fix: Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64)#10406

Merged
mtrezza merged 1 commit intoparse-community:alphafrom
mtrezza:fix/GHSA-g4v2-qx3q-4p64-v9
Apr 6, 2026
Conversation

@mtrezza
Member

@mtrezza mtrezza commented Apr 6, 2026

Issue

/sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64)

Tasks

  • Add tests
  • Add changes

@parse-github-assistant

parse-github-assistant bot commented Apr 6, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai bot commented Apr 6, 2026

Walkthrough

A security fix implements a two-step session lookup in handleMe to apply protectedFields validation using caller's auth context. A corresponding test validates that protected session fields like createdWith are properly sanitized in responses.

Changes

Cohort / File(s): Summary

Test for GHSA-g4v2-qx3q-4p64 Vulnerability (spec/vulnerabilities.spec.js): Added test block validating that the _Session.createdWith protected field is properly sanitized (undefined) in GET /sessions/me and GET /sessions responses, and that other session data remains intact.

Sessions Router Enhancement (src/Routers/SessionsRouter.js): Refactored handleMe to be async with a two-step lookup: a master-key find by sessionToken to locate the session and validate user presence, then a get using the caller's auth context to apply protectedFields and CLP. Updated error handling to throw INVALID_SESSION_TOKEN when lookup or validation fails.

Sequence Diagram

sequenceDiagram
    actor Client
    participant SessionsRouter
    participant Auth
    participant REST as REST Layer
    participant DB as Database

    Client->>SessionsRouter: GET /sessions/me (with sessionToken)
    SessionsRouter->>Auth: Create master Auth context
    Auth-->>SessionsRouter: Master Auth
    SessionsRouter->>REST: find(_Session) with master Auth (by sessionToken)
    REST->>DB: Query _Session
    DB-->>REST: _Session record
    REST-->>SessionsRouter: results[0]
    
    alt Session exists and has user
        SessionsRouter->>SessionsRouter: Extract session objectId & user objectId
        SessionsRouter->>Auth: Create non-master Auth for user
        Auth-->>SessionsRouter: User Auth context
        SessionsRouter->>REST: get(session objectId) with User Auth
        REST->>DB: Query _Session (apply protectedFields/CLP)
        DB-->>REST: Sanitized _Session
        REST-->>SessionsRouter: Sanitized response
        SessionsRouter-->>Client: {response: sanitized session}
    else Session missing or user missing
        SessionsRouter-->>Client: Parse.Error(INVALID_SESSION_TOKEN)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks: 2 passed, 3 failed

Failed checks (3 warnings)

  • Description check (Warning): The pull request has no description provided, missing all required template sections including Issue, Approach, and Tasks. Resolution: Add a comprehensive description including the issue/security advisory link, approach explaining the vulnerability fix and implementation details, and checklist items for tests and documentation.
  • Security Check (Warning): Code creates Auth.Auth with hardcoded isMaster:false, causing privilege downgrade vulnerability instead of using req.auth. Resolution: Replace userAuth with req.auth in rest.get call to preserve caller's authentication level and privileges.
  • Engage In Review Feedback (Warning): The PR author has not engaged with review feedback regarding the hardcoded Auth.Auth instance; code remains unchanged and no discussion evidence exists. Resolution: Implement suggested change to use req.auth or respond with detailed explanation of why hardcoded approach is necessary.

Passed checks (2 passed)

  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check (Passed): The pull request title begins with the required 'fix:' prefix and clearly describes the security fix being implemented, matching the main change in the changeset.

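The two-step lookup that the walkthrough and sequence diagram describe, modelled as an added example (not Parse Server's own code) over an in-memory `_Session` table: a master-level `find` by `sessionToken` locates the session and checks it has a user, then a second read under a non-master auth for that user applies the `protectedFields` rule. The helper names `findWithMaster`, `getAsUser` and the `protectedFields` rule for `createdWith` are constructed for the illustration.

```javascript
// Added illustration of the /sessions/me fix pattern; not Parse Server code.
const INVALID_SESSION_TOKEN = 209; // Parse.Error.INVALID_SESSION_TOKEN

// Constructed sample data: one session row and a protectedFields rule that
// hides createdWith from every non-master reader ('*').
const sessions = [
  {
    objectId: 'sess1',
    sessionToken: 'r:abc',
    user: { __type: 'Pointer', className: '_User', objectId: 'u1' },
    createdWith: { action: 'login', authProvider: 'password' },
    installationId: 'ios-1',
  },
];
const protectedFields = { _Session: { '*': ['createdWith'] } };

// Step 1: master-key find by token; returns raw rows, nothing stripped.
function findWithMaster(sessionToken) {
  return sessions.filter(s => s.sessionToken === sessionToken);
}

// Step 2: get by objectId under the caller's auth; non-master readers get
// the protectedFields rule applied before the row is returned.
function getAsUser(objectId, auth) {
  const row = sessions.find(s => s.objectId === objectId);
  if (!row) return null;
  const out = { ...row };
  if (!auth.isMaster) {
    for (const f of protectedFields._Session['*'] || []) delete out[f];
  }
  return out;
}

function invalidSession() {
  return Object.assign(new Error('Session token required.'), { code: INVALID_SESSION_TOKEN });
}

// Pre-fix behaviour: the master-key result is returned directly, so the
// protectedFields rule is never consulted and createdWith leaks.
function handleMeVulnerable(sessionToken) {
  const [session] = findWithMaster(sessionToken);
  if (!session || !session.user) throw invalidSession();
  return session;
}

// Fixed behaviour: locate with master key, then re-read as the session's user
// so protectedFields (and CLPs, in the real server) are enforced.
function handleMeFixed(sessionToken) {
  const [session] = findWithMaster(sessionToken);
  if (!session || !session.user) throw invalidSession();
  const userAuth = { isMaster: false, userId: session.user.objectId };
  return getAsUser(session.objectId, userAuth);
}
```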

@codecov

codecov bot commented Apr 6, 2026

Codecov Report

❌ Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.49%. Comparing base (9168e69) to head (e1936f0).
⚠️ Report is 2 commits behind head on alpha.

Files with missing lines: src/Routers/SessionsRouter.js (patch 81.81%, 2 lines missing)
Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10406      +/-   ##
==========================================
- Coverage   92.50%   92.49%   -0.01%     
==========================================
  Files         192      192              
  Lines       16725    16732       +7     
  Branches      229      229              
==========================================
+ Hits        15471    15477       +6     
- Misses       1232     1233       +1     
  Partials       22       22              

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Routers/SessionsRouter.js`:
- Around line 35-46: The second fetch for the _Session currently constructs a
new regular-user Auth (userAuth) which can downgrade any elevated privileges;
instead reuse the incoming request auth (req.auth) when calling rest.get for the
session (or if rebuilding Auth, copy all auth flags from req.auth such as
isMaster, installationId, and any other role/session context) so the call that
uses userId maintains the original caller's auth context; update the call site
that currently passes userAuth to pass req.auth (or a cloned Auth built from
req.auth) and remove the hardcoded new Auth instantiation around userId.

Commits

Reviewing files that changed from the base of the PR and between 9168e69 and e1936f0.

Files selected for processing (2)
  • spec/vulnerabilities.spec.js
  • src/Routers/SessionsRouter.js

@mtrezza
Member Author

mtrezza commented Apr 6, 2026

@coderabbitai review

@coderabbitai

coderabbitai bot commented Apr 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza mtrezza changed the title fix: GHSA-g4v2-qx3q-4p64 v9 fix: /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) Apr 6, 2026
@mtrezza mtrezza changed the title fix: /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) fix: Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) Apr 6, 2026
@mtrezza
Member Author

mtrezza commented Apr 6, 2026

@coderabbitai resolve

@coderabbitai

coderabbitai bot commented Apr 6, 2026

✅ Actions performed

Comments resolved and changes approved.

@mtrezza mtrezza merged commit d507575 into parse-community:alpha Apr 6, 2026
38 of 41 checks passed
parseplatformorg pushed a commit that referenced this pull request Apr 6, 2026
# [9.8.0-alpha.7](9.8.0-alpha.6...9.8.0-alpha.7) (2026-04-06)

### Bug Fixes

* Endpoint `/sessions/me` bypasses `_Session` `protectedFields` ([GHSA-g4v2-qx3q-4p64](GHSA-g4v2-qx3q-4p64)) ([#10406](#10406)) ([d507575](d507575))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.8.0-alpha.7

Labels

state:released-alpha Released as alpha version
