fix: Server crash via deeply nested query condition operators (GHSA-9xp9-j92r-p88v)

[mtrezza]

Issue

Server crash via deeply nested query condition operators (GHSA-9xp9-j92r-p88v)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Added a configurable queryDepth limit to cap nesting of logical query operators; -1 disables. Master and maintenance keys bypass the limit.

• Bug Fixes

  • Prevents stack overflow/crash from deeply nested query operators by enforcing the nesting limit.

• Documentation

  • Updated configuration docs to include queryDepth and its default (-1).

• Tests

  • Added coverage validating queryDepth behavior, limits, bypasses, and unlimited mode.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new RequestComplexity option queryDepth (default -1 to disable) and enforces a maximum nesting depth for logical query operators ($or, $and, $nor) by tracking depth in DatabaseController.validateQuery; tests, options, docs, and server-config validation updated accordingly.

Changes

Cohort / File(s)	Summary
Tests spec/RequestComplexity.spec.js, spec/vulnerabilities.spec.js	Adds helpers to build nested $or/$and/$nor queries, a "query depth" test suite validating accept/reject rules and bypass for master/maintenance keys, and a vulnerability test asserting deep nesting is rejected when a limit is set.
Query validation src/Controllers/DatabaseController.js	Extends validateQuery signature to accept options and _depth; increments and enforces nesting depth for $or/$and/$nor using options.requestComplexity.queryDepth; propagates options and depth in recursive calls.
Options & docs src/Options/Definitions.js, src/Options/index.js, src/Options/docs.js	Adds queryDepth to RequestComplexity options/type/docs with env PARSE_SERVER_REQUEST_COMPLEXITY_QUERY_DEPTH, numeric parser, default -1 (disable), and help text.
Server config validation src/Security/CheckGroups/CheckGroupServerConfig.js, spec/SecurityCheckGroups.spec.js	Includes queryDepth in requestComplexity fields validated for -1 disables; test expectations updated to include queryDepth.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant DBController as DatabaseController
  participant Options
  participant DB as Database

  Client->>DBController: send query (contains $or/$and/$nor)
  DBController->>Options: read requestComplexity.queryDepth
  DBController->>DBController: validateQuery(query, ..., options, _depth=0)
  alt depth <= queryDepth or queryDepth == -1
    DBController->>DB: execute query
    DB-->>DBController: results
    DBController-->>Client: return results
  else depth > queryDepth
    DBController-->>Client: throw INVALID_QUERY (nesting depth exceeded)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: Denial-of-service via unbounded query complexity in REST and GraphQL API (GHSA-cmj3-wx7h-ffvg) #10130 — Modifies RequestComplexity options surface and adds depth-limiting request complexity controls (adds queryDepth to RequestComplexityOptions).

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description includes the Issue section (linking to GHSA-9xp9-j92r-p88v) and Tasks section with appropriate completion status. However, it is missing the Approach section which should describe the technical changes made.	Add an Approach section describing how the queryDepth limit is implemented, how it prevents deeply nested queries, and which files contain the core changes.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the primary change: fixing a server crash caused by deeply nested query operators and references the security advisory GHSA-9xp9-j92r-p88v. It directly relates to the main security fix in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.55%. Comparing base (b321423) to head (cef01c3).
⚠️ Report is 5 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10202   +/-   ##
=======================================
  Coverage   92.55%   92.55%           
=======================================
  Files         192      192           
  Lines       16281    16284    +3     
  Branches      199      199           
=======================================
+ Hits        15069    15072    +3     
  Misses       1195     1195           
  Partials       17       17           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

spec/RequestComplexity.spec.js (1)

72-87: Add explicit invalid-value tests for queryDepth.

Consider adding rejection assertions for queryDepth: 0 and a non-integer, mirroring the existing includeDepth validation checks, to lock down this new config path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/RequestComplexity.spec.js` around lines 72 - 87, Add explicit
invalid-value tests for requestComplexity.queryDepth in the spec by mirroring
the existing includeDepth checks: add assertions that reconfigureServer({
requestComplexity: { queryDepth: 0 } }) is rejected and that reconfigureServer({
requestComplexity: { queryDepth: 1.5 } }) (or a non-integer like 'a') is
rejected. Locate the test block using reconfigureServer and the
requestComplexity config keys and use the same expectAsync(...).toBeRejected()
(or equivalent) pattern used for includeDepth validation to ensure queryDepth
rejects zero and non-integer values.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/RequestComplexity.spec.js`:
- Around line 72-87: Add explicit invalid-value tests for
requestComplexity.queryDepth in the spec by mirroring the existing includeDepth
checks: add assertions that reconfigureServer({ requestComplexity: { queryDepth:
0 } }) is rejected and that reconfigureServer({ requestComplexity: { queryDepth:
1.5 } }) (or a non-integer like 'a') is rejected. Locate the test block using
reconfigureServer and the requestComplexity config keys and use the same
expectAsync(...).toBeRejected() (or equivalent) pattern used for includeDepth
validation to ensure queryDepth rejects zero and non-integer values.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7f5bfb19-98ca-428b-b39d-165b02ffa95b

📥 Commits

Reviewing files that changed from the base of the PR and between f701bca and 1a0ff79.

📒 Files selected for processing (5)

• spec/RequestComplexity.spec.js
• spec/vulnerabilities.spec.js
• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js

🚧 Files skipped from review as they are similar to previous changes (2)

• src/Options/Definitions.js
• spec/vulnerabilities.spec.js

[coderabbitai]

🧹 Nitpick comments (1)

spec/SecurityCheckGroups.spec.js (1)

40-40: Consider making the success fixture fully explicit for request-complexity keys.

This currently depends on implicit/default behavior for the other limits. Setting all request-complexity properties explicitly in this test would make intent and future behavior clearer.

Proposed test-fixture refinement

-      config.requestComplexity = { queryDepth: 10 };
+      config.requestComplexity = {
+        includeDepth: 10,
+        includeCount: 100,
+        subqueryDepth: 10,
+        queryDepth: 10,
+        graphQLDepth: 10,
+        graphQLFields: 1000,
+      };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/SecurityCheckGroups.spec.js` at line 40, The test currently sets only
config.requestComplexity = { queryDepth: 10 } which relies on implicit defaults
for other request-complexity keys; update the fixture to explicitly set all
requestComplexity properties (e.g., queryDepth, queryScore, maxDepthPerField or
whatever keys the config supports) so the spec (SecurityCheckGroups.spec.js) is
fully explicit about every limit; modify the object assigned to
config.requestComplexity used in the test to include each supported key with
intended values rather than a single queryDepth entry.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/SecurityCheckGroups.spec.js`:
- Line 40: The test currently sets only config.requestComplexity = { queryDepth:
10 } which relies on implicit defaults for other request-complexity keys; update
the fixture to explicitly set all requestComplexity properties (e.g.,
queryDepth, queryScore, maxDepthPerField or whatever keys the config supports)
so the spec (SecurityCheckGroups.spec.js) is fully explicit about every limit;
modify the object assigned to config.requestComplexity used in the test to
include each supported key with intended values rather than a single queryDepth
entry.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b933b70a-ef80-4f42-a848-ddc2fbd60f85

📥 Commits

Reviewing files that changed from the base of the PR and between 1a0ff79 and cef01c3.

📒 Files selected for processing (1)

• spec/SecurityCheckGroups.spec.js

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.21