Skip to content

fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 10, 2025

Conversation

mtrezza
Copy link
Member

@mtrezza mtrezza commented Jul 10, 2025

Fixes security vulnerability GHSA-48q3-prgv-gm4w

Copy link

parse-github-assistant bot commented Jul 10, 2025

🚀 Thanks for opening this pull request!

Copy link

coderabbitai bot commented Jul 10, 2025

📝 Walkthrough

Walkthrough

A new configuration option, graphQLPublicIntrospection, was introduced to control whether public GraphQL introspection is allowed. The Apollo Server setup now uses a plugin to restrict introspection queries based on this setting and user authorization. Corresponding tests, documentation, and security checks were updated to reflect this new behavior and configuration.

Changes

File(s) Change Summary
spec/ParseGraphQLServer.spec.js Enhanced tests for introspection security, added dynamic server options, and improved formatting.
spec/SecurityCheckGroups.spec.js Updated tests to cover the new graphQLPublicIntrospection security check.
src/GraphQL/ParseGraphQLServer.js Added IntrospectionControlPlugin to restrict introspection; Apollo Server setup now respects new option.
src/Options/Definitions.js
src/Options/index.js
src/Options/docs.js
Added new graphQLPublicIntrospection option to configuration, documentation, and type definitions.
src/Security/CheckGroups/CheckGroupServerConfig.js Added a new security check enforcing that public GraphQL introspection is disabled unless explicitly set.
src/middlewares.js Minor formatting change to empty arrow functions in Redis event listeners.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ApolloServer
    participant IntrospectionControlPlugin
    participant ParseGraphQLServer

    Client->>ApolloServer: Sends GraphQL query (may include introspection)
    ApolloServer->>IntrospectionControlPlugin: requestDidStart
    IntrospectionControlPlugin->>IntrospectionControlPlugin: didResolveOperation
    alt Public introspection disabled AND not master/maintenance user AND query is introspection
        IntrospectionControlPlugin-->>ApolloServer: Throw GraphQLError (403)
        ApolloServer-->>Client: Respond with 403 error
    else
        ApolloServer->>ParseGraphQLServer: Process query
        ParseGraphQLServer-->>ApolloServer: Result
        ApolloServer-->>Client: Respond with result
    end
Loading
sequenceDiagram
    participant AdminClient
    participant ApolloServer
    participant IntrospectionControlPlugin

    AdminClient->>ApolloServer: Sends introspection query with master/maintenance key
    ApolloServer->>IntrospectionControlPlugin: requestDidStart
    IntrospectionControlPlugin->>IntrospectionControlPlugin: didResolveOperation
    Note right of IntrospectionControlPlugin: Master/maintenance key detected
    ApolloServer-->>AdminClient: Introspection result returned
Loading

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.38.1)
spec/ParseGraphQLServer.spec.js
🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE package: '[email protected]',
npm warn EBADENGINE required: { node: '18 || 19 || 20 || 22' },
npm warn EBADENGINE current: { node: 'v24.3.0', npm: '11.4.2' }
npm warn EBADENGINE }
npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-07-10T00_48_51_485Z-debug-0.log


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92f5e08 and b6680c7.

📒 Files selected for processing (1)
  • spec/ParseGraphQLServer.spec.js (15 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • spec/ParseGraphQLServer.spec.js
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: PostgreSQL 15, PostGIS 3.3
  • GitHub Check: PostgreSQL 15, PostGIS 3.5
  • GitHub Check: PostgreSQL 17, PostGIS 3.5
  • GitHub Check: PostgreSQL 15, PostGIS 3.4
  • GitHub Check: Docker Build
  • GitHub Check: Node 18
  • GitHub Check: PostgreSQL 16, PostGIS 3.5
  • GitHub Check: Node 20
  • GitHub Check: MongoDB 7, ReplicaSet
  • GitHub Check: MongoDB 6, ReplicaSet
  • GitHub Check: MongoDB 8, ReplicaSet
  • GitHub Check: Redis Cache

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai auto-generate unit tests to generate unit tests for this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@parseplatformorg
Copy link
Contributor

parseplatformorg commented Jul 10, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

Copy link

codecov bot commented Jul 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.99%. Comparing base (2c29756) to head (b6680c7).
Report is 2 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha    #9819      +/-   ##
==========================================
- Coverage   93.00%   92.99%   -0.01%     
==========================================
  Files         187      187              
  Lines       15082    15094      +12     
  Branches      174      174              
==========================================
+ Hits        14027    14037      +10     
- Misses       1043     1045       +2     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (3)
src/middlewares.js (1)

