Merge branch 'alpha' into fix/directaccess-undefined-to-null

Author: yog27ray

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+## [9.9.1-alpha.2](https://github.com/parse-community/parse-server/compare/9.9.1-alpha.1...9.9.1-alpha.2) (2026-05-18)
+
+
+### Bug Fixes
+
+* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj)) ([#10467](https://github.com/parse-community/parse-server/issues/10467)) ([155123a](https://github.com/parse-community/parse-server/commit/155123ade9bc88cdf4807cf267ea1196f9274773))
+
+## [9.9.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.9.0...9.9.1-alpha.1) (2026-05-17)
+
+
+### Bug Fixes
+
+* Pre-authentication denial of service via client version header regex backtracking ([GHSA-38m6-82c8-4xfm](https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm)) ([#10463](https://github.com/parse-community/parse-server/issues/10463)) ([56c159e](https://github.com/parse-community/parse-server/commit/56c159ec962d729df09ccaa5cc2537751511e375))
+
 # [9.9.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.9.0-alpha.2...9.9.0-alpha.3) (2026-04-30)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.9.0",
+  "version": "9.9.1-alpha.2",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -113,7 +113,6 @@ describe('middlewares', () => {
   });
 
   const BodyParams = {
-    clientVersion: '_ClientVersion',
     installationId: '_InstallationId',
     sessionToken: '_SessionToken',
     masterKey: '_MasterKey',
@@ -468,12 +467,6 @@ describe('middlewares', () => {
       expect(fakeRes.status).toHaveBeenCalledWith(403);
     });
 
-    it('should reject non-string _ClientVersion in body', async () => {
-      fakeReq.body._ClientVersion = { toLowerCase: 'evil' };
-      await middlewares.handleParseHeaders(fakeReq, fakeRes);
-      expect(fakeRes.status).toHaveBeenCalledWith(403);
-    });
-
     it('should reject non-string _InstallationId in body', async () => {
       fakeReq.body._InstallationId = { toString: 'evil' };
       await middlewares.handleParseHeaders(fakeReq, fakeRes);
@@ -502,7 +495,6 @@ describe('middlewares', () => {
       // Each request should be handled independently without affecting server stability.
       const payloads = [
         { _SessionToken: { toString: 'evil' } },
-        { _ClientVersion: { toLowerCase: 'evil' } },
         { _InstallationId: [1, 2, 3] },
         { _ContentType: { toString: 'evil' } },
       ];
@@ -539,12 +531,10 @@ describe('middlewares', () => {
 
     it('should still accept valid string body fields', done => {
       fakeReq.body._SessionToken = 'r:validtoken';
-      fakeReq.body._ClientVersion = 'js1.0.0';
       fakeReq.body._InstallationId = 'install123';
       fakeReq.body._ContentType = 'application/json';
       middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
         expect(fakeReq.info.sessionToken).toEqual('r:validtoken');
-        expect(fakeReq.info.clientVersion).toEqual('js1.0.0');
         expect(fakeReq.info.installationId).toEqual('install123');
         expect(fakeReq.headers['content-type']).toEqual('application/json');
         done();

spec/ClientSDK.spec.js

@@ -1016,6 +1016,115 @@ describe('ParseGraphQLServer', () => {
           expect(introspection.data).toBeDefined();
           expect(introspection.data.__type).toBeDefined();
         });
+
+        it('should strip "Did you mean" field suggestions from validation errors without master or maintenance key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query Typo {
+                  healt
+                }
+              `,
+            });
+            fail('should have thrown a validation error');
+          } catch (e) {
+            const message = e.networkError.result.errors[0].message;
+            expect(message).toContain('Cannot query field "healt"');
+            expect(message).not.toMatch(/Did you mean/);
+            expect(message).not.toContain('health');
+          }
+        });
+
+        it('should strip "Did you mean" argument suggestions from validation errors without master or maintenance key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query UnknownArg {
+                  users(wher: {}) {
+                    edges {
+                      node {
+                        id
+                      }
+                    }
+                  }
+                }
+              `,
+            });
+            fail('should have thrown a validation error');
+          } catch (e) {
+            const message = e.networkError.result.errors[0].message;
+            expect(message).toContain('Unknown argument "wher"');
+            expect(message).not.toMatch(/Did you mean/);
+            expect(message).not.toContain('"where"');
+          }
+        });
+
+        it('should keep "Did you mean" suggestions with master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query Typo {
+                  healt
+                }
+              `,
+              context: {
+                headers: {
+                  'X-Parse-Master-Key': 'test',
+                },
+              },
+            });
+            fail('should have thrown a validation error');
+          } catch (e) {
+            const message = e.networkError.result.errors[0].message;
+            expect(message).toContain('Cannot query field "healt"');
+            expect(message).toMatch(/Did you mean/);
+            expect(message).toContain('health');
+          }
+        });
+
+        it('should keep "Did you mean" suggestions with maintenance key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query Typo {
+                  healt
+                }
+              `,
+              context: {
+                headers: {
+                  'X-Parse-Maintenance-Key': 'test2',
+                },
+              },
+            });
+            fail('should have thrown a validation error');
+          } catch (e) {
+            const message = e.networkError.result.errors[0].message;
+            expect(message).toContain('Cannot query field "healt"');
+            expect(message).toMatch(/Did you mean/);
+            expect(message).toContain('health');
+          }
+        });
+
+        it('should keep "Did you mean" suggestions when public introspection is enabled', async () => {
+          const parseServer = await reconfigureServer();
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+
+          try {
+            await apolloClient.query({
+              query: gql`
+                query Typo {
+                  healt
+                }
+              `,
+            });
+            fail('should have thrown a validation error');
+          } catch (e) {
+            const message = e.networkError.result.errors[0].message;
+            expect(message).toContain('Cannot query field "healt"');
+            expect(message).toMatch(/Did you mean/);
+            expect(message).toContain('health');
+          }
+        });
       });
 
