Skip to content

fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)#10567

Merged
mtrezza merged 1 commit into
parse-community:release-8.x.xfrom
mtrezza:fix/GHSA-2fgh-8j2g-w354-8.x.x
Jul 10, 2026
Merged

fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)#10567
mtrezza merged 1 commit into
parse-community:release-8.x.xfrom
mtrezza:fix/GHSA-2fgh-8j2g-w354-8.x.x

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member

Issue

GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354)

Tasks

  • Add tests

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GraphQL error sanitization now redacts schema identifiers from additional coercion messages and stack traces when public introspection is disabled. Tests cover restricted callers, master-key access, public introspection, and inline-literal validation.

Changes

GraphQL error redaction

Layer / File(s) Summary
Coercion identifier redaction
src/GraphQL/ParseGraphQLServer.js
Adds redaction for coercion messages without suggestion suffixes and applies the combined sanitizer to error messages and stack traces.
Authorization-aware regression coverage
spec/ParseGraphQLServer.spec.js
Verifies schema identifiers are hidden for restricted callers and retained for master-key or public-introspection requests, including inline literals.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (2 errors, 1 warning)

Check name Status Explanation Resolution
Description check ❌ Error No PR description was provided, so the required Issue, Approach, and Tasks sections are missing. Add the template sections with an Issue link, a brief Approach summary, and the Tasks checklist, including test and security check status.
Engage In Review Feedback ❌ Error The patch only redacts required-field omission messages; it does not address the reviewed nested coercion templates or tests the comment asked for. Implement the remaining nested coercion redactions and regression tests, or point to the review discussion where the reviewer accepted leaving them unchanged.
Security Check ⚠️ Warning The sanitizer still leaves GraphQL coercion templates that expose schema-derived type names to non-introspecting callers. Redact the remaining coercion templates (e.g. nested object/unknown-field messages) and add regression tests for malformed nested values and unknown nested fields.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title uses an allowed prefix and accurately describes the main fix to GraphQL error redaction.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mtrezza

mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/GraphQL/ParseGraphQLServer.js`:
- Around line 73-83: Extend stripSchemaCoercionIdentifiers to redact the type
and field identifiers in the “Expected type "<type>" to be an object.” and
“Field "<field>" is not defined by type "<type>".” coercion messages, while
preserving their non-sensitive wording. Add regression tests covering malformed
nested values and unknown nested fields, verifying generated schema/type names
are absent from the resulting errors.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 70d47f1d-a383-4538-9db7-ed65c0c7c709

📥 Commits

Reviewing files that changed from the base of the PR and between dbd4281 and 1803606.

📒 Files selected for processing (2)
  • spec/ParseGraphQLServer.spec.js
  • src/GraphQL/ParseGraphQLServer.js

Comment thread src/GraphQL/ParseGraphQLServer.js
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.49%. Comparing base (2728fcb) to head (1803606).
⚠️ Report is 1 commits behind head on release-8.x.x.

Additional details and impacted files
@@                Coverage Diff                @@
##           release-8.x.x   #10567      +/-   ##
=================================================
+ Coverage          92.47%   92.49%   +0.01%     
=================================================
  Files                192      192              
  Lines              16190    16194       +4     
  Branches             234      234              
=================================================
+ Hits               14972    14978       +6     
+ Misses              1198     1196       -2     
  Partials              20       20              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza

mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review your feedback conversations and resolve where you found a consensus

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="parse-community/parse-server"
pr=10567

echo "=== Review comments (threaded) ==="
gh api repos/$repo/pulls/$pr/comments --paginate \
  --jq '.[] | {id, in_reply_to_id, user: .user.login, path, line, body: .body[0:300], diff_hunk: .diff_hunk[0:200]}'

Length of output: 2534


🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="parse-community/parse-server"
pr=10567

gh api graphql -f query='
query($owner:String!, $name:String!, $pr:Int!) {
  repository(owner:$owner, name:$name) {
    pullRequest(number:$pr) {
      reviewThreads(first:50) {
        nodes {
          id
          isResolved
          comments(first:10) {
            nodes { id databaseId author { login } body }
          }
        }
      }
    }
  }
}' -f owner=parse-community -f name=parse-server -F pr=$pr \
  --jq '.data.repository.pullRequest.reviewThreads.nodes[] | {id, isResolved, comment_ids: [.comments.nodes[].databaseId]}'

Length of output: 854


@mtrezza I reviewed the feedback conversation on this PR. There's one threaded discussion, on Line 83 of src/GraphQL/ParseGraphQLServer.js regarding the nested-input-type name disclosure. In that thread, you explained the scope boundary (limiting this PR to the ... was not provided. required-field-name disclosure, with the nested-input-type issue tracked separately), and I agreed that this is a fair and well-reasoned distinction.

That thread (PRRT_kwDOAwQnRs6P57gM) has already been marked resolved, so there's nothing further to do there. I didn't find any other threaded review conversations on this PR to reconcile.

@mtrezza mtrezza changed the title fix: GHSA-2fgh-8j2g-w354 fix: GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354) Jul 10, 2026
@mtrezza mtrezza merged commit 6985a38 into parse-community:release-8.x.x Jul 10, 2026
47 of 49 checks passed
@mtrezza mtrezza deleted the fix/GHSA-2fgh-8j2g-w354-8.x.x branch July 10, 2026 15:44
parseplatformorg pushed a commit that referenced this pull request Jul 10, 2026
## [8.6.86](8.6.85...8.6.86) (2026-07-10)

### Bug Fixes

* GraphQL error messages disclose required input field names when public introspection is disabled ([GHSA-2fgh-8j2g-w354](GHSA-2fgh-8j2g-w354)) ([#10567](#10567)) ([6985a38](6985a38)), closes [GHSA-2f#8j2g-w354](https://github.com/GHSA-2f/issues/8j2g-w354) [/github.com/parse-community/parse-server/security/advisories/GHSA-2f#8j2g-w354](https://github.com//github.com/parse-community/parse-server/security/advisories/GHSA-2f/issues/8j2g-w354)
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 8.6.86

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-8.x.x Released as LTS version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants