fix: LiveQuery protected-field guard bypass via array-like object

Author: mtrezza

spec/vulnerabilities.spec.js

@@ -4828,3 +4828,123 @@ describe('(GHSA-wp76-gg32-8258) /verifyPassword leaks raw authData via missing a
     });
   });
 });
+
+describe('(GHSA-mmg8-87c5-jrc2) LiveQuery protected-field guard bypass via array-like $or/$and/$nor', () => {
+  const { sleep } = require('../lib/TestUtils');
+  let obj;
+
+  beforeEach(async () => {
+    Parse.CoreManager.getLiveQueryController().setDefaultLiveQueryClient(null);
+    await reconfigureServer({
+      liveQuery: { classNames: ['SecretClass'] },
+      startLiveQueryServer: true,
+      verbose: false,
+      silent: true,
+    });
+    const config = Config.get(Parse.applicationId);
+    const schemaController = await config.database.loadSchema();
+    await schemaController.addClassIfNotExists(
+      'SecretClass',
+      { secretObj: { type: 'Object' }, publicField: { type: 'String' } },
+    );
+    await schemaController.updateClass(
+      'SecretClass',
+      {},
+      {
+        find: { '*': true },
+        get: { '*': true },
+        create: { '*': true },
+        update: { '*': true },
+        delete: { '*': true },
+        addField: {},
+        protectedFields: { '*': ['secretObj'] },
+      }
+    );
+
+    obj = new Parse.Object('SecretClass');
+    obj.set('secretObj', { apiKey: 'SENSITIVE_KEY_123', score: 42 });
+    obj.set('publicField', 'visible');
+    await obj.save(null, { useMasterKey: true });
+  });
+
+  afterEach(async () => {
+    const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
+    if (client) {
+      await client.close();
+    }
+  });
+
+  it('should reject subscription with array-like $or containing protected field', async () => {
+    const query = new Parse.Query('SecretClass');
+    query._where = {
+      $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+    };
+    await expectAsync(query.subscribe()).toBeRejectedWith(
+      jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+    );
+  });
+
+  it('should reject subscription with array-like $and containing protected field', async () => {
+    const query = new Parse.Query('SecretClass');
+    query._where = {
+      $and: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, '1': { publicField: 'visible' }, length: 2 },
+    };
+    await expectAsync(query.subscribe()).toBeRejectedWith(
+      jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+    );
+  });
+
+  it('should reject subscription with array-like $nor containing protected field', async () => {
+    const query = new Parse.Query('SecretClass');
+    query._where = {
+      $nor: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+    };
+    await expectAsync(query.subscribe()).toBeRejectedWith(
+      jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+    );
+  });
+
+  it('should reject subscription with array-like $or even on non-protected fields', async () => {
+    const query = new Parse.Query('SecretClass');
+    query._where = {
+      $or: { '0': { publicField: 'visible' }, length: 1 },
+    };
+    await expectAsync(query.subscribe()).toBeRejectedWith(
+      jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+    );
+  });
+
+  it('should not create oracle via array-like $or bypass on protected fields', async () => {
+    const query = new Parse.Query('SecretClass');
+    query._where = {
+      $or: { '0': { 'secretObj.apiKey': 'SENSITIVE_KEY_123' }, length: 1 },
+    };
+
+    // Subscription must be rejected; no event oracle should be possible
+    let subscriptionError;
+    let subscription;
+    try {
+      subscription = await query.subscribe();
+    } catch (e) {
+      subscriptionError = e;
+    }
+
+    if (!subscriptionError) {
+      const updateSpy = jasmine.createSpy('update');
+      subscription.on('create', updateSpy);
+      subscription.on('update', updateSpy);
+
+      // Trigger an object change
+      obj.set('publicField', 'changed');
+      await obj.save(null, { useMasterKey: true });
+      await sleep(500);
+
+      // If subscription somehow accepted, verify no events fired (evaluator defense)
+      expect(updateSpy).not.toHaveBeenCalled();
+      fail('Expected subscription to be rejected');
+    }
+    expect(subscriptionError).toEqual(
+      jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+    );
+  });
+});

src/LiveQuery/ParseLiveQueryServer.ts

@@ -555,6 +555,16 @@ class ParseLiveQueryServer {
     if (typeof where !== 'object' || where === null) {
       return;
     }
+    for (const op of ['$or', '$and', '$nor']) {
+      if (where[op] !== undefined && !Array.isArray(where[op])) {
+        throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+      }
+      if (Array.isArray(where[op])) {
+        where[op].forEach((subQuery: any) => {
+          this._validateQueryConstraints(subQuery);
+        });
+      }
+    }
     for (const key of Object.keys(where)) {
       const constraint = where[key];
       if (typeof constraint === 'object' && constraint !== null) {
@@ -582,18 +592,6 @@ class ParseLiveQueryServer {
             );
           }
         }
-        for (const op of ['$or', '$and', '$nor']) {
-          if (Array.isArray(constraint[op])) {
-            constraint[op].forEach((subQuery: any) => {
-              this._validateQueryConstraints(subQuery);
-            });
-          }
-        }
-        if (Array.isArray(where[key])) {
-          where[key].forEach((subQuery: any) => {
-            this._validateQueryConstraints(subQuery);
-          });
-        }
       }
     }
   }
@@ -1048,6 +1046,9 @@ class ParseLiveQueryServer {
               return;
             }
             for (const op of ['$or', '$and', '$nor']) {
+              if (where[op] !== undefined && !Array.isArray(where[op])) {
+                throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+              }
               if (Array.isArray(where[op])) {
                 for (const subQuery of where[op]) {
                   checkDepth(subQuery, depth + 1);
@@ -1111,6 +1112,9 @@ class ParseLiveQueryServer {
               }
             }
             for (const op of ['$or', '$and', '$nor']) {
+              if (where[op] !== undefined && !Array.isArray(where[op])) {
+                throw new Parse.Error(Parse.Error.INVALID_QUERY, `${op} must be an array`);
+              }
               if (Array.isArray(where[op])) {
                 where[op].forEach((subQuery: any) => checkWhere(subQuery));
               }

src/LiveQuery/QueryTools.js

@@ -206,6 +206,9 @@ function matchesKeyConstraints(object, key, constraints) {
   }
   var i;
   if (key === '$or') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (matchesQuery(object, constraints[i])) {
         return true;
@@ -214,6 +217,9 @@ function matchesKeyConstraints(object, key, constraints) {
     return false;
   }
   if (key === '$and') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (!matchesQuery(object, constraints[i])) {
         return false;
@@ -222,6 +228,9 @@ function matchesKeyConstraints(object, key, constraints) {
     return true;
   }
   if (key === '$nor') {
+    if (!Array.isArray(constraints)) {
+      return false;
+    }
     for (i = 0; i < constraints.length; i++) {
       if (matchesQuery(object, constraints[i])) {
         return false;

src/RestQuery.js

@@ -904,6 +904,13 @@ _UnsafeRestQuery.prototype.denyProtectedFields = async function () {
       }
     }
     for (const op of ['$or', '$and', '$nor']) {
+      if (where[op] !== undefined && !Array.isArray(where[op])) {
+        throw createSanitizedError(
+          Parse.Error.INVALID_QUERY,
+          `${op} must be an array`,
+          this.config
+        );
+      }
       if (Array.isArray(where[op])) {
         where[op].forEach(subQuery => checkWhere(subQuery));
       }