fix: LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576)#10250
Merged
mtrezza merged 4 commits intoparse-community:alphafrom Mar 20, 2026
Merged
Conversation
|
🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review. Tip
Note Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect. Caution Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. |
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
📝 WalkthroughWalkthroughImplements pointer-based CLP checks in LiveQuery delivery: ParseLiveQueryServer now evaluates class-level pointer permissions (readUserFields/writeUserFields and pointerFields) and can block event delivery when the subscribing user is not referenced; tests validating multiple pointer/CLP scenarios were added. Changes
Sequence DiagramsequenceDiagram
participant Client as Client / Subscriber
participant LQ as LiveQuery Server
participant SC as SchemaController
participant DB as Database
Client->>LQ: Subscribe (with/without session token)
DB->>LQ: Emit create/update/delete event (write occurred)
LQ->>SC: Fetch schema & CLP for class
SC-->>LQ: Return schema & CLP
alt CLP includes pointer restrictions
LQ->>LQ: Resolve subscriber userId from token (if present)
LQ->>LQ: Determine permissionField (readUserFields/writeUserFields)
LQ->>LQ: Merge pointerFields from CLP and permission arrays
LQ->>LQ: Inspect object pointer values (.get / field / .id / .objectId / arrays)
alt master key OR pointer references subscriber
LQ->>Client: Deliver event
else
LQ-->>LQ: Withhold event (do not deliver)
end
else
LQ->>Client: Deliver event
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 1 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## alpha #10250 +/- ##
==========================================
- Coverage 92.60% 92.13% -0.48%
==========================================
Files 192 192
Lines 16358 16394 +36
Branches 201 219 +18
==========================================
- Hits 15149 15105 -44
- Misses 1192 1266 +74
- Partials 17 23 +6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
spec/vulnerabilities.spec.js (1)
3353-3637: Reset the default LiveQuery client around this suite.These tests reconfigure the LiveQuery server on every case but keep using the Parse SDK singleton client. Other LiveQuery suites in this file clear it in
beforeEachand close it inafterEach; without that, socket/subscription state can leak across cases and make the suite order-dependent.Suggested cleanup pattern
describe('(GHSA-fph2-r4qg-9576) LiveQuery bypasses CLP pointer permission enforcement', () => { const { sleep } = require('../lib/TestUtils'); + + beforeEach(() => { + Parse.CoreManager.getLiveQueryController().setDefaultLiveQueryClient(null); + }); + + afterEach(async () => { + const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient(); + if (client) { + await client.close(); + } + });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@spec/vulnerabilities.spec.js` around lines 3353 - 3637, Add setup/teardown to this describe('(GHSA-fph2-r4qg-9576) LiveQuery bypasses CLP pointer permission enforcement', ...) block that mirrors other LiveQuery suites: in a beforeEach call, reset/clear the Parse SDK's default LiveQuery client (close any existing socket/subscriptions) and in an afterEach call, close and null out the singleton so subsequent tests get a fresh client; use the standard beforeEach/afterEach hooks and the same methods used elsewhere to close the default LiveQuery client and clear the singleton to prevent socket/subscription state leaking across cases.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/LiveQuery/ParseLiveQueryServer.ts`:
- Around line 676-739: The current pointer-CLP check in ParseLiveQueryServer
(inside the block that uses SchemaController.testPermissions and pointerFields)
actively throws Parse.Error.OPERATION_FORBIDDEN for object-specific denials,
which breaks live-query transitions; instead treat pointer CLPs as visibility
filters: convert this check (and similar checks) to return a boolean match
(e.g., via a helper like _matchesCLP) that quietly returns false when the
current user should not see the object rather than throwing; update callers such
as _onAfterSave/_onUpdate/_onCreate to skip emitting events when _matchesCLP
returns false, keep master-key bypass (client.hasMasterKey) as-is, and remove
the throw-paths that raise OPERATION_FORBIDDEN for pointer-based denials so
ACL-like misses are silently ignored.
---
Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3353-3637: Add setup/teardown to this
describe('(GHSA-fph2-r4qg-9576) LiveQuery bypasses CLP pointer permission
enforcement', ...) block that mirrors other LiveQuery suites: in a beforeEach
call, reset/clear the Parse SDK's default LiveQuery client (close any existing
socket/subscriptions) and in an afterEach call, close and null out the singleton
so subsequent tests get a fresh client; use the standard beforeEach/afterEach
hooks and the same methods used elsewhere to close the default LiveQuery client
and clear the singleton to prevent socket/subscription state leaking across
cases.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 24d45539-a0d2-4dec-a368-0933fa255068
📒 Files selected for processing (2)
spec/vulnerabilities.spec.jssrc/LiveQuery/ParseLiveQueryServer.ts
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 3353-3358: Add an afterEach that cleans up the LiveQuery client:
retrieve the client via
Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient(), and if
it exists await its close() method and then call
Parse.CoreManager.getLiveQueryController().setDefaultLiveQueryClient(null);
ensure the afterEach is async so the await works and prevent connection leaks
between tests.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: bc20c177-3429-456e-9d13-af69aed07003
📒 Files selected for processing (2)
spec/vulnerabilities.spec.jssrc/LiveQuery/ParseLiveQueryServer.ts
mtrezza
changed the title
parseplatformorg
pushed a commit
that referenced
this pull request
Mar 20, 2026
# [9.6.0-alpha.42](9.6.0-alpha.41...9.6.0-alpha.42) (2026-03-20) ### Bug Fixes * LiveQuery bypasses CLP pointer permission enforcement ([GHSA-fph2-r4qg-9576](https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576)) ([#10250](#10250)) ([6c3317a](6c3317a))
Contributor
|
🎉 This change has been released in version 9.6.0-alpha.42 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576)
Tasks