Skip to content

fix: GraphQL error messages disclose pointer and relation target class names when public introspection is disabled (GHSA-r2g6-4f6j-f6rf)#10568

Merged
mtrezza merged 3 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-r2g6-4f6j-f6rf-v9
Jul 10, 2026
Merged

fix: GraphQL error messages disclose pointer and relation target class names when public introspection is disabled (GHSA-r2g6-4f6j-f6rf)#10568
mtrezza merged 3 commits into
parse-community:alphafrom
mtrezza:fix/GHSA-r2g6-4f6j-f6rf-v9

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member

Issue

GraphQL error messages disclose pointer and relation target class names when public introspection is disabled (GHSA-r2g6-4f6j-f6rf)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GraphQL error sanitization now uses incoming operation text to preserve caller-referenced type names while redacting undisclosed pointer target classes. Tests cover coercion, validation, selection, fragment, stacktrace, master-key, and public-introspection cases.

Changes

GraphQL error redaction

Layer / File(s) Summary
Operation-aware schema identifier sanitization
src/GraphQL/ParseGraphQLServer.js
Schema-derived type identifiers are redacted unless referenced as whole tokens in operation text; sanitization applies to error messages and stack traces.
Pointer schema redaction coverage
spec/ParseGraphQLServer.spec.js
Tests cover pointer target class redaction and preservation across GraphQL coercion, validation, selection, fragment, master-key, public-introspection, and caller-referenced type scenarios.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant SchemaSuggestionsControlPlugin
  participant stripSchemaIdentifiers
  participant GraphQLResponse
  Client->>SchemaSuggestionsControlPlugin: Send GraphQL query
  SchemaSuggestionsControlPlugin->>stripSchemaIdentifiers: Pass error text and operation text
  stripSchemaIdentifiers->>GraphQLResponse: Return redacted error text
  SchemaSuggestionsControlPlugin->>Client: Send sanitized response
Loading

Possibly related PRs


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 1 inconclusive)

Check name Status Explanation Resolution
Description check ❌ Error No PR description was provided, so the required Issue, Approach, and Tasks sections from the template are missing. Add the template sections with the issue link, a brief approach summary, and the relevant task checkboxes completed or removed.
Engage In Review Feedback ❓ Inconclusive PR history shows follow-up commits, but review-comment engagement itself is not observable from the repo artifacts. Need PR discussion/review metadata or comments to verify engagement before judging this check.
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed The patch hardens GraphQL error redaction for the known schema-disclosure class and I found no regex injection, auth bypass, or other new vuln pattern.
Title check ✅ Passed The title uses an allowed prefix and accurately summarizes the security fix in GraphQL error redaction.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.69%. Comparing base (d96c945) to head (f7aef8e).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10568      +/-   ##
==========================================
+ Coverage   92.67%   92.69%   +0.01%     
==========================================
  Files         193      193              
  Lines       16990    17007      +17     
  Branches      248      248              
==========================================
+ Hits        15745    15764      +19     
+ Misses       1224     1222       -2     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/GraphQL/ParseGraphQLServer.js`:
- Around line 146-153: Escape all regular-expression metacharacters in bareName
before interpolating it into the RegExp constructed by isReferenced, while
preserving the existing word-boundary matching behavior and empty/type checks.
Use a standard regex-escape approach so unusual captured type names cannot throw
or alter the pattern.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1985520f-371e-4b4a-8f02-bc49160b7681

📥 Commits

Reviewing files that changed from the base of the PR and between 5a2cb90 and 92bae94.

📒 Files selected for processing (1)
  • src/GraphQL/ParseGraphQLServer.js

Comment thread src/GraphQL/ParseGraphQLServer.js Outdated
@mtrezza

mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review your feedback conversations and resolve where you found a consensus

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="parse-community/parse-server"
pr=10568

echo "### Review comments (inline) ###"
gh api "repos/$repo/pulls/$pr/comments" --paginate | jq -r '.[] | "ID:\(.id) USER:\(.user.login) PATH:\(.path) LINE:\(.line // .original_line) IN_REPLY_TO:\(.in_reply_to_id // "null")\n\(.body)\n---"'

echo "### Issue (top-level) comments ###"
gh api "repos/$repo/issues/$pr/comments" --paginate | jq -r '.[] | "ID:\(.id) USER:\(.user.login)\n\(.body)\n---"'

Length of output: 20041


🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="parse-community/parse-server"
pr=10568

gh api graphql -f query='
query($owner:String!, $name:String!, $pr:Int!) {
  repository(owner:$owner, name:$name) {
    pullRequest(number:$pr) {
      reviewThreads(first:50) {
        nodes {
          id
          isResolved
          comments(first:10) {
            nodes { id databaseId author { login } body }
          }
        }
      }
    }
  }
}' -f owner=parse-community -f name=parse-server -F pr=$pr | jq '.data.repository.pullRequest.reviewThreads.nodes[] | {id, isResolved, comments: [.comments.nodes[] | {databaseId, author: .author.login}]}'

Length of output: 1077


The one review thread I have on this PR (regarding escaping/removing the dynamic RegExp construction in isReferenced at src/GraphQL/ParseGraphQLServer.js) already reached consensus — mtrezza's fix (tokenizing operationText into a Set instead of building a RegExp from captured input) fully addressed the concern, I confirmed it, and it's already marked resolved on GitHub. There are no other open review threads from me on this PR needing resolution.

@mtrezza I checked all my review conversations on this PR — there's only the one thread on src/GraphQL/ParseGraphQLServer.js (Line 153) about escaping bareName before use in RegExp. We already reached consensus there: you replaced the dynamic RegExp with token-set membership checking, I confirmed the fix closes the injection/ReDoS surface, and that thread is already resolved. No other threads are pending action.

@mtrezza

mtrezza commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza mtrezza changed the title fix: GHSA-r2g6-4f6j-f6rf fix: GraphQL error messages disclose pointer and relation target class names when public introspection is disabled (GHSA-r2g6-4f6j-f6rf) Jul 10, 2026
@mtrezza mtrezza merged commit cb9b542 into parse-community:alpha Jul 10, 2026
24 checks passed
parseplatformorg pushed a commit that referenced this pull request Jul 10, 2026
# [9.10.0-alpha.6](9.10.0-alpha.5...9.10.0-alpha.6) (2026-07-10)

### Bug Fixes

* GraphQL error messages disclose pointer and relation target class names when public introspection is disabled ([GHSA-r2g6-4f6j-f6rf](GHSA-r2g6-4f6j-f6rf)) ([#10568](#10568)) ([cb9b542](cb9b542))
@mtrezza mtrezza deleted the fix/GHSA-r2g6-4f6j-f6rf-v9 branch July 10, 2026 22:29
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 9.10.0-alpha.6

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-alpha Released as alpha version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants