test: LiveQuery operator type confusion (GHSA-fjxm-vhvc-gcmj)

[mtrezza]

Summary

• Adds tests to verify that LiveQuery operator type confusion ($in, $nin, $all, $containedBy with non-array values) does not crash the server
• Tests prove that errors are caught by ParseLiveQueryServer's existing try/catch handling and other subscriptions continue to work normally

Tasks

• Add unit tests
• Add integration test

Summary by CodeRabbit

• Tests
  • Added unit tests to ensure operator/value type-mismatch cases are rejected and valid patterns succeed.
  • Added integration tests verifying malformed real-time subscriptions do not crash the server and valid subscriptions continue receiving events.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new test suite to spec/vulnerabilities.spec.js that verifies LiveQuery/matchesQuery handling of operator type-confusion and checks a malformed LiveQuery subscription does not crash the server while valid subscriptions continue receiving events.

Changes

Cohort / File(s)	Summary
LiveQuery Vulnerability Tests spec/vulnerabilities.spec.js	Adds a new test suite "GHSA-fjxm-vhvc-gcmj) LiveQuery Operator Type Confusion" with unit tests for matchesQuery operator/type validation (expecting specific malformed operator/value shapes to throw and a valid $in array to succeed) and an integration test ensuring a malformed LiveQuery subscription doesn't crash the server and other subscriptions still function.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix: LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) #10197: Related LiveQuery robustness tests and fixes addressing malformed subscription queries.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers the main purpose and includes completed tasks, but lacks explicit issue reference and doesn't address all template sections (documentation/security check requirements).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding tests for a specific LiveQuery operator type confusion vulnerability (GHSA-fjxm-vhvc-gcmj).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 2819-2847: Replace the mixed async+done pattern in the spec by
removing the done callback and awaiting a Promise for the 'create' event on
validSubscription; specifically, change the test function signature to async ()
=>, wrap validSubscription.on('create', ...) into a new Promise that resolves
when the event fires and rejects on errors, ensure malClient.close() is called
in a finally block for guaranteed cleanup, and await that Promise before
finishing the test (keep use of malClient, malformedQuery, validQuery,
validSubscription, and obj to locate the relevant code).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1efd61d-7185-4d53-a6c7-fb55bd744fe9

📥 Commits

Reviewing files that changed from the base of the PR and between f403131 and 87f9ac4.

📒 Files selected for processing (1)

• spec/vulnerabilities.spec.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.56%. Comparing base (f403131) to head (3db72b9).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10208   +/-   ##
=======================================
  Coverage   92.56%   92.56%           
=======================================
  Files         192      192           
  Lines       16284    16284           
  Branches      199      199           
=======================================
  Hits        15073    15073           
  Misses       1194     1194           
  Partials       17       17           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 2773-2774: The test suite starting with
describe('(GHSA-fjxm-vhvc-gcmj) LiveQuery Operator Type Confusion' is missing
LiveQuery server setup; add a beforeEach that calls reconfigureServer with
liveQuery enabled and classNames including 'TestObject' (so the WebSocket will
accept subscriptions for that class) and an afterEach to tear down or
reconfigure the server back to defaults (or stop the LiveQuery server) so other
suites aren't affected; place these hooks inside the same describe block
alongside the existing matchesQuery require to ensure the LiveQuery server is
running for the tests that follow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 518c955f-9ff7-4ebe-a4e1-1d84919893dd

📥 Commits

Reviewing files that changed from the base of the PR and between 87f9ac4 and 5b9cb5c.

📒 Files selected for processing (1)

• spec/vulnerabilities.spec.js

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.23