fix: LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2)

[mtrezza]

Issue

LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2)

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds strict array-type validation for $or, $and, and $nor across LiveQuery and REST query handling; subscription parsing now rejects non-array logical-operator values with Parse.Error.INVALID_QUERY. Tests added to assert array-like operator objects cannot bypass protected-field checks and that no events are emitted when such subscriptions are rejected.

Changes

Cohort / File(s)	Summary
Vulnerability Test Suite spec/vulnerabilities.spec.js	New LiveQuery tests (GHSA-mmg8-87c5-jrc2) that provision a protected-field schema and assert subscriptions using array-like $or/$and/$nor are rejected with Parse.Error.INVALID_QUERY and do not emit events.
LiveQuery Server and Tools src/LiveQuery/ParseLiveQueryServer.ts, src/LiveQuery/QueryTools.js	Enforce that $or/$and/$nor must be arrays before traversal; _validateQueryConstraints and matchesKeyConstraints now validate operand types and recursively validate subqueries, rejecting non-array values with INVALID_QUERY.
REST Query Protected-Field Validation src/RestQuery.js	denyProtectedFields now throws a sanitized Parse.Error.INVALID_QUERY when $or/$and/$nor exist but are not arrays, retaining recursive checks for array operands.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant LQ as ParseLiveQueryServer
    participant Tools as QueryTools / RestQuery
    participant DB as Database

    Client->>LQ: subscribe(query with $or/$and/$nor)
    LQ->>Tools: _validateQueryConstraints(where)
    Tools-->>LQ: invalid if operator present && not Array
    alt invalid operator type
        LQ-->>Client: reject with Parse.Error.INVALID_QUERY
    else valid arrays
        LQ->>DB: evaluate subscription / perform protected-field traversal
        DB-->>LQ: results / no matching events if denied
        LQ-->>Client: subscription established (or rejected if protected fields found)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Query condition depth bypass via pre-validation transform pipeline (GHSA-9fjp-q3c4-6w3j) #10257: Modifies validation of $or/$and/$nor in query handling, overlapping changes in LiveQuery and REST paths.
• fix: LiveQuery subscription query depth bypass (GHSA-6qh5-m6g3-xhq6) #10259: Adjusts LiveQuery subscription validation and depth checks—overlaps with subscribe-time validation updated here.
• fix: Protected fields bypass via logical query operators (GHSA-72hp-qff8-4pvv) #10140: Updates RestQuery protected-field handling for logical operators—directly related to the denyProtectedFields changes.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely empty; no content was provided by the author despite the template requiring sections for Issue, Approach, and Tasks.	Add a description following the provided template: include the Issue being fixed (GHSA-mmg8-87c5-jrc2), describe the Approach (validation logic changes), and check off completed Tasks (tests added, security check).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Title check	✅ Passed	The title clearly and specifically describes the main fix: addressing a LiveQuery vulnerability (GHSA-mmg8-87c5-jrc2) involving a protected-field guard bypass via array-like logical operator values, which matches the core changes across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/vulnerabilities.spec.js (1)

5335-5373: Add the matching REST regression for these malformed operators.

These cases only exercise query.subscribe(), but the fix also hardens the HTTP query path. A /classes/SecretClass regression with the same array-like $or / $and / $nor payloads would keep the REST and LiveQuery validators from drifting independently.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 5335 - 5373, Add REST regression
tests mirroring the LiveQuery cases by issuing POST requests to the classes
endpoint (e.g., POST to /classes/SecretClass) with the same malformed array-like
$or/$and/$nor payloads used in the subscribe tests and asserting the server
returns a Parse.Error.INVALID_QUERY (HTTP 400) for each payload; reference the
existing test patterns that use Parse.Query and query.subscribe() and replicate
them by constructing the equivalent {"where": { $or: { "0": {...}, length: 1 }
}} (and similar for $and/$nor and the non-protected-field $or) in the REST
request body so the REST query path is validated the same as the LiveQuery path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 5375-5401: The test currently wraps the entire subscription flow
in one try/catch so any later error (like obj.save() or the updateSpy assertion)
can be mistaken for the subscribe() rejection; change the logic to only catch
the subscribe() call itself by invoking await query.subscribe() inside its own
try/catch (assign to a local subscription variable on success and set
subscriptionError only from that catch), then run the rest of the interaction
(subscription.on handlers, obj.set()/obj.save(), assertions) outside that catch
so failures there do not mark subscribe() as rejected; reference:
query.subscribe(), subscriptionError, subscription, updateSpy, obj.save().

---

Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 5335-5373: Add REST regression tests mirroring the LiveQuery cases
by issuing POST requests to the classes endpoint (e.g., POST to
/classes/SecretClass) with the same malformed array-like $or/$and/$nor payloads
used in the subscribe tests and asserting the server returns a
Parse.Error.INVALID_QUERY (HTTP 400) for each payload; reference the existing
test patterns that use Parse.Query and query.subscribe() and replicate them by
constructing the equivalent {"where": { $or: { "0": {...}, length: 1 } }} (and
similar for $and/$nor and the non-protected-field $or) in the REST request body
so the REST query path is validated the same as the LiveQuery path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a3badc6-d95e-4060-8e34-95f2982e277b

📥 Commits

Reviewing files that changed from the base of the PR and between f897d83 and a1e1b80.

📒 Files selected for processing (4)

• spec/vulnerabilities.spec.js
• src/LiveQuery/ParseLiveQueryServer.ts
• src/LiveQuery/QueryTools.js
• src/RestQuery.js

[codecov]

Codecov Report

❌ Patch coverage is 55.55556% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.52%. Comparing base (63c37c4) to head (13ff53a).
⚠️ Report is 7 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/LiveQuery/ParseLiveQueryServer.ts	60.00%	2 Missing and 2 partials ⚠️
src/LiveQuery/QueryTools.js	50.00%	3 Missing ⚠️
src/RestQuery.js	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10350      +/-   ##
==========================================
- Coverage   92.53%   92.52%   -0.02%     
==========================================
  Files         192      192              
  Lines       16541    16552      +11     
  Branches      229      231       +2     
==========================================
+ Hits        15306    15314       +8     
- Misses       1215     1216       +1     
- Partials       20       22       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[parseplatformorg]

🎉 This change has been released in version 9.7.0-alpha.16

[parseplatformorg]

🎉 This change has been released in version 9.7.0