fix: GraphQL "Did you mean" suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj)

[ulsreall]

Fix for GHSA-8cph-rgr4-g5vj

Vulnerability

GraphQL validation rules (FieldsOnCorrectTypeRule, KnownArgumentNamesRule, KnownTypeNamesRule, etc.) embed "Did you mean ...?" hints sourced from the live schema in their error messages. These messages are returned to the caller before runs, so they sidestep and disclose schema identifiers the introspection guard is meant to hide.

Example: An unauthenticated user sends a query with a typo:

query { healt }

The response contains:

Cannot query field "healt" on type "Query". Did you mean "health"?

This reveals valid field names without needing introspection access.

Fix

Added a new SchemaSuggestionsControlPlugin that hooks into the validation phase (validationDidStart) and strips Did you mean ...? suffixes from error messages for callers that are NOT:

• Master key authenticated
• Maintenance key authenticated
• Using a server with graphQLPublicIntrospection enabled

This ensures the fix works regardless of when the suggestions are generated (before IntrospectionControlPlugin's didResolveOperation hook).

Files Changed

• src/GraphQL/ParseGraphQLServer.js - Added SchemaSuggestionsControlPlugin and registered it in the Apollo Server plugins
• spec/ParseGraphQLServer.spec.js - Added 5 test cases covering:
  • Field suggestions stripped without auth
  • Argument suggestions stripped without auth
  • Suggestions preserved with master key
  • Suggestions preserved with maintenance key
  • Suggestions preserved with public introspection enabled

Summary by CodeRabbit

• New Features
  • Conditional display of "Did you mean" suggestions in GraphQL validation errors: suggestions are removed for unauthenticated/public requests when introspection is disabled, and preserved for master/maintenance requests or when public introspection is enabled.
• Tests
  • Added validation tests covering presence or stripping of "Did you mean" suggestions across unknown fields, arguments, and types.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 59525e06-7c7f-499f-a3c7-c04e951893d4

📥 Commits

Reviewing files that changed from the base of the PR and between 25ec822 and 18d58d8.

📒 Files selected for processing (1)

• spec/ParseGraphQLServer.spec.js

🚧 Files skipped from review as they are similar to previous changes (1)

• spec/ParseGraphQLServer.spec.js

---

📝 Walkthrough

Walkthrough

This PR adds a new SchemaSuggestionsControlPlugin that conditionally removes "Did you mean" hints from GraphQL validation errors when public introspection is disabled and the request lacks master or maintenance credentials; tests validate behavior across master, maintenance, and public-introspection configurations.

Changes

GraphQL Schema Suggestions Control

Layer / File(s)	Summary
Plugin implementation and registration src/GraphQL/ParseGraphQLServer.js	New SchemaSuggestionsControlPlugin inspects GraphQL validation results and removes trailing "Did you mean …?" suffixes from error messages when public introspection is disabled and the request is unauthenticated; plugin is registered in Apollo's plugins array.
Suggestion handling validation tests spec/ParseGraphQLServer.spec.js	Five test cases verify suggestions are removed for unauthenticated requests and preserved when requests include a master key, maintenance key, or when graphQLPublicIntrospection is enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• parse-community/parse-server#10467: Shares the same SchemaSuggestionsControlPlugin implementation and "Did you mean" suggestion control logic under master/maintenance/public-introspection conditions.

Suggested reviewers

• mtrezza

🚥 Pre-merge checks | ✅ 7

✅ Passed checks (7 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title begins with the 'fix:' prefix as required and clearly describes the security fix for schema disclosure via GraphQL validation suggestions.
Description check	✅ Passed	The pull request description provides comprehensive context including vulnerability details, the fix approach, and files changed, though it deviates from the template structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Implements GHSA-8cph-rgr4-g5vj security fix with SchemaSuggestionsControlPlugin. Safe regex, correct access controls, no vulnerabilities found in implementation.
Engage In Review Feedback	✅ Passed	Author engaged with CodeRabbit review feedback by implementing a missing regression test (commit 18d58d8) for KnownTypeNamesRule, explicitly referencing the feedback in the commit message.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix/graphql-schema-disclosure