542-544: Empty Redis event handlers add noise; either remove or emit debug logs

Three Redis client event handlers (connect, reconnecting, ready) are registered with completely empty callbacks.
They do not contribute functional value and slightly increase cognitive load. Consider:

-client.on('connect', () => { });
-client.on('reconnecting', () => { });
-client.on('ready', () => { });
+// Optional: emit debug-level logs to aid troubleshooting, or drop the listeners entirely
+if (log.level === 'debug') {
+  client.on('connect', () => log.debug('Redis connected'));
+  client.on('reconnecting', () => log.debug('Redis reconnecting'));
+  client.on('ready', () => log.debug('Redis ready'));
+}

Removing no-op handlers keeps the codebase tidier; adding lightweight logging gives visibility during ops without altering behaviour.

spec/ParseGraphQLServer.spec.js (2)

6663-6663: Fix indentation to maintain consistency.

The static analysis correctly identified an indentation issue.

Apply this fix:

-              object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
+                object4.className.charAt(0).toLowerCase() + object4.className.slice(1)

11267-11285: Fix multiple indentation issues in GraphQL type definition.

The static analysis identified several indentation issues that need to be corrected.

Apply this fix:

         const SomeClassType = new GraphQLObjectType({
-          name: 'SomeClass',
-          fields: {
-            nameUpperCase: {
-              type: new GraphQLNonNull(GraphQLString),
-              resolve: p => p.name.toUpperCase(),
+          name: 'SomeClass',
+          fields: {
+            nameUpperCase: {
+              type: new GraphQLNonNull(GraphQLString),
+              resolve: p => p.name.toUpperCase(),
             },
-            type: { type: TypeEnum },
-            language: {
-              type: new GraphQLEnumType({
-                name: 'LanguageEnum',
-                values: {
-                  fr: { value: 'fr' },
-                  en: { value: 'en' },
-                },
-              }),
-              resolve: () => 'fr',
-            },
-          },
-        }),
+            type: { type: TypeEnum },
+            language: {
+              type: new GraphQLEnumType({
+                name: 'LanguageEnum',
+                values: {
+                  fr: { value: 'fr' },
+                  en: { value: 'en' },
+                },
+              }),
+              resolve: () => 'fr',
+            },
+          },
+        }),
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c29756 and 92f5e08.

📒 Files selected for processing (8)
  • spec/ParseGraphQLServer.spec.js (17 hunks)
  • spec/SecurityCheckGroups.spec.js (3 hunks)
  • src/GraphQL/ParseGraphQLServer.js (3 hunks)
  • src/Options/Definitions.js (1 hunks)
  • src/Options/docs.js (1 hunks)
  • src/Options/index.js (1 hunks)
  • src/Security/CheckGroups/CheckGroupServerConfig.js (1 hunks)
  • src/middlewares.js (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
spec/SecurityCheckGroups.spec.js (3)
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.
spec/ParseGraphQLServer.spec.js (4)

undefined

<retrieved_learning>
Learnt from: RahulLanjewar93
PR: #9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.
</retrieved_learning>

<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with done().
</retrieved_learning>

<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with done(). The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.
</retrieved_learning>

<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with done(). Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.
</retrieved_learning>

🪛 Biome (1.9.4)
src/Options/index.js

[error] 309-309: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

🪛 GitHub Check: Lint
spec/ParseGraphQLServer.spec.js

[failure] 6663-6663:
Expected indentation of 16 spaces but found 14


[failure] 11275-11275:
Expected indentation of 16 spaces but found 14


[failure] 11274-11274:
Expected indentation of 14 spaces but found 12


[failure] 11273-11273:
Expected indentation of 14 spaces but found 12


[failure] 11272-11272:
Expected indentation of 14 spaces but found 12


[failure] 11271-11271:
Expected indentation of 16 spaces but found 14


[failure] 11270-11270:
Expected indentation of 16 spaces but found 14


[failure] 11269-11269:
Expected indentation of 14 spaces but found 12


[failure] 11268-11268:
Expected indentation of 12 spaces but found 10


[failure] 11267-11267:
Expected indentation of 12 spaces but found 10

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: Node 20
  • GitHub Check: PostgreSQL 16, PostGIS 3.5
  • GitHub Check: PostgreSQL 17, PostGIS 3.5
  • GitHub Check: PostgreSQL 15, PostGIS 3.4
  • GitHub Check: PostgreSQL 15, PostGIS 3.3
  • GitHub Check: Redis Cache
  • GitHub Check: PostgreSQL 15, PostGIS 3.5
  • GitHub Check: Node 18
  • GitHub Check: MongoDB 8, ReplicaSet
  • GitHub Check: MongoDB 7, ReplicaSet
  • GitHub Check: MongoDB 6, ReplicaSet
  • GitHub Check: Docker Build
🔇 Additional comments (16)
src/Options/docs.js (1)

