master-key access is preserved.

• Tests

  • Added test suite validating query and sort restrictions for protected object-type fields.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds tests and updates request-time validation to block accessing protected fields via dot-notation in query where-clauses and sort keys; preserves existing behavior for direct nested object queries and allows master-key access where applicable.

Changes

Cohort / File(s)	Summary
Test Suite spec/vulnerabilities.spec.js	Adds new tests "(GHSA-r2m8-pxm9-9c4g) Protected fields WHERE clause bypass via dot-notation on object-type fields" covering where/$or/$and/$nor and sort behaviors against protected fields, plus master-key cases.
Query Validation src/RestQuery.js	Updates denyProtectedFields to iterate over where keys, check root fields split at the first dot, and additionally validate sort keys against protected fields; throws OPERATION_FORBIDDEN referencing the offending key.
Manifests manifest_file, package.json	Manifest/package metadata files modified (non-API changes).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Protected fields bypass via logical query operators (GHSA-72hp-qff8-4pvv) #10140: Also updates denyProtectedFields in RestQuery.js to prevent protected-field bypasses, focusing on recursive logical-operator handling that complements this PR's dot-notation and sort-key checks.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description follows the template with Issue and Tasks sections filled, but the Approach section is missing, which is required to explain the code changes.	Add an Approach section describing how the protected fields bypass vulnerability was fixed, including the changes to RestQuery.js for where-clause and sort validation.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: fixing a security vulnerability (GHSA-r2m8-pxm9-9c4g) related to protected fields bypass via dot-notation in query and sort operations. It directly matches the changeset which adds validation in RestQuery.js and corresponding tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 1456-1458: The new describe block titled "(GHSA-r2m8-pxm9-9c4g)
Protected fields WHERE clause bypass via dot-notation on object-type fields" is
accidentally nested inside the previous "(GHSA-gqpp-xgvh-9h7h)" describe; move
the entire describe("(GHSA-r2m8-pxm9-9h7h)..." {...}) block boundary so that the
GHSA-r2m8-pxm9-9c4g describe is a top-level sibling (i.e., close the
GHSA-gqpp-xgvh-9h7h describe before starting the GHSA-r2m8-pxm9-9c4g describe),
and remove the now-redundant extra closing `});` at the file end that was
compensating for the incorrect nesting.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac100741-62c3-4cb5-aa27-aef599d60bb1

📥 Commits

Reviewing files that changed from the base of the PR and between 27add6d and 2e3e992.

📒 Files selected for processing (2)

• spec/vulnerabilities.spec.js
• src/RestQuery.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.19%. Comparing base (169d692) to head (9f07a61).
⚠️ Report is 117 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10167      +/-   ##
==========================================
- Coverage   92.60%   92.19%   -0.42%     
==========================================
  Files         192      192              
  Lines       16214    16220       +6     
  Branches      183      183              
==========================================
- Hits        15015    14954      -61     
- Misses       1187     1250      +63     
- Partials       12       16       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

spec/vulnerabilities.spec.js (1)

1647-1659: Consider adding explicit error code assertion for consistency.

This test only checks res.status while other tests in the suite verify both res.data.code and res.data.error. Adding these assertions would make the regression test more robust and consistent with the rest of the suite.

💡 Suggested enhancement

   it('should still block direct query on protected field (existing behavior)', async () => {
     const res = await request({
       method: 'GET',
       url: `${Parse.serverURL}/classes/SecretClass`,
       headers: {
         'X-Parse-Application-Id': Parse.applicationId,
         'X-Parse-REST-API-Key': 'rest',
       },
       qs: { where: JSON.stringify({ secretObj: { apiKey: 'SENSITIVE_KEY_123' } }) },
     }).catch(e => e);
-    expect(res.status).toBe(400);
+    expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+    expect(res.data.error).toBe('Permission denied');
   });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 1647 - 1659, The test "should
still block direct query on protected field (existing behavior)" only asserts
res.status; update it to also assert the response body contains explicit error
details like other tests in the suite by adding assertions on res.data (e.g.,
expect(res.data).toHaveProperty('code') and
expect(res.data).toHaveProperty('error') or assert specific expected values if
consistent with the suite), referencing the local variable res and the existing
it(...) test block to locate where to add these checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 1647-1659: The test "should still block direct query on protected
field (existing behavior)" only asserts res.status; update it to also assert the
response body contains explicit error details like other tests in the suite by
adding assertions on res.data (e.g., expect(res.data).toHaveProperty('code') and
expect(res.data).toHaveProperty('error') or assert specific expected values if
consistent with the suite), referencing the local variable res and the existing
it(...) test block to locate where to add these checks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3392c259-3840-465b-8e79-8f2eca591526

📥 Commits

Reviewing files that changed from the base of the PR and between 2e3e992 and 9f07a61.

📒 Files selected for processing (1)

• spec/vulnerabilities.spec.js

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.6

[parseplatformorg]

🎉 This change has been released in version 9.6.0