 

spec/Middlewares.spec.js

@@ -5885,4 +5885,102 @@ describe('Vulnerabilities', () => {
       expect(meResponse.data.sessionToken).toBe(sessionToken);
     });
   });
+
+  describe('(GHSA-38m6-82c8-4xfm) Pre-auth polynomial ReDoS via client version parsing', () => {
+    const middlewares = require('../lib/middlewares');
+    const AppCache = require('../lib/cache').AppCache;
+
+    const AppCachePut = (appId, config) =>
+      AppCache.put(appId, {
+        ...config,
+        maintenanceKeyIpsStore: new Map(),
+        masterKeyIpsStore: new Map(),
+        readOnlyMasterKeyIpsStore: new Map(),
+      });
+
+    const buildFakeReq = ({ headers = {}, body = {} } = {}) => {
+      const req = {
+        ip: '127.0.0.1',
+        originalUrl: 'http://example.com/parse/',
+        url: 'http://example.com/',
+        body: { _ApplicationId: 'FakeAppId', ...body },
+        headers,
+        get: key => req.headers[key.toLowerCase()],
+      };
+      return req;
+    };
+
+    beforeEach(() => {
+      AppCachePut('FakeAppId', {
+        masterKeyIps: ['0.0.0.0/0'],
+      });
+    });
+
+    afterEach(() => {
+      AppCache.del('FakeAppId');
+    });
+
+    it('does not capture client version from X-Parse-Client-Version header into req.info', async () => {
+      const req = buildFakeReq({ headers: { 'x-parse-client-version': 'js5.0.0' } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+
+    it('does not capture client version from _ClientVersion body field into req.info', async () => {
+      const req = buildFakeReq({ body: { _ClientVersion: 'js5.0.0' } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+      expect(req.body._ClientVersion).toBeUndefined();
+    });
+
+    it('does not invoke any regex on adversarial X-Parse-Client-Version header (16 KB of dashes)', async () => {
+      const adversarial = '-'.repeat(16000);
+      const req = buildFakeReq({ headers: { 'x-parse-client-version': adversarial } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      await middlewares.handleParseHeaders(req, res, () => {});
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+
+    it('does not invoke any regex on adversarial _ClientVersion body field (200 KB of dashes)', async () => {
+      const adversarial = '-'.repeat(200000);
+      const req = buildFakeReq({ body: { _ClientVersion: adversarial } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      const t0 = process.hrtime.bigint();
+      await middlewares.handleParseHeaders(req, res, () => {});
+      const elapsedMs = Number(process.hrtime.bigint() - t0) / 1e6;
+      expect(elapsedMs).toBeLessThan(3000);
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+      expect(req.body._ClientVersion).toBeUndefined();
+    });
+
+    it('strips _ClientVersion from req.body even when value is non-string (no rejection, no capture)', async () => {
+      const req = buildFakeReq({ body: { _ClientVersion: { toLowerCase: 'evil' } } });
+      const res = jasmine.createSpyObj('res', ['end', 'status']);
+      let nextCalled = false;
+      await middlewares.handleParseHeaders(req, res, () => {
+        nextCalled = true;
+      });
+      expect(nextCalled).toBe(true);
+      expect(res.status).not.toHaveBeenCalled();
+      expect(req.body._ClientVersion).toBeUndefined();
+      expect(req.info.clientVersion).toBeUndefined();
+      expect(req.info.clientSDK).toBeUndefined();
+    });
+  });
 });