fix: Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields#10261
Merged
mtrezza merged 2 commits intoparse-community:alphafrom Mar 20, 2026
Conversation
|
🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review. Tip
Note Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect. Caution Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. |
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds JSON-string escaping for nested-object Increment keys in the Postgres storage adapter and updates PostgreSQL tests to assert that crafted sub-keys cannot create or modify unintended JSONB keys or bypass ACL/CLP protections. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/Adapters/Storage/Postgres/PostgresStorageAdapter.js`:
- Line 212: The escapeJsonString function currently only escapes backslashes and
quotes, leaving control characters like newline, carriage return and tabs
unescaped which can break the CONCAT-built JSON literal; update escapeJsonString
to also replace control characters (at minimum \n, \r, \t — and ideally \b and
\f) with their escaped sequences (e.g. \\n, \\r, \\t, \\b, \\f) using global
replacements so the produced string is a valid JSON string when inserted into
CONCAT('{"...":', ...)::jsonb; keep the existing backslash and quote escaping
and ensure the replacements run on the same input value in escapeJsonString.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 48172d9e-852e-47fa-9e29-e5f14b0645ac
📒 Files selected for processing (3)
spec/PostgresStorageAdapter.spec.jsspec/vulnerabilities.spec.jssrc/Adapters/Storage/Postgres/PostgresStorageAdapter.js
…special characters
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## alpha #10261 +/- ##
=======================================
Coverage 92.55% 92.55%
=======================================
Files 192 192
Lines 16431 16433 +2
Branches 226 226
=======================================
+ Hits 15208 15210 +2
Misses 1203 1203
Partials 20 20 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
parseplatformorg
pushed a commit
that referenced
this pull request
Mar 20, 2026
# [9.6.0-alpha.46](9.6.0-alpha.45...9.6.0-alpha.46) (2026-03-20) ### Bug Fixes * Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields ([#10261](#10261)) ([a692873](a692873))
Contributor
|
🎉 This change has been released in version 9.6.0-alpha.46 |
parseplatformorg
pushed a commit
that referenced
this pull request
Mar 22, 2026
# [9.6.0](9.5.1...9.6.0) (2026-03-22) ### Bug Fixes * LiveQuery `regexTimeout` default value not applied ([#10156](#10156)) ([416cfbc](416cfbc)) * Account lockout race condition allows bypassing threshold via concurrent requests ([#10266](#10266)) ([ff70fee](ff70fee)) * Account takeover via operator injection in authentication data identifier ([GHSA-5fw2-8jcv-xh87](GHSA-5fw2-8jcv-xh87)) ([#10185](#10185)) ([0d0a554](0d0a554)) * Add configurable batch request sub-request limit via option `requestComplexity.batchRequestLimit` ([#10265](#10265)) ([164ed0d](164ed0d)) * Auth data exposed via /users/me endpoint ([GHSA-37mj-c2wf-cx96](GHSA-37mj-c2wf-cx96)) ([#10278](#10278)) ([875cf10](875cf10)) * Auth provider validation bypass on login via partial authData ([GHSA-pfj7-wv7c-22pr](GHSA-pfj7-wv7c-22pr)) ([#10246](#10246)) ([98f4ba5](98f4ba5)) * Block dot-notation updates to authData sub-fields and harden login provider checks ([#10223](#10223)) ([12c24c6](12c24c6)) * Bypass of class-level permissions in LiveQuery ([GHSA-7ch5-98q2-7289](GHSA-7ch5-98q2-7289)) ([#10133](#10133)) ([98188d9](98188d9)) * Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes ([GHSA-7xg7-rqf6-pw6c](GHSA-7xg7-rqf6-pw6c)) ([#10151](#10151)) ([1de4e43](1de4e43)) * Cloud function dispatch crashes server via prototype chain traversal ([GHSA-4263-jgmp-7pf4](GHSA-4263-jgmp-7pf4)) ([#10210](#10210)) ([286373d](286373d)) * Concurrent signup with same authentication creates duplicate users ([#10149](#10149)) ([853bfe1](853bfe1)) * Create CLP not enforced before user field validation on signup ([#10268](#10268)) ([a0530c2](a0530c2)) * Denial of service via unindexed database query for unconfigured auth providers ([GHSA-g4cf-xj29-wqqr](GHSA-g4cf-xj29-wqqr)) ([#10270](#10270)) ([fbac847](fbac847)) * Denial-of-service via unbounded query complexity in REST and GraphQL API ([GHSA-cmj3-wx7h-ffvg](GHSA-cmj3-wx7h-ffvg)) ([#10130](#10130)) ([0ae9c25](0ae9c25)) * Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f) ([#10238](#10238)) ([fbda4cb](fbda4cb)) * Empty authData bypasses credential requirement on signup ([GHSA-wjqw-r9x4-j59v](GHSA-wjqw-r9x4-j59v)) ([#10219](#10219)) ([5dcbf41](5dcbf41)) * GraphQL WebSocket endpoint bypasses security middleware ([GHSA-p2x3-8689-cwpg](GHSA-p2x3-8689-cwpg)) ([#10189](#10189)) ([3ffba75](3ffba75)) * Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields ([#10261](#10261)) ([a692873](a692873)) * Input type validation for query operators and batch path ([#10230](#10230)) ([a628911](a628911)) * Instance comparison with `instanceof` is not realm-safe ([#10225](#10225)) ([51efb1e](51efb1e)) * LDAP injection via unsanitized user input in DN and group filter construction ([GHSA-7m6r-fhh7-r47c](GHSA-7m6r-fhh7-r47c)) ([#10154](#10154)) ([5bbca7b](5bbca7b)) * LiveQuery bypasses CLP pointer permission enforcement ([GHSA-fph2-r4qg-9576](GHSA-fph2-r4qg-9576)) ([#10250](#10250)) ([6c3317a](6c3317a)) * LiveQuery subscription query depth bypass ([GHSA-6qh5-m6g3-xhq6](GHSA-6qh5-m6g3-xhq6)) ([#10259](#10259)) ([2126fe4](2126fe4)) * LiveQuery subscription with invalid regular expression crashes server ([GHSA-827p-g5x5-h86c](GHSA-827p-g5x5-h86c)) ([#10197](#10197)) ([0ae0eee](0ae0eee)) * Locale parameter path traversal in pages router ([#10242](#10242)) ([01fb6a9](01fb6a9)) * MFA recovery code single-use bypass via concurrent requests ([GHSA-2299-ghjr-6vjp](GHSA-2299-ghjr-6vjp)) ([#10275](#10275)) ([5e70094](5e70094)) * MFA recovery codes not consumed after use ([GHSA-4hf6-3x24-c9m8](GHSA-4hf6-3x24-c9m8)) ([#10170](#10170)) ([18abdd9](18abdd9)) * Missing audience validation in Keycloak authentication adapter ([GHSA-48mh-j4p5-7j9v](GHSA-48mh-j4p5-7j9v)) ([#10137](#10137)) ([78ef1a1](78ef1a1)) * Normalize HTTP method case in `allowMethodOverride` middleware ([#10262](#10262)) ([a248e8c](a248e8c)) * NoSQL injection via token type in password reset and email verification endpoints ([GHSA-vgjh-hmwf-c588](GHSA-vgjh-hmwf-c588)) ([#10128](#10128)) ([b2f2317](b2f2317)) * OAuth2 adapter app ID validation sends wrong token to introspection endpoint ([GHSA-69xg-f649-w5g2](GHSA-69xg-f649-w5g2)) ([#10187](#10187)) ([7f9f854](7f9f854)) * OAuth2 adapter shares mutable state across providers via singleton instance ([GHSA-2cjm-2gwv-m892](GHSA-2cjm-2gwv-m892)) ([#10183](#10183)) ([6009bc1](6009bc1)) * Parse Server OAuth2 authentication adapter account takeover via identity spoofing ([GHSA-fr88-w35c-r596](GHSA-fr88-w35c-r596)) ([#10145](#10145)) ([9cfd06e](9cfd06e)) * Parse Server role escalation and CLP bypass via direct `_Join table write ([GHSA-5f92-jrq3-28rc](GHSA-5f92-jrq3-28rc)) ([#10141](#10141)) ([22faa08](22faa08)) * Parse Server session token exfiltration via `redirectClassNameForKey` query parameter ([GHSA-6r2j-cxgf-495f](GHSA-6r2j-cxgf-495f)) ([#10143](#10143)) ([70b7b07](70b7b07)) * Password reset token single-use bypass via concurrent requests ([GHSA-r3xq-68wh-gwvh](GHSA-r3xq-68wh-gwvh)) ([#10216](#10216)) ([84db0a0](84db0a0)) * Protected field change detection oracle via LiveQuery watch parameter ([GHSA-qpc3-fg4j-8hgm](GHSA-qpc3-fg4j-8hgm)) ([#10253](#10253)) ([0c0a0a5](0c0a0a5)) * Protected fields bypass via dot-notation in query and sort ([GHSA-r2m8-pxm9-9c4g](GHSA-r2m8-pxm9-9c4g)) ([#10167](#10167)) ([8f54c54](8f54c54)) * Protected fields bypass via LiveQuery subscription WHERE clause ([GHSA-j7mm-f4rv-6q6q](GHSA-j7mm-f4rv-6q6q)) ([#10175](#10175)) ([4d48847](4d48847)) * Protected fields bypass via logical query operators ([GHSA-72hp-qff8-4pvv](GHSA-72hp-qff8-4pvv)) ([#10140](#10140)) ([be1d65d](be1d65d)) * Protected fields leak via LiveQuery afterEvent trigger ([GHSA-5hmj-jcgp-6hff](GHSA-5hmj-jcgp-6hff)) ([#10232](#10232)) ([6648500](6648500)) * Query condition depth bypass via pre-validation transform pipeline ([GHSA-9fjp-q3c4-6w3j](GHSA-9fjp-q3c4-6w3j)) ([#10257](#10257)) ([85994ef](85994ef)) * Rate limit bypass via batch request endpoint ([GHSA-775h-3xrc-c228](GHSA-775h-3xrc-c228)) ([#10147](#10147)) ([2766f4f](2766f4f)) * Rate limit bypass via HTTP method override and batch method spoofing ([#10234](#10234)) ([7d72d26](7d72d26)) * Rate limit user zone key fallback and batch request bypass ([#10214](#10214)) ([434ecbe](434ecbe)) * Revert accidental breaking default values for query complexity limits ([#10205](#10205)) ([ab8dd54](ab8dd54)) * Sanitize control characters in page parameter response headers ([#10237](#10237)) ([337ffd6](337ffd6)) * Schema poisoning via prototype pollution in deep copy ([GHSA-9ccr-fpp6-78qf](GHSA-9ccr-fpp6-78qf)) ([#10200](#10200)) ([b321423](b321423)) * Security fix fast-xml-parser from 5.5.5 to 5.5.6 ([#10235](#10235)) ([f521576](f521576)) * Security upgrade fast-xml-parser from 5.3.7 to 5.4.2 ([#10086](#10086)) ([b04ca5e](b04ca5e)) * Server crash via deeply nested query condition operators ([GHSA-9xp9-j92r-p88v](GHSA-9xp9-j92r-p88v)) ([#10202](#10202)) ([f44e306](f44e306)) * Session creation endpoint allows overwriting server-generated session fields ([GHSA-5v7g-9h8f-8pgg](GHSA-5v7g-9h8f-8pgg)) ([#10195](#10195)) ([7ccfb97](7ccfb97)) * Session token expiration unchecked on cache hit ([#10194](#10194)) ([a944203](a944203)) * Session update endpoint allows overwriting server-generated session fields ([GHSA-jc39-686j-wp6q](GHSA-jc39-686j-wp6q)) ([#10263](#10263)) ([ea68fc0](ea68fc0)) * SQL injection via `Increment` operation on nested object field in PostgreSQL ([GHSA-q3vj-96h2-gwvg](GHSA-q3vj-96h2-gwvg)) ([#10161](#10161)) ([8f82282](8f82282)) * SQL injection via aggregate and distinct field names in PostgreSQL adapter ([GHSA-p2w6-rmh7-w8q3](GHSA-p2w6-rmh7-w8q3)) ([#10272](#10272)) ([bdddab5](bdddab5)) * SQL injection via dot-notation field name in PostgreSQL ([GHSA-qpr4-jrj4-6f27](GHSA-qpr4-jrj4-6f27)) ([#10159](#10159)) ([ea538a4](ea538a4)) * SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL ([GHSA-gqpp-xgvh-9h7h](GHSA-gqpp-xgvh-9h7h)) ([#10165](#10165)) ([169d692](169d692)) * SQL injection via query field name when using PostgreSQL ([GHSA-c442-97qw-j6c6](GHSA-c442-97qw-j6c6)) ([#10181](#10181)) ([be281b1](be281b1)) * Stored cross-site scripting (XSS) via SVG file upload ([GHSA-hcj7-6gxh-24ww](GHSA-hcj7-6gxh-24ww)) ([#10136](#10136)) ([93b784d](93b784d)) * Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries ([GHSA-42ph-pf9q-cr72](GHSA-42ph-pf9q-cr72)) ([#10191](#10191)) ([4f53ab3](4f53ab3)) * Stored XSS via file upload of HTML-renderable file types ([GHSA-v5hf-f4c3-m5rv](GHSA-v5hf-f4c3-m5rv)) ([#10162](#10162)) ([03287cf](03287cf)) * User enumeration via email verification endpoint ([GHSA-w54v-hf9p-8856](GHSA-w54v-hf9p-8856)) ([#10172](#10172)) ([936abd4](936abd4)) * Validate authData provider values in challenge endpoint ([#10224](#10224)) ([e5e1f5b](e5e1f5b)) * Validate body field types in request middleware ([#10209](#10209)) ([df69046](df69046)) * Validate session in middleware for non-GET requests to `/sessions/me` ([#10213](#10213)) ([2a9fdab](2a9fdab)) * Validate token type in PagesRouter to prevent type confusion errors ([#10212](#10212)) ([386a989](386a989)) ### Features * Add `enableProductPurchaseLegacyApi` option to disable legacy IAP validation ([#10228](#10228)) ([622ee85](622ee85)) * Add `protectedFieldsOwnerExempt` option to control `_User` class owner exemption for `protectedFields` ([#10280](#10280)) ([d5213f8](d5213f8)) * Add `X-Content-Type-Options: nosniff` header and customizable response headers for files via `Parse.Cloud.afterFind(Parse.File)` ([#10158](#10158)) ([28d11a3](28d11a3))
Contributor
|
🎉 This change has been released in version 9.6.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields (GHSA-33gq-87fg-pf98)