fix: Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf)

[mtrezza]

Issue

Schema poisoning via prototype pollution in deep copy (GHSA-9ccr-fpp6-78qf)

Tasks

• Add tests
• Add changes
• Add entry to changelog

Summary by CodeRabbit

• Chores

  • Removed external deep-copy dependency and migrated to native JavaScript object cloning functionality, improving performance and reducing package size.

• Tests

  • Expanded security testing with new tests validating protection against prototype pollution attacks, including verification of schema lock integrity and request body denial mechanisms.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0bdf19d3-3247-4e24-9056-332f7bbb4195

📥 Commits

Reviewing files that changed from the base of the PR and between 59169ba and 1de3fa4.

📒 Files selected for processing (7)

• src/GraphQL/loaders/functionsMutations.js
• src/GraphQL/loaders/parseClassMutations.js
• src/GraphQL/loaders/parseClassQueries.js
• src/GraphQL/loaders/schemaMutations.js
• src/GraphQL/loaders/schemaQueries.js
• src/GraphQL/loaders/usersMutations.js
• src/GraphQL/parseGraphQLUtils.js

🚧 Files skipped from review as they are similar to previous changes (3)

• src/GraphQL/loaders/functionsMutations.js
• src/GraphQL/loaders/schemaMutations.js
• src/GraphQL/loaders/usersMutations.js

---

📝 Walkthrough

Walkthrough

Removed the deepcopy dependency, replaced uses with structuredClone or a new cloneArgs helper, and added HTTP-based vulnerability tests covering __proto__ denial and schema protection.

Changes

Cohort / File(s)	Summary
Package Configuration package.json	Removed deepcopy from dependencies.
Vulnerability Tests spec/vulnerabilities.spec.js	Added HTTP-based tests validating __proto__ denial, schema poisoning protection via requestKeywordDenylist/addField CLP, and schema integrity checks after injection attempts.
GraphQL utilities src/GraphQL/parseGraphQLUtils.js	Added cloneArgs(args) helper that uses structuredClone with JSON fallback.
GraphQL Loaders (Mutations & Queries) src/GraphQL/loaders/... src/GraphQL/loaders/functionsMutations.js, src/GraphQL/loaders/parseClassMutations.js, src/GraphQL/loaders/schemaMutations.js, src/GraphQL/loaders/schemaQueries.js, src/GraphQL/loaders/parseClassQueries.js, src/GraphQL/loaders/usersMutations.js	Replaced direct deepcopy calls with cloneArgs (or structuredClone where applicable) and updated imports; no signature or behavioral changes beyond cloning method.
Controllers src/Controllers/DatabaseController.js, src/Controllers/SchemaController.js	Replaced deepcopy with structuredClone for cloning update and class-level-permissions objects; removed deepcopy imports.
LiveQuery src/LiveQuery/ParseLiveQueryServer.ts	Switched object cloning from deepcopy to structuredClone when matching queries.
Push subsystem src/Push/PushWorker.js, src/Push/utils.js	Replaced deepcopy with structuredClone for payload/where cloning in badge dispatch and locale transformations; removed imports.
Request handling src/RestWrite.js	Replaced multiple deepcopy usages with structuredClone for query/data, ACL, user cloning, and sanitized/build flows. Removed deepcopy import.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: Denylist requestKeywordDenylist keyword scan bypass through nested object placement (GHSA-q342-9w2p-57fp) #10123 — Overlaps test changes in spec/vulnerabilities.spec.js regarding __proto__ denial and schema protection.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing schema poisoning via prototype pollution in deep copy, with reference to the security advisory GHSA-9ccr-fpp6-78qf.
Description check	✅ Passed	The description includes the issue reference and completes key tasks (tests, changes), though the changelog entry task is pending and some template sections are not filled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.20

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.14%. Comparing base (0ae0eee) to head (1de3fa4).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10200      +/-   ##
==========================================
- Coverage   92.55%   92.14%   -0.42%     
==========================================
  Files         192      192              
  Lines       16288    16281       -7     
  Branches      199      199              
==========================================
- Hits        15076    15002      -74     
- Misses       1195     1258      +63     
- Partials       17       21       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.