feat: Add requestComplexity.allowRegex option to disable $regex query operator (#10418)

mtrezza · web-flow · commit 18482e386c1e · 2026-04-09T18:12:12.000+01:00
diff --git a/spec/RequestComplexity.spec.js b/spec/RequestComplexity.spec.js
@@ -112,6 +112,16 @@ describe('request complexity', () => {
       );
     });
 
+    it('should reject non-boolean value for allowRegex', async () => {
+      await expectAsync(
+        reconfigureServer({
+          requestComplexity: { allowRegex: 'yes' },
+        })
+      ).toBeRejectedWith(
+        new Error('requestComplexity.allowRegex must be a boolean.')
+      );
+    });
+
     it('should reject unknown properties', async () => {
       await expectAsync(
         reconfigureServer({
@@ -147,6 +157,7 @@ describe('request complexity', () => {
       await reconfigureServer({});
       const config = Config.get('test');
       expect(config.requestComplexity).toEqual({
+        allowRegex: true,
         batchRequestLimit: -1,
         includeDepth: -1,
         includeCount: -1,
@@ -540,4 +551,185 @@ describe('request complexity', () => {
       ).toBeResolved();
     });
   });
+
+  describe('allowRegex', () => {
+    let config;
+
+    beforeEach(async () => {
+      await reconfigureServer({
+        requestComplexity: { allowRegex: false },
+      });
+      config = Config.get('test');
+    });
+
+    it('should reject $regex query when allowRegex is false (unauthenticated)', async () => {
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should reject $regex query when allowRegex is false (authenticated user)', async () => {
+      const user = new Parse.User();
+      user.setUsername('testuser');
+      user.setPassword('testpass');
+      await user.signUp();
+      const userAuth = new auth.Auth({
+        config,
+        isMaster: false,
+        user,
+      });
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, userAuth, '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should allow $regex query when allowRegex is false with master key', async () => {
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, auth.master(config), '_User', where)
+      ).toBeResolved();
+    });
+
+    it('should allow $regex query when allowRegex is true (default)', async () => {
+      await reconfigureServer({
+        requestComplexity: { allowRegex: true },
+      });
+      config = Config.get('test');
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeResolved();
+    });
+
+    it('should reject $regex inside $or when allowRegex is false', async () => {
+      const where = {
+        $or: [
+          { username: { $regex: 'test' } },
+          { username: 'exact' },
+        ],
+      };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should reject $regex inside $and when allowRegex is false', async () => {
+      const where = {
+        $and: [
+          { username: { $regex: 'test' } },
+          { username: 'exact' },
+        ],
+      };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should reject $regex inside $nor when allowRegex is false', async () => {
+      const where = {
+        $nor: [
+          { username: { $regex: 'test' } },
+        ],
+      };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should allow $regex by default when allowRegex is not configured', async () => {
+      await reconfigureServer({});
+      config = Config.get('test');
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeResolved();
+    });
+
+    it('should reject empty-string $regex when allowRegex is false', async () => {
+      const where = { username: { $regex: '' } };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
+    it('should allow $regex with maintenance key when allowRegex is false', async () => {
+      const where = { username: { $regex: 'test' } };
+      await expectAsync(
+        rest.find(config, auth.maintenance(config), '_User', where)
+      ).toBeResolved();
+    });
+
+    describe('LiveQuery', () => {
+      beforeEach(async () => {
+        await reconfigureServer({
+          requestComplexity: { allowRegex: false },
+          liveQuery: { classNames: ['TestObject'] },
+          startLiveQueryServer: true,
+        });
+        config = Config.get('test');
+      });
+
+      afterEach(async () => {
+        const client = await Parse.CoreManager.getLiveQueryController().getDefaultLiveQueryClient();
+        if (client) {
+          await client.close();
+        }
+      });
+
+      it('should reject LiveQuery subscription with $regex when allowRegex is false', async () => {
+        const query = new Parse.Query('TestObject');
+        query.matches('field', /test/);
+        await expectAsync(query.subscribe()).toBeRejectedWith(
+          jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+        );
+      });
+
+      it('should reject LiveQuery subscription with $regex inside $or when allowRegex is false', async () => {
+        const query = new Parse.Query('TestObject');
+        query._where = {
+          $or: [
+            { field: { $regex: 'test' } },
+            { field: 'exact' },
+          ],
+        };
+        await expectAsync(query.subscribe()).toBeRejectedWith(
+          jasmine.objectContaining({ code: Parse.Error.INVALID_QUERY })
+        );
+      });
+
+      it('should allow LiveQuery subscription without $regex when allowRegex is false', async () => {
+        const query = new Parse.Query('TestObject');
+        query.equalTo('field', 'test');
+        const subscription = await query.subscribe();
+        expect(subscription).toBeDefined();
+        subscription.unsubscribe();
+      });
+    });
+  });
 });
diff --git a/src/Config.js b/src/Config.js
@@ -697,7 +697,12 @@ export class Config {
     for (const key of validKeys) {
       if (requestComplexity[key] !== undefined) {
         const value = requestComplexity[key];
-        if (!Number.isInteger(value) || (value < 1 && value !== -1)) {
+        const def = RequestComplexityOptions[key];
+        if (typeof def.default === 'boolean') {
+          if (typeof value !== 'boolean') {
+            throw new Error(`requestComplexity.${key} must be a boolean.`);
+          }
+        } else if (!Number.isInteger(value) || (value < 1 && value !== -1)) {
           throw new Error(`requestComplexity.${key} must be a positive integer or -1 to disable.`);
         }
       } else {
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -159,7 +159,10 @@ const validateQuery = (
   }
 
   Object.keys(query).forEach(key => {
-    if (query && query[key] && query[key].$regex) {
+    if (query && query[key] && query[key].$regex !== undefined) {
+      if (!isMaster && rc && rc.allowRegex === false) {
+        throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex operator is not allowed');
+      }
       if (typeof query[key].$regex !== 'string') {
         throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex value must be a string');
       }
diff --git a/src/LiveQuery/ParseLiveQueryServer.ts b/src/LiveQuery/ParseLiveQueryServer.ts
@@ -1060,6 +1060,32 @@ class ParseLiveQueryServer {
         }
       }
 
+      // Validate allowRegex
+      if (!client.hasMasterKey) {
+        const rc = appConfig.requestComplexity;
+        if (rc && rc.allowRegex === false) {
+          const checkRegex = (where: any) => {
+            if (typeof where !== 'object' || where === null) {
+              return;
+            }
+            for (const key of Object.keys(where)) {
+              const constraint = where[key];
+              if (typeof constraint === 'object' && constraint !== null && constraint.$regex !== undefined) {
+                throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex operator is not allowed');
+              }
+            }
+            for (const op of ['$or', '$and', '$nor']) {
+              if (Array.isArray(where[op])) {
+                for (const subQuery of where[op]) {
+                  checkRegex(subQuery);
+                }
+              }
+            }
+          };
+          checkRegex(request.query.where);
+        }
+      }
+
       // Check CLP for subscribe operation
       const schemaController = await appConfig.database.loadSchema();
       const classLevelPermissions = schemaController.getClassLevelPermissions(className);
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -704,6 +704,12 @@ module.exports.RateLimitOptions = {
   },
 };
 module.exports.RequestComplexityOptions = {
+  allowRegex: {
+    env: 'PARSE_SERVER_REQUEST_COMPLEXITY_ALLOW_REGEX',
+    help: 'Whether to allow the `$regex` query operator. Set to `false` to reject `$regex` in queries for non-master-key users. Default is `true`.',
+    action: parsers.booleanParser,
+    default: true,
+  },
   batchRequestLimit: {
     env: 'PARSE_SERVER_REQUEST_COMPLEXITY_BATCH_REQUEST_LIMIT',
     help: 'Maximum number of sub-requests in a single batch request. Set to `-1` to disable. Default is `-1`.',
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -447,6 +447,10 @@ export interface RateLimitOptions {
 }
 
 export interface RequestComplexityOptions {
+  /* Whether to allow the `$regex` query operator. Set to `false` to reject `$regex` in queries for non-master-key users. Default is `true`.
+  :ENV: PARSE_SERVER_REQUEST_COMPLEXITY_ALLOW_REGEX
+  :DEFAULT: true */
+  allowRegex: ?boolean;
   /* Maximum depth of include pointer chains (e.g. `a.b.c` = depth 3). Set to `-1` to disable. Default is `-1`.
   :DEFAULT: -1 */
   includeDepth: ?number;

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,10 @@ const validateQuery = (`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`Object.keys(query).forEach(key => {`
`162`		`- if (query && query[key] && query[key].$regex) {`
	`162`	`+ if (query && query[key] && query[key].$regex !== undefined) {`
	`163`	`+ if (!isMaster && rc && rc.allowRegex === false) {`
	`164`	`+ throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex operator is not allowed');`
	`165`	`+ }`
`163`	`166`	`if (typeof query[key].$regex !== 'string') {`
`164`	`167`	`throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex value must be a string');`
`165`	`168`	`}`