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.22.0)

OpenGrep fatal error (exit code 2): [00.94][ERROR]: Error: exception Unix_error: No such file or directory stat spec/ParseGraphQLServer.spec.js
Raised by primitive operation at UTmp.replace_named_pipe_by_regular_file_if_needed in file "libs/commons/UTmp.ml", line 145, characters 8-27
Called from Scan_CLI.replace_target_roots_by_regular_files_where_needed.(fun) in file "src/osemgrep/cli_scan/Scan_CLI.ml", lines 1086-1087, characters 19-65
Called from List_.fast_map in file "libs/commons/List_.ml", line 81, characters 17-20
Called f

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/GraphQL/ParseGraphQLServer.js (1)

100-111: ⚡ Quick win

Remove unnecessary async keywords.

The async keywords on lines 100, 101, and 111 are not needed since these functions don't use await or return promises. While harmless, removing them improves clarity.

♻️ Suggested refactor

-  requestDidStart: async (requestContext) => ({
-    validationDidStart: async () => {
+  requestDidStart: (requestContext) => ({
+    validationDidStart: () => {
       if (publicIntrospection) {
         return;
       }
       const isMasterOrMaintenance =
         requestContext.contextValue.auth?.isMaster ||
         requestContext.contextValue.auth?.isMaintenance;
       if (isMasterOrMaintenance) {
         return;
       }
-      return async (validationErrors) => {
+      return (validationErrors) => {
         validationErrors?.forEach(error => {
           error.message = error.message.replace(/ ?Did you mean(.+?)\?$/, '');
         });
       };
     },
   }),

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/GraphQL/ParseGraphQLServer.js` around lines 100 - 111, Remove the
unnecessary async keywords from the Apollo plugin handlers: remove async from
the requestDidStart handler definition (requestDidStart: (requestContext) =>
...), from the validationDidStart handler (validationDidStart: () => ...), and
from the returned validation function inside validationDidStart (the function
that accepts validationErrors); these functions do not use await or return
Promises so dropping async clarifies intent while preserving behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/ParseGraphQLServer.spec.js`:
- Around line 1020-1127: Add a regression test that verifies unknown type
suggestions (KnownTypeNamesRule) are stripped without auth: create a new it
block similar to the existing typo tests that uses apolloClient.query with a
GraphQL query containing a misspelled input type (e.g., query($x:
UsreWhereInput) { health }) and assert the caught error message
(e.networkError.result.errors[0].message) contains the base error ("Unknown
type" or relevant phrase) but does NOT match /Did you mean/ and does NOT contain
the real type name; reuse helpers reconfigureServer/createGQLFromParseServer
when toggling public introspection and keep test structure consistent with the
other cases that check master/maintenance keys and public introspection.

---

Nitpick comments:
In `@src/GraphQL/ParseGraphQLServer.js`:
- Around line 100-111: Remove the unnecessary async keywords from the Apollo
plugin handlers: remove async from the requestDidStart handler definition
(requestDidStart: (requestContext) => ...), from the validationDidStart handler
(validationDidStart: () => ...), and from the returned validation function
inside validationDidStart (the function that accepts validationErrors); these
functions do not use await or return Promises so dropping async clarifies intent
while preserving behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6d072484-a04d-431d-b54a-57764f862594

📥 Commits

Reviewing files that changed from the base of the PR and between 2b9d93d and 25ec822.

📒 Files selected for processing (2)

• spec/ParseGraphQLServer.spec.js
• src/GraphQL/ParseGraphQLServer.js

[mtrezza]

@ulsreall Are you are human or an AI agent? Our terms require that you disclose clearly if you are an AI agent.

[mtrezza]

Closing as AI spam; clone of already merged fix #10467.