fix: Relation $relatedTo query bypasses protectedFields and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) (parse-community#10493)

Author: mtrezza

benchmark/performance.js

@@ -829,6 +829,40 @@ async function benchmarkObjectCreateNestedDenylist(name) {
   });
 }
 
+/**
+ * Benchmark: $relatedTo relation query (public, non-master)
+ *
+ * Measures a public `$relatedTo` query, which now performs an owning-object
+ * read-access check before reading the relation join table (GHSA-wmwx-jr2p-4j4r).
+ * This captures the cost of that added authorization read on the relation path.
+ */
+async function benchmarkRelatedToQuery(name) {
+  const Child = Parse.Object.extend('BenchmarkRelChild');
+  const children = [];
+  for (let i = 0; i < 50; i++) {
+    children.push(new Child({ value: i }));
+  }
+  await Parse.Object.saveAll(children, { useMasterKey: true });
+
+  // Publicly readable owning object, so the authorized relation path runs fully.
+  const Parent = Parse.Object.extend('BenchmarkRelParent');
+  const parent = new Parent({ name: 'benchmark-parent' });
+  const acl = new Parse.ACL();
+  acl.setPublicReadAccess(true);
+  parent.setACL(acl);
+  parent.relation('members').add(children);
+  await parent.save(null, { useMasterKey: true });
+
+  return measureOperation({
+    name,
+    iterations: 1_000,
+    operation: async () => {
+      // Non-master query exercises the owning-object read-access check.
+      await parent.relation('members').query().find();
+    },
+  });
+}
+
 /**
  * Run all benchmarks
  */
@@ -856,6 +890,7 @@ async function runBenchmarks() {
       { name: 'Object.saveAll (batch save)', fn: benchmarkBatchSave },
       { name: 'Query.get (by objectId)', fn: benchmarkObjectRead },
       { name: 'Query.find (simple query)', fn: benchmarkSimpleQuery },
+      { name: 'Query.find ($relatedTo relation)', fn: benchmarkRelatedToQuery },
       { name: 'User.signUp', fn: benchmarkUserSignup },
       { name: 'User.login', fn: benchmarkUserLogin },
       { name: 'Query.include (parallel pointers)', fn: benchmarkQueryWithIncludeParallel },

spec/vulnerabilities.spec.js

@@ -2307,6 +2307,207 @@ describe('Vulnerabilities', () => {
     });
   });
 
