Skip to content

fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)#10564

Merged
mtrezza merged 1 commit into
parse-community:release-8.x.xfrom
mtrezza:fix/GHSA-9g8f-h8f3-hjcm-v8
Jul 8, 2026
Merged

fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)#10564
mtrezza merged 1 commit into
parse-community:release-8.x.xfrom
mtrezza:fix/GHSA-9g8f-h8f3-hjcm-v8

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 7, 2026

Copy link
Copy Markdown
Member

Issue

GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm)

Tasks

  • Add tests

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Refactors SchemaSuggestionsControlPlugin to strip GraphQL "Did you mean...?" schema hints during the willSendResponse phase rather than validationDidStart, using a shared stripSchemaSuggestion helper applied to both error messages and stacktrace extensions. Adds corresponding spec tests.

Changes

Schema Suggestion Stripping

Layer / File(s) Summary
Plugin logic: strip suggestions in response phase
src/GraphQL/ParseGraphQLServer.js
Adds stripSchemaSuggestion helper and moves hint-stripping logic from validationDidStart to willSendResponse, handling both single and incremental response shapes and sanitizing error.message and error.extensions.stacktrace.
Spec coverage for stripped/preserved suggestions
spec/ParseGraphQLServer.spec.js
Adds an error-extraction helper and tests confirming suggestions are removed for variable-coercion errors without master/maintenance key (with no cloud-function-name leakage) and preserved with master key or public introspection.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant ApolloServer
  participant SchemaSuggestionsControlPlugin

  Client->>ApolloServer: GraphQL request (no master key)
  ApolloServer->>SchemaSuggestionsControlPlugin: willSendResponse(requestContext)
  SchemaSuggestionsControlPlugin->>SchemaSuggestionsControlPlugin: stripSchemaSuggestion(error.message)
  SchemaSuggestionsControlPlugin->>SchemaSuggestionsControlPlugin: stripSchemaSuggestion(error.extensions.stacktrace)
  SchemaSuggestionsControlPlugin-->>ApolloServer: sanitized response body
  ApolloServer-->>Client: error response without schema hints
Loading

Possibly related PRs

  • parse-community/parse-server#10467: Addresses the same "Did you mean" schema-hint disclosure issue with corresponding changes to SchemaSuggestionsControlPlugin and matching spec test coverage.

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Description check ❌ Error No PR description was provided, so the required Issue, Approach, and Tasks sections are missing. Add the repository template sections and briefly describe the issue, the approach taken, and the completed checklist items.
✅ Passed checks (6 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed PASS: The patch sanitizes "Did you mean" hints in returned GraphQL errors for non-introspecting callers and leaves authorized/public cases intact; no insecure pattern was introduced.
Engage In Review Feedback ✅ Passed PASS: The PR summary shows only a review request and no feedback comments, so there was nothing to ignore or resolve without discussion.
Title check ✅ Passed The title uses the required prefix and clearly summarizes the security fix in the changeset.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mtrezza

mtrezza commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.48%. Comparing base (55eab32) to head (3be2fb1).
⚠️ Report is 1 commits behind head on release-8.x.x.

Additional details and impacted files
@@                Coverage Diff                @@
##           release-8.x.x   #10564      +/-   ##
=================================================
+ Coverage          92.47%   92.48%   +0.01%     
=================================================
  Files                192      192              
  Lines              16185    16190       +5     
  Branches             234      234              
=================================================
+ Hits               14967    14974       +7     
+ Misses              1198     1196       -2     
  Partials              20       20              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza mtrezza changed the title fix: GHSA-9g8f-h8f3-hjcm fix: GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm) Jul 7, 2026
@mtrezza mtrezza merged commit 2728fcb into parse-community:release-8.x.x Jul 8, 2026
46 of 49 checks passed
@mtrezza mtrezza deleted the fix/GHSA-9g8f-h8f3-hjcm-v8 branch July 8, 2026 04:49
parseplatformorg pushed a commit that referenced this pull request Jul 8, 2026
## [8.6.85](8.6.84...8.6.85) (2026-07-08)

### Bug Fixes

* GraphQL variable-coercion suggestions disclose schema to unauthenticated callers ([GHSA-9g8f-h8f3-hjcm](GHSA-9g8f-h8f3-hjcm)) ([#10564](#10564)) ([2728fcb](2728fcb))
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 8.6.85

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-8.x.x Released as LTS version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants