fix: Block dot-notation updates to authData sub-fields and harden login provider checks

[mtrezza]

Issue

Two related input validation bugs in authData handling:

1. Dot-notation injection (src/Controllers/DatabaseController.js): The field name guard only blocked authData.<alphanumeric>.id via regex /^authData\.([a-zA-Z0-9_]+)\.id$/. Special characters in provider names (e.g. authData.anonymous".id) bypassed the check. Fix: widen to /^authData\./ to block all dot-notation updates to authData sub-fields. This is safe because authData is only updated as a top-level field internally, never via dot-notation.

2. Login crash on unknown provider (src/Auth.js): checkIfUserHasProvidedConfiguredProvidersForLogin calls getValidatorForProvider(provider).adapter for each stored provider. Unknown providers return undefined, causing a null dereference and 500 on login. Fix: filter out providers where the validator or adapter is missing.

Tasks

• Add tests
• Add changes
• Add security check
• Add benchmark

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Enhanced validation of authentication data fields during updates to prevent injection attacks
  • Improved login stability when authentication data contains unconfigured providers
  • Strengthened protection against malicious authentication data modifications

• Tests

  • Added test coverage for authentication data validation and login resilience scenarios

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds security tests for authData dot-notation injection attacks and implements input validation to prevent them. It expands the invalid field name check in DatabaseController from just authData.[provider].id to all fields matching authData.* patterns, and makes the login process resilient to missing or unknown provider validators.

Changes

Cohort / File(s)	Summary
Security Tests spec/vulnerabilities.spec.js	Adds 50 lines of test cases validating that dot-notation updates targeting authData sub-fields are rejected with a 400 response, and that login succeeds despite corrupted authData with unknown providers.
Auth Resilience src/Auth.js	Modified checkIfUserHasProvidedConfiguredProvidersForLogin to gracefully skip providers lacking validators or adapters instead of failing, filtering out null entries from the safeguarded provider list.
Database Validation src/Controllers/DatabaseController.js	Broadened the invalid field name check from rejecting only authData.[provider].id to rejecting any field name matching /^authData\./ during updates, preventing all authData dot-notation injection attempts.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: Concurrent signup with same authentication creates duplicate users #10149 — Modifies authData handling in DatabaseController and implements authData-unique index creation with duplicate authentication handling logic.
• SQL injection via query field name when using PostgreSQL (GHSA-c442-97qw-j6c6) #10177 — Centralizes and tightens key-name validation in DatabaseController to block unsafe dot-notation updates to internal fields beyond just authData.
• fix: Unlinking auth provider triggers auth data validation #10045 — Modifies authData update handling with controls for dot-notation updates and provider unlinking/null value handling.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the two main changes: blocking dot-notation authData updates and hardening login provider checks.
Description check	✅ Passed	The description covers Issue and Approach sections thoroughly, explaining both bugs and fixes. Tasks section indicates tests and code changes are complete, though security checks are pending.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

spec/vulnerabilities.spec.js (1)

3014-3032: Strengthen assertion for the rejected dotted-key update.

Nice test; consider also asserting Parse.Error.INVALID_KEY_NAME so the test fails only for the intended guard, not any generic 400.

Suggested test assertion tightening

       }).catch(e => e);
       expect(res.status).toBe(400);
+      const body = typeof res.data === 'string' ? JSON.parse(res.data) : res.data;
+      expect(body.code).toBe(Parse.Error.INVALID_KEY_NAME);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 3014 - 3032, Update the test
"rejects dotted update key that targets authData sub-field" to assert the
specific Parse error code for an invalid key name instead of only checking HTTP
400: after receiving the response (res), parse the JSON body and add an
assertion that the returned error code equals Parse.Error.INVALID_KEY_NAME (keep
the existing expect(res.status).toBe(400) check as well) so the test fails only
for the intended invalid-key guard.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3014-3032: Update the test "rejects dotted update key that targets
authData sub-field" to assert the specific Parse error code for an invalid key
name instead of only checking HTTP 400: after receiving the response (res),
parse the JSON body and add an assertion that the returned error code equals
Parse.Error.INVALID_KEY_NAME (keep the existing expect(res.status).toBe(400)
check as well) so the test fails only for the intended invalid-key guard.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d750d172-d7dc-48b0-869d-b520e718c39a

📥 Commits

Reviewing files that changed from the base of the PR and between 9667fd7 and 4e284cf.

📒 Files selected for processing (3)

• spec/vulnerabilities.spec.js
• src/Auth.js
• src/Controllers/DatabaseController.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.59%. Comparing base (5dcbf41) to head (4e284cf).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10223      +/-   ##
==========================================
+ Coverage   92.57%   92.59%   +0.01%     
==========================================
  Files         192      192              
  Lines       16300    16304       +4     
  Branches      199      199              
==========================================
+ Hits        15090    15096       +6     
+ Misses       1193     1191       -2     
  Partials       17       17              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.30