56-57: Docs addition looks good

graphQLPublicIntrospection is documented with default false, matching implementation.

src/Options/Definitions.js (1)

295-300: Definition aligns with docs; ensure security check updated

The new graphQLPublicIntrospection option is correctly wired with env var, boolean parser and default false.
Confirm that CheckGroupServerConfig (or equivalent) flags this when set to true, to keep hardening consistent.

src/Options/index.js (1)

309-312: LGTM!

The new graphQLPublicIntrospection configuration option is well-implemented with secure defaults (false) and proper documentation.

spec/SecurityCheckGroups.spec.js (1)

36-36: Tests correctly verify the new security check behavior.

The tests properly validate that the security check passes when graphQLPublicIntrospection is false and fails when it's true, following the existing test patterns.

Also applies to: 45-45, 52-52, 61-61

src/Security/CheckGroups/CheckGroupServerConfig.js (1)

83-92: Security check implementation is well-structured and informative.

The check correctly validates that GraphQL public introspection is disabled and provides clear guidance on the security implications and required configuration changes.

src/GraphQL/ParseGraphQLServer.js (2)

16-52: Plugin implementation effectively controls GraphQL introspection access.

The IntrospectionControlPlugin correctly restricts introspection based on configuration and user authorization. The string-based detection approach for __schema is a reasonable performance trade-off, as acknowledged in the comments.


107-108: Apollo Server configuration properly integrates the introspection control.

The dynamic introspection setting and the addition of the IntrospectionControlPlugin work together to enforce the configured introspection policy.

spec/ParseGraphQLServer.spec.js (9)

53-53: LGTM - Maintenance key configuration added.

The addition of maintenanceKey to the server configuration is appropriate for testing the new introspection control functionality.


92-93: Minor: Consistent arrow function usage.


128-128: Minor: Consistent arrow function usage.


435-435: Well-designed test helper enhancement.

The addition of parseGraphQLServerOptions parameter and the use of spread operator to merge options provides good flexibility for testing different GraphQL server configurations.

Also applies to: 452-452


493-494: Good practice - Suppressing console output in tests.

Adding spies for console methods prevents cluttered test output.


610-697: Excellent test coverage for introspection control.

The test suite comprehensively covers all aspects of the new introspection control functionality:

  • Default disabled behavior
  • Master key authorization
  • Maintenance key authorization
  • Explicit public introspection enablement

The tests properly use async/await patterns as per the codebase standards.


844-848: Consistent authorization headers added.

All introspection queries now properly include master key headers in the context, which is necessary for the new introspection access control.

Also applies to: 880-884, 1417-1421


969-969: Minor: Consistent arrow function usage.

Also applies to: 991-991


7557-7557: Minor: Consistent arrow function usage.

Also applies to: 7559-7559, 7598-7598, 7602-7602, 7668-7668, 7670-7670

coderabbitai[bot]
coderabbitai bot previously approved these changes Jul 10, 2025
@mtrezza mtrezza changed the title test fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) Jul 10, 2025
@mtrezza mtrezza merged commit c58b2eb into parse-community:alpha Jul 10, 2025
22 of 25 checks passed
parseplatformorg pushed a commit that referenced this pull request Jul 10, 2025
## [8.2.2-alpha.1](8.2.1...8.2.2-alpha.1) (2025-07-10)

### Bug Fixes

* Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) ([#9819](#9819)) ([c58b2eb](c58b2eb))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 8.2.2-alpha.1

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 10, 2025
@mtrezza mtrezza deleted the pr/1 branch July 10, 2025 02:27
parseplatformorg pushed a commit that referenced this pull request Jul 10, 2025
## [8.2.2](8.2.1...8.2.2) (2025-07-10)

### Bug Fixes

* Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) ([#9819](#9819)) ([c58b2eb](c58b2eb))
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 8.2.2

@parseplatformorg parseplatformorg added the state:released Released as stable version label Jul 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
state:released Released as stable version state:released-alpha Released as alpha version
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants