fix

Author: mtrezza

package-lock.json

@@ -30,7 +30,6 @@
     "bcryptjs": "3.0.3",
     "commander": "14.0.3",
     "cors": "2.8.6",
-    "deepcopy": "2.1.0",
     "express": "5.2.1",
     "express-rate-limit": "8.2.1",
     "follow-redirects": "1.15.9",

package.json

@@ -353,12 +353,23 @@ describe('Vulnerabilities', () => {
       });
 
       it('denies __proto__ after a sibling nested object', async () => {
-        // Cannot test via HTTP because deepcopy() strips __proto__ before the denylist
-        // check runs. Test objectContainsKeyValue directly with a JSON.parse'd object
-        // that preserves __proto__ as an own property.
-        const Utils = require('../lib/Utils');
-        const data = JSON.parse('{"profile": {"name": "alice"}, "__proto__": {"isAdmin": true}}');
-        expect(Utils.objectContainsKeyValue(data, '__proto__', undefined)).toBe(true);
+        const headers = {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        };
+        const response = await request({
+          headers,
+          method: 'POST',
+          url: 'http://localhost:8378/1/classes/PP',
+          body: JSON.stringify(
+            JSON.parse('{"profile": {"name": "alice"}, "__proto__": {"isAdmin": true}}')
+          ),
+        }).catch(e => e);
+        expect(response.status).toBe(400);
+        const text = typeof response.data === 'string' ? JSON.parse(response.data) : response.data;
+        expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+        expect(text.error).toContain('__proto__');
       });
 
       it('denies constructor after a sibling nested object', async () => {
@@ -2644,4 +2655,95 @@ describe('(GHSA-c442-97qw-j6c6) SQL Injection via $regex query operator field na
       expect(result.body.errors[0].message).toMatch(/exceeds maximum allowed/);
     });
   });
+
+  describe('(GHSA-9ccr-fpp6-78qf) Schema poisoning via __proto__ bypassing requestKeywordDenylist and addField CLP', () => {
+    const headers = {
+      'Content-Type': 'application/json',
+      'X-Parse-Application-Id': 'test',
+      'X-Parse-REST-API-Key': 'rest',
+    };
+
+    it('rejects __proto__ in request body via HTTP', async () => {
+      const response = await request({
+        headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/ProtoTest',
+        body: JSON.stringify(JSON.parse('{"name":"test","__proto__":{"injected":"value"}}')),
+      }).catch(e => e);
+      expect(response.status).toBe(400);
+      const text = typeof response.data === 'string' ? JSON.parse(response.data) : response.data;
+      expect(text.code).toBe(Parse.Error.INVALID_KEY_NAME);
+      expect(text.error).toContain('__proto__');
+    });
+
+    it('does not add fields to a locked schema via __proto__', async () => {
+      const schema = new Parse.Schema('LockedSchema');
+      schema.addString('name');
+      schema.setCLP({
+        find: { '*': true },
+        get: { '*': true },
+        create: { '*': true },
+        update: { '*': true },
+        delete: { '*': true },
+        addField: {},
+      });
+      await schema.save();
+
+      // Attempt to inject a field via __proto__
+      const response = await request({
+        headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/LockedSchema',
+        body: JSON.stringify(JSON.parse('{"name":"test","__proto__":{"newField":"bypassed"}}')),
+      }).catch(e => e);
+
+      // Should be rejected by denylist
+      expect(response.status).toBe(400);
+
+      // Verify schema was not modified
+      const schemaResponse = await request({
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Master-Key': 'test',
+        },
+        method: 'GET',
+        url: 'http://localhost:8378/1/schemas/LockedSchema',
+      });
+      const fields = schemaResponse.data.fields;
+      expect(fields.newField).toBeUndefined();
+    });
+
+    it('does not cause schema type conflict via __proto__', async () => {
+      const schema = new Parse.Schema('TypeConflict');
+      schema.addString('name');
+      schema.addString('score');
+      schema.setCLP({
+        find: { '*': true },
+        get: { '*': true },
+        create: { '*': true },
+        update: { '*': true },
+        delete: { '*': true },
+        addField: {},
+      });
+      await schema.save();
+
+      // Attempt to inject 'score' as Number via __proto__
+      const response = await request({
+        headers,
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/TypeConflict',
+        body: JSON.stringify(JSON.parse('{"name":"test","__proto__":{"score":42}}')),
+      }).catch(e => e);
+
+      // Should be rejected by denylist
+      expect(response.status).toBe(400);
+
+      // Verify 'score' field is still String type
+      const obj = new Parse.Object('TypeConflict');
+      obj.set('name', 'valid');
+      obj.set('score', 'string-value');
+      await obj.save();
+      expect(obj.get('score')).toBe('string-value');
+    });
+  });
 });

spec/vulnerabilities.spec.js

@@ -8,8 +8,6 @@ import { Parse } from 'parse/node';
 import _ from 'lodash';
 // @flow-disable-next
 import intersect from 'intersect';
-// @flow-disable-next
-import deepcopy from 'deepcopy';
 import logger from '../logger';
 import Utils from '../Utils';
 import * as SchemaController from './SchemaController';
@@ -541,7 +539,7 @@ class DatabaseController {
     const originalQuery = query;
     const originalUpdate = update;
     // Make a copy of the object, so we don't mutate the incoming data.
-    update = deepcopy(update);
+    update = structuredClone(update);
     var relationUpdates = [];
     var isMaster = acl === undefined;
     var aclGroup = acl || [];

src/Controllers/DatabaseController.js

@@ -21,8 +21,6 @@ import SchemaCache from '../Adapters/Cache/SchemaCache';
 import DatabaseController from './DatabaseController';
 import Config from '../Config';
 import { createSanitizedError } from '../Error';
-// @flow-disable-next
-import deepcopy from 'deepcopy';
 import type {
   Schema,
   SchemaFields,
@@ -573,7 +571,7 @@ class SchemaData {
           if (!this.__data[schema.className]) {
             const data = {};
             data.fields = injectDefaultSchema(schema).fields;
-            data.classLevelPermissions = deepcopy(schema.classLevelPermissions);
+            data.classLevelPermissions = structuredClone(schema.classLevelPermissions);
             data.indexes = schema.indexes;
 
             const classProtectedFields = this.__protectedFields[schema.className];

src/Controllers/SchemaController.js

@@ -1,5 +1,5 @@
 import { GraphQLNonNull, GraphQLEnumType } from 'graphql';
-import deepcopy from 'deepcopy';
+
 import { mutationWithClientMutationId } from 'graphql-relay';
 import { FunctionsRouter } from '../../Routers/FunctionsRouter';
 import * as defaultGraphQLTypes from './defaultGraphQLTypes';
@@ -44,7 +44,7 @@ const load = parseGraphQLSchema => {
       },
       mutateAndGetPayload: async (args, context) => {
         try {
-          const { functionName, params } = deepcopy(args);
+          const { functionName, params } = structuredClone(args);
           const { config, auth, info } = context;
 
           return {

src/GraphQL/loaders/functionsMutations.js

@@ -1,7 +1,7 @@
 import { GraphQLNonNull } from 'graphql';
 import { fromGlobalId, mutationWithClientMutationId } from 'graphql-relay';
 import getFieldNames from 'graphql-list-fields';
-import deepcopy from 'deepcopy';
+
 import * as defaultGraphQLTypes from './defaultGraphQLTypes';
 import { extractKeysAndInclude, getParseClassMutationConfig } from '../parseGraphQLUtils';
 import * as objectsMutations from '../helpers/objectsMutations';
@@ -75,7 +75,7 @@ const load = function (parseGraphQLSchema, parseClass, parseClassConfig: ?ParseG
       },
       mutateAndGetPayload: async (args, context, mutationInfo) => {
         try {
-          let { fields } = deepcopy(args);
+          let { fields } = structuredClone(args);
           if (!fields) { fields = {}; }
           const { config, auth, info } = context;
 
@@ -178,7 +178,7 @@ const load = function (parseGraphQLSchema, parseClass, parseClassConfig: ?ParseG
       },
       mutateAndGetPayload: async (args, context, mutationInfo) => {
         try {
-          let { id, fields } = deepcopy(args);
+          let { id, fields } = structuredClone(args);
           if (!fields) { fields = {}; }
           const { config, auth, info } = context;
 
