fix: LiveQuery protected-field guard bypass via array-like object

mtrezza · mtrezza · commit 7b6335fd4e26 · 2026-03-29T18:56:17.000+01:00
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -842,6 +842,126 @@ describe('Vulnerabilities', () => {
       await expectAsync(obj.save()).toBeResolved();
     });
   });
+
+  describe('(GHSA-mmg8-87c5-jrc2) LiveQuery protected-field guard bypass via array-like $or/$and/$nor', () => {
+    const { sleep } = require('../lib/TestUtils');
+    let obj;
+
+    beforeEach(async () => {
+      Parse.CoreManager.getLiveQueryController().setDefaultLiveQueryClient(null);
+      await reconfigureServer({
+        liveQuery: { classNames: ['SecretClass'] },
+        startLiveQueryServer: true,
+        verbose: false,
+        silent: true,
+      });
+      const config = Config.get(Parse.applicationId);
+      const schemaController = await config.database.loadSchema();
+      await schemaController.addClassIfNotExists(
+        'SecretClass',
+        { secretObj: { type: 'Object' }, publicField: { type: 'String' } },
+      );
+      await schemaController.updateClass(
+        'SecretClass',
+        {},
+        {
+          find: { '*': true },
+          get: { '*': true },
+          create: { '*': true },
+          update: { '*': true },
+          delete: { '*': true },
+          addField: {},
+          protectedFields: { '*': ['secretObj'] },
+        }
+      );
+
+      obj = new Parse.Object('SecretClass');
+      obj.set('secretObj', { apiKey: 'SENSITIVE_KEY_123', score: 42 });
+      obj.set('publicField', 'visible');
+      await obj.save(null, { useMasterKey: true });
+    });
+
+    afterEach(async () => {
+      const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
+      if (client) {
+        await client.close();
+      }
+    });
+
+    it('should reject subscription with array-like $or containing protected field', async () => {
+      const query = new Parse.Query('SecretClass');
+      query._where = {
+        $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+      };
+      await expectAsync(query.subscribe()).toBeRejectedWith(
+        jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+      );
+    });
+
+    it('should reject subscription with array-like $and containing protected field', async () => {
+      const query = new Parse.Query('SecretClass');
+      query._where = {
+        $and: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, '1': { publicField: 'visible' }, length: 2 },
+      };
+      await expectAsync(query.subscribe()).toBeRejectedWith(
+        jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+      );
+    });
+
+    it('should reject subscription with array-like $nor containing protected field', async () => {
+      const query = new Parse.Query('SecretClass');
+      query._where = {
+        $nor: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+      };
+      await expectAsync(query.subscribe()).toBeRejectedWith(
+        jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+      );
+    });
+
+    it('should reject subscription with array-like $or even on non-protected fields', async () => {
+      const query = new Parse.Query('SecretClass');
+      query._where = {
+        $or: { '0': { publicField: 'visible' }, length: 1 },
+      };
+      await expectAsync(query.subscribe()).toBeRejectedWith(
+        jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+      );
+    });
+
+    it('should not create oracle via array-like $or bypass on protected fields', async () => {
+      const query = new Parse.Query('SecretClass');
+      query._where = {
+        $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+      };
+
+      // Subscription must be rejected; no event oracle should be possible
+      let subscriptionError;
+      let subscription;
+      try {
+        subscription = await query.subscribe();
+      } catch (e) {
+        subscriptionError = e;
+      }
+
+      if (!subscriptionError) {
+        const updateSpy = jasmine.createSpy('update');
+        subscription.on('create', updateSpy);
+        subscription.on('update', updateSpy);
+
+        // Trigger an object change
+        obj.set('publicField', 'changed');
+        await obj.save(null, { useMasterKey: true });
+        await sleep(500);
+
+        // If subscription somehow accepted, verify no events fired (evaluator defense)
+        expect(updateSpy).not.toHaveBeenCalled();
+        fail('Expected subscription to be rejected');
+      }
+      expect(subscriptionError).toEqual(
+        jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+      );
+    });
+  });
 });
 
 describe('(GHSA-mf3j-86qx-cq5j) ReDoS via $regex in LiveQuery subscription', () => {
diff --git a/src/LiveQuery/ParseLiveQueryServer.ts b/src/LiveQuery/ParseLiveQueryServer.ts
@@ -555,6 +555,16 @@ class ParseLiveQueryServer {
     if (typeof where !== 'object' || where === null) {
       return;
     }
+    for (const op of ['$or', '$and', '$nor']) {
+      if (where[op] !== undefined && !Array.isArray(where[op])) {
+        throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+      }
+      if (Array.isArray(where[op])) {
+        where[op].forEach((subQuery: any) => {
+          this._validateQueryConstraints(subQuery);
+        });
+      }
+    }
     for (const key of Object.keys(where)) {
       const constraint = where[key];
       if (typeof constraint === 'object' && constraint !== null) {
@@ -582,18 +592,6 @@ class ParseLiveQueryServer {
             );
           }
         }
-        for (const op of ['$or', '$and', '$nor']) {
-          if (Array.isArray(constraint[op])) {
-            constraint[op].forEach((subQuery: any) => {
-              this._validateQueryConstraints(subQuery);
-            });
-          }
-        }
-        if (Array.isArray(where[key])) {
-          where[key].forEach((subQuery: any) => {
-            this._validateQueryConstraints(subQuery);
-          });
-        }
       }
     }
   }
@@ -1048,6 +1046,9 @@ class ParseLiveQueryServer {
               return;
             }
             for (const op of ['$or', '$and', '$nor']) {
+              if (where[op] !== undefined && !Array.isArray(where[op])) {
+                throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+              }
               if (Array.isArray(where[op])) {
                 for (const subQuery of where[op]) {
                   checkDepth(subQuery, depth + 1);
@@ -1111,6 +1112,9 @@ class ParseLiveQueryServer {
               }
             }
             for (const op of ['$or', '$and', '$nor']) {
+              if (where[op] !== undefined && !Array.isArray(where[op])) {
+                throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+              }
               if (Array.isArray(where[op])) {
                 where[op].forEach((subQuery: any) => checkWhere(subQuery));
               }
diff --git a/src/LiveQuery/QueryTools.js b/src/LiveQuery/QueryTools.js
@@ -206,6 +206,9 @@ function matchesKeyConstraints(object, key, constraints) {
   }
   var i;
   if (key === '$or') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (matchesQuery(object, constraints[i])) {
         return true;
@@ -214,6 +217,9 @@ function matchesKeyConstraints(object, key, constraints) {
     return false;
   }
   if (key === '$and') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (!matchesQuery(object, constraints[i])) {
         return false;
@@ -222,6 +228,9 @@ function matchesKeyConstraints(object, key, constraints) {
     return true;
   }
   if (key === '$nor') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (matchesQuery(object, constraints[i])) {
         return false;
diff --git a/src/RestQuery.js b/src/RestQuery.js
@@ -904,6 +904,13 @@ _UnsafeRestQuery.prototype.denyProtectedFields = async function () {
       }
     }
     for (const op of ['$or', '$and', '$nor']) {
+      if (where[op] !== undefined && !Array.isArray(where[op])) {
+        throw createSanitizedError(
+          Parse.Error.INVALID_QUERY,
+          `${op} must be an array`,
+          this.config
+        );
+      }
       if (Array.isArray(where[op])) {
         where[op].forEach(subQuery => checkWhere(subQuery));
       }

Original file line number	Diff line number	Diff line change
`@@ -555,6 +555,16 @@ class ParseLiveQueryServer {`
`555`	`555`	`if (typeof where !== 'object' \|\| where === null) {`
`556`	`556`	`return;`
`557`	`557`	`}`
	`558`	`+ for (const op of ['$or', '$and', '$nor']) {`
	`559`	`+ if (where[op] !== undefined && !Array.isArray(where[op])) {`
	`560`	+ throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
	`561`	`+ }`
	`562`	`+ if (Array.isArray(where[op])) {`
	`563`	`+ where[op].forEach((subQuery: any) => {`
	`564`	`+ this._validateQueryConstraints(subQuery);`
	`565`	`+ });`
	`566`	`+ }`
	`567`	`+ }`
`558`	`568`	`for (const key of Object.keys(where)) {`
`559`	`569`	`const constraint = where[key];`
`560`	`570`	`if (typeof constraint === 'object' && constraint !== null) {`
`@@ -582,18 +592,6 @@ class ParseLiveQueryServer {`
`582`	`592`	`);`
`583`	`593`	`}`
`584`	`594`	`}`
`585`		`- for (const op of ['$or', '$and', '$nor']) {`
`586`		`- if (Array.isArray(constraint[op])) {`
`587`		`- constraint[op].forEach((subQuery: any) => {`
`588`		`- this._validateQueryConstraints(subQuery);`
`589`		`- });`
`590`		`- }`
`591`		`- }`
`592`		`- if (Array.isArray(where[key])) {`
`593`		`- where[key].forEach((subQuery: any) => {`
`594`		`- this._validateQueryConstraints(subQuery);`
`595`		`- });`
`596`		`- }`
`597`	`595`	`}`
`598`	`596`	`}`
`599`	`597`	`}`
`@@ -1048,6 +1046,9 @@ class ParseLiveQueryServer {`
`1048`	`1046`	`return;`
`1049`	`1047`	`}`
`1050`	`1048`	`for (const op of ['$or', '$and', '$nor']) {`
	`1049`	`+ if (where[op] !== undefined && !Array.isArray(where[op])) {`
	`1050`	+ throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
	`1051`	`+ }`
`1051`	`1052`	`if (Array.isArray(where[op])) {`
`1052`	`1053`	`for (const subQuery of where[op]) {`
`1053`	`1054`	`checkDepth(subQuery, depth + 1);`
`@@ -1111,6 +1112,9 @@ class ParseLiveQueryServer {`
`1111`	`1112`	`}`
`1112`	`1113`	`}`
`1113`	`1114`	`for (const op of ['$or', '$and', '$nor']) {`
	`1115`	`+ if (where[op] !== undefined && !Array.isArray(where[op])) {`
	`1116`	+ throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
	`1117`	`+ }`
`1114`	`1118`	`if (Array.isArray(where[op])) {`
`1115`	`1119`	`where[op].forEach((subQuery: any) => checkWhere(subQuery));`
`1116`	`1120`	`}`
Original file line number	Diff line number	Diff line change
`@@ -904,6 +904,13 @@ _UnsafeRestQuery.prototype.denyProtectedFields = async function () {`
`904`	`904`	`}`
`905`	`905`	`}`
`906`	`906`	`for (const op of ['$or', '$and', '$nor']) {`
	`907`	`+ if (where[op] !== undefined && !Array.isArray(where[op])) {`
	`908`	`+ throw createSanitizedError(`
	`909`	`+ Parse.Error.INVALID_QUERY,`
	`910`	+ `${op} must be an array`,
	`911`	`+ this.config`
	`912`	`+ );`
	`913`	`+ }`
`907`	`914`	`if (Array.isArray(where[op])) {`
`908`	`915`	`where[op].forEach(subQuery => checkWhere(subQuery));`
`909`	`916`	`}`