fix: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj)

[mtrezza]

Issue

GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj)

Tasks

• Add tests

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a GraphQL validation error filtering mechanism that prevents "Did you mean" suggestions from leaking to unauthorized public users. A new Apollo Server plugin strips these schema hints when public introspection is disabled and the request lacks master or maintenance credentials, while preserving them for authorized callers.

Changes

Schema Suggestions Error Handling

Layer / File(s)	Summary
Schema suggestions plugin and server integration src/GraphQL/ParseGraphQLServer.js, spec/ParseGraphQLServer.spec.js	SchemaSuggestionsControlPlugin post-processes validation errors to remove trailing "Did you mean" hints for unauthorized users when introspection is off. Plugin is added to Apollo Server configuration. Tests confirm suggestions are stripped for public requests and retained when master key, maintenance key, or public introspection is enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely missing; no content was provided by the author despite the template requiring Issue, Approach, and Tasks sections.	Add a complete pull request description following the provided template, including Issue (link to GHSA-8cph-rgr4-g5vj), Approach (summary of the plugin-based solution), and completed Tasks (tests added, security check applied).
Engage In Review Feedback	❓ Inconclusive	PR #10467 is newly opened with no visible review comments in git history. Cannot access GitHub PR discussion threads where feedback would appear.	Manually review PR #10467 on GitHub to check for review feedback comments and verify user engagement with any posted feedback.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Secure fix for schema enumeration vulnerability. Plugin strips "Did you mean" from GraphQL validation errors with proper auth checks and safe implementation. No security issues detected.
Title check	✅ Passed	The title begins with 'fix:' prefix as required and clearly describes the security fix: preventing GraphQL 'Did you mean' validation suggestions from disclosing schema information to unauthenticated callers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.57%. Comparing base (56c159e) to head (7429415).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10467   +/-   ##
=======================================
  Coverage   92.57%   92.57%           
=======================================
  Files         193      193           
  Lines       16874    16884   +10     
  Branches      234      234           
=======================================
+ Hits        15621    15631   +10     
  Misses       1230     1230           
  Partials       23       23           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.9.1-alpha.2