+  describe('(GHSA-wmwx-jr2p-4j4r) $relatedTo bypasses protectedFields and parent ACL for Relation fields', () => {
+    let childLinked;
+    let parentProtectedKey;
+    let parentPrivate;
+    let parentPublic;
+
+    const relatedToWhere = (parentId, key, extra = {}) => ({
+      $relatedTo: {
+        object: { __type: 'Pointer', className: 'RelParent', objectId: parentId },
+        key,
+      },
+      ...extra,
+    });
+
+    const queryChild = (where, headers = {}) =>
+      request({
+        method: 'GET',
+        url: `${Parse.serverURL}/classes/RelChild`,
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+          ...headers,
+        },
+        qs: { where: JSON.stringify(where) },
+      }).catch(e => e);
+
+    beforeEach(async () => {
+      const schema = new Parse.Schema('RelParent');
+      schema.addString('name');
+      schema.addRelation('secretRel', 'RelChild');
+      schema.addRelation('openRel', 'RelChild');
+      schema.setCLP({
+        find: { '*': true },
+        get: { '*': true },
+        create: { '*': true },
+        update: { '*': true },
+        delete: { '*': true },
+        addField: {},
+        // secretRel is a protected Relation field for public clients
+        protectedFields: { '*': ['secretRel'] },
+      });
+      await schema.save();
+
+      childLinked = new Parse.Object('RelChild', { value: 'linked child' });
+      await childLinked.save(null, { useMasterKey: true });
+
+      const publicAcl = new Parse.ACL();
+      publicAcl.setPublicReadAccess(true);
+
+      const privateAcl = new Parse.ACL();
+      privateAcl.setPublicReadAccess(false);
+      privateAcl.setPublicWriteAccess(false);
+
+      // Publicly readable parent whose relation key is protected (isolates the
+      // protectedFields facet).
+      parentProtectedKey = new Parse.Object('RelParent', { name: 'protected-key parent' });
+      parentProtectedKey.setACL(publicAcl);
+      parentProtectedKey.relation('secretRel').add(childLinked);
+      await parentProtectedKey.save(null, { useMasterKey: true });
+
+      // Parent that is not readable by the public, queried via a non-protected
+      // relation key (isolates the parent-ACL facet).
+      parentPrivate = new Parse.Object('RelParent', { name: 'private parent' });
+      parentPrivate.setACL(privateAcl);
+      parentPrivate.relation('openRel').add(childLinked);
+      await parentPrivate.save(null, { useMasterKey: true });
+
+      // Publicly readable parent with a non-protected relation key (legitimate
+      // use that must keep working).
+      parentPublic = new Parse.Object('RelParent', { name: 'public parent' });
+      parentPublic.setACL(publicAcl);
+      parentPublic.relation('openRel').add(childLinked);
+      await parentPublic.save(null, { useMasterKey: true });
+    });
+
+    it('denies $relatedTo query that references a protected relation field', async () => {
+      const res = await queryChild(relatedToWhere(parentProtectedKey.id, 'secretRel'));
+      expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.data.error).toBe('Permission denied');
+    });
+
+    it('denies $relatedTo on a protected relation field nested in $or', async () => {
+      const res = await queryChild({
+        $or: [relatedToWhere(parentProtectedKey.id, 'secretRel')],
+      });
+      expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.data.error).toBe('Permission denied');
+    });
+
+    it('denies $relatedTo on a protected relation field nested in $and', async () => {
+      const res = await queryChild({
+        $and: [relatedToWhere(parentProtectedKey.id, 'secretRel')],
+      });
+      expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.data.error).toBe('Permission denied');
+    });
+
+    it('denies $relatedTo on a protected relation field nested in $nor', async () => {
+      const res = await queryChild({
+        $nor: [relatedToWhere(parentProtectedKey.id, 'secretRel')],
+      });
+      expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.data.error).toBe('Permission denied');
+    });
+
+    it('returns no results when the owning object is not readable by the caller', async () => {
+      const res = await queryChild(relatedToWhere(parentPrivate.id, 'openRel'));
+      expect(res.data.results).toEqual([]);
+    });
+
+    it('does not act as a membership oracle for an unreadable owning object', async () => {
+      const res = await queryChild(
+        relatedToWhere(parentPrivate.id, 'openRel', { objectId: childLinked.id })
+      );
+      expect(res.data.results).toEqual([]);
+    });
+
+    it('still returns related objects for a readable parent and non-protected key', async () => {
+      const res = await queryChild(relatedToWhere(parentPublic.id, 'openRel'));
+      expect(res.data.results.length).toBe(1);
+      expect(res.data.results[0].objectId).toBe(childLinked.id);
+    });
+
+    it('allows master key to query a protected relation and an unreadable parent', async () => {
+      const masterHeaders = { 'X-Parse-Master-Key': Parse.masterKey };
+      const resProtected = await queryChild(
+        relatedToWhere(parentProtectedKey.id, 'secretRel'),
+        masterHeaders
+      );
+      expect(resProtected.data.results.length).toBe(1);
+      const resPrivate = await queryChild(
+        relatedToWhere(parentPrivate.id, 'openRel'),
+        masterHeaders
+      );
+      expect(resPrivate.data.results.length).toBe(1);
+    });
+
+    it('respects user-level read access to the owning object', async () => {
+      const userA = await Parse.User.signUp('relUserA', 'pw');
+      const userB = await Parse.User.signUp('relUserB', 'pw');
+
+      const acl = new Parse.ACL();
+      acl.setReadAccess(userA, true);
+      const parent = new Parse.Object('RelParent', { name: 'user-scoped parent' });
+      parent.setACL(acl);
+      parent.relation('openRel').add(childLinked);
+      await parent.save(null, { useMasterKey: true });
+
+      const resA = await queryChild(relatedToWhere(parent.id, 'openRel'), {
+        'X-Parse-Session-Token': userA.getSessionToken(),
+      });
+      expect(resA.data.results.length).toBe(1);
+
+      const resB = await queryChild(relatedToWhere(parent.id, 'openRel'), {
+        'X-Parse-Session-Token': userB.getSessionToken(),
+      });
+      expect(resB.data.results).toEqual([]);
+    });
+
+    it('returns no results when the owning class denies get permission (CLP)', async () => {
+      // Owning class denies public `get`, so the owning-object read throws
+      // OPERATION_FORBIDDEN; the relation must then return no results.
+      const schema = new Parse.Schema('RelParentNoGet');
+      schema.addRelation('members', 'RelChild');
+      schema.setCLP({
+        find: { '*': true },
+        get: {},
+        create: { '*': true },
+        update: { '*': true },
+        delete: { '*': true },
+        addField: {},
+      });
+      await schema.save();
+
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      const parent = new Parse.Object('RelParentNoGet', { name: 'no-get parent' });
+      parent.setACL(acl);
+      parent.relation('members').add(childLinked);
+      await parent.save(null, { useMasterKey: true });
+
+      const res = await request({
+        method: 'GET',
+        url: `${Parse.serverURL}/classes/RelChild`,
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        qs: {
+          where: JSON.stringify({
+            $relatedTo: {
+              object: { __type: 'Pointer', className: 'RelParentNoGet', objectId: parent.id },
+              key: 'members',
+            },
+          }),
+        },
+      }).catch(e => e);
+      expect(res.data.results).toEqual([]);
+    });
+  });
+
   describe('(GHSA-j7mm-f4rv-6q6q) Protected fields bypass via LiveQuery dot-notation WHERE', () => {
     let obj;