fix: LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r)

[mtrezza]

Issue

LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r)

Tasks

• Add tests

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

ParseLiveQueryServer._onAfterSave is updated to check subscriber ACL read access before emitting leave and enter event payloads. For leave, it falls back to the last authorized snapshot when ACL is revoked; for enter, it nulls out the pre-update body when ACL was not yet granted. Three integration tests are added to verify these scenarios.

Changes

LiveQuery ACL Transition Disclosure Prevention

Layer / File(s)	Summary
ACL-aware leave/enter payload filtering src/LiveQuery/ParseLiveQueryServer.ts	In _onAfterSave, adds matchesACL checks for leave and enter transitions. For leave, when the post-save ACL revokes subscriber read access, the current object state is replaced with the last authorized original snapshot. For enter, when the pre-save ACL denied read access, the original snapshot is set to null before sending.
Integration test suite, helpers, and three scenarios spec/ParseLiveQuery.spec.js	Adds a new ParseLiveQuery ACL transition disclosure suite with per-test socket teardown and an openClient helper that opens authenticated raw WebSocket connections with message polling. Three tests cover: leave-on-ACL-revocation (field value must not disclose post-revocation state), enter-on-ACL-grant (original must be absent), and query-mismatch leave with retained read access (current object state is delivered).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is completely empty with no content provided against the required template structure.	Add a comprehensive description following the template, including Issue link, Approach explaining the ACL/LiveQuery security fix, and indicate completed tasks (tests and security checks appear to be included).

✅ Passed checks (6 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Security implementation is correct. PR properly addresses ACL transition disclosure vulnerability by distinguishing query-mismatch from ACL-change cases in leave/enter events, cloning objects, perf...
Engage In Review Feedback	✅ Passed	No substantive review feedback was exchanged on this PR - only an automated review request to CodeRabbit with no actual feedback comments to engage with or address.
Title check	✅ Passed	The PR title begins with the required 'fix:' prefix and clearly describes the main security fix addressing a LiveQuery ACL disclosure vulnerability.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.48%. Comparing base (97c6a78) to head (dd99c1f).
⚠️ Report is 3 commits behind head on release-8.x.x.

Additional details and impacted files

@@                Coverage Diff                @@
##           release-8.x.x   #10516      +/-   ##
=================================================
+ Coverage          92.43%   92.48%   +0.05%     
=================================================
  Files                192      192              
  Lines              16160    16175      +15     
  Branches             226      234       +8     
=================================================
+ Hits               14937    14959      +22     
+ Misses              1201     1196       -5     
+ Partials              22       20       -2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 8.6.83