@@ -284,7 +284,7 @@ const load = function (parseGraphQLSchema, parseClass, parseClassConfig: ?ParseG
       },
       mutateAndGetPayload: async (args, context, mutationInfo) => {
         try {
-          let { id } = deepcopy(args);
+          let { id } = structuredClone(args);
           const { config, auth, info } = context;
 
           const globalIdObject = fromGlobalId(id);

src/GraphQL/loaders/parseClassMutations.js

@@ -1,7 +1,7 @@
 import { GraphQLNonNull } from 'graphql';
 import { fromGlobalId } from 'graphql-relay';
 import getFieldNames from 'graphql-list-fields';
-import deepcopy from 'deepcopy';
+
 import pluralize from 'pluralize';
 import * as defaultGraphQLTypes from './defaultGraphQLTypes';
 import * as objectsQueries from '../helpers/objectsQueries';
@@ -75,7 +75,7 @@ const load = function (parseGraphQLSchema, parseClass, parseClassConfig: ?ParseG
           return await getQuery(
             parseClass,
             _source,
-            deepcopy(args),
+            structuredClone(args),
             context,
             queryInfo,
             parseGraphQLSchema.parseClasses
@@ -99,7 +99,7 @@ const load = function (parseGraphQLSchema, parseClass, parseClassConfig: ?ParseG
       async resolve(_source, args, context, queryInfo) {
         try {
           // Deep copy args to avoid internal re assign issue
-          const { where, order, skip, first, after, last, before, options } = deepcopy(args);
+          const { where, order, skip, first, after, last, before, options } = structuredClone(args);
           const { readPreference, includeReadPreference, subqueryReadPreference } = options || {};
           const { config, auth, info } = context;
           const selectedFields = getFieldNames(queryInfo);

src/GraphQL/loaders/parseClassQueries.js

@@ -1,6 +1,6 @@
 import Parse from 'parse/node';
 import { GraphQLNonNull } from 'graphql';
-import deepcopy from 'deepcopy';
+
 import { mutationWithClientMutationId } from 'graphql-relay';
 import * as schemaTypes from './schemaTypes';
 import { transformToParse, transformToGraphQL } from '../transformers/schemaFields';
@@ -28,7 +28,7 @@ const load = parseGraphQLSchema => {
     },
     mutateAndGetPayload: async (args, context) => {
       try {
-        const { name, schemaFields } = deepcopy(args);
+        const { name, schemaFields } = structuredClone(args);
         const { config, auth } = context;
 
         enforceMasterKeyAccess(auth, config);
@@ -78,7 +78,7 @@ const load = parseGraphQLSchema => {
     },
     mutateAndGetPayload: async (args, context) => {
       try {
-        const { name, schemaFields } = deepcopy(args);
+        const { name, schemaFields } = structuredClone(args);
         const { config, auth } = context;
 
         enforceMasterKeyAccess(auth, config);
@@ -130,7 +130,7 @@ const load = parseGraphQLSchema => {
     },
     mutateAndGetPayload: async (args, context) => {
       try {
-        const { name } = deepcopy(args);
+        const { name } = structuredClone(args);
         const { config, auth } = context;
 
         enforceMasterKeyAccess(auth, config);

src/GraphQL/loaders/schemaMutations.js

@@ -1,5 +1,5 @@
 import Parse from 'parse/node';
-import deepcopy from 'deepcopy';
+
 import { GraphQLNonNull, GraphQLList } from 'graphql';
 import { transformToGraphQL } from '../transformers/schemaFields';
 import * as schemaTypes from './schemaTypes';
@@ -28,7 +28,7 @@ const load = parseGraphQLSchema => {
       type: new GraphQLNonNull(schemaTypes.CLASS),
       resolve: async (_source, args, context) => {
         try {
-          const { name } = deepcopy(args);
+          const { name } = structuredClone(args);
           const { config, auth } = context;
 
           enforceMasterKeyAccess(auth, config);