fix: LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) #10197

Merged
mtrezza merged 3 commits into parse-community:alpha from mtrezza:fix/GHSA-827p-g5x5-h86c-v9
Mar 14, 2026

Conversation

@mtrezza (Member) commented Mar 14, 2026

Issue

LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, in-code descriptions)

@parse-github-assistant bot commented Mar 14, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@parseplatformorg (Contributor) commented Mar 14, 2026

Snyk checks have passed. No issues have been found so far.

Scan engine: Open Source Security; Critical 0, High 0, Medium 0, Low 0; Total 0 issues

@coderabbitai bot commented Mar 14, 2026

Walkthrough

Adds validation and safe handling for invalid/malformed $regex in LiveQuery: tests, QueryTools change to return false on regex errors, and ParseLiveQueryServer updates to validate query constraints and catch per-subscription match errors to avoid crashing.

Changes

  • LiveQuery tests (spec/ParseLiveQuery.spec.js): Adds three tests for LiveQuery subscription behavior with invalid/non-string/malformed $regex, ensuring errors are reported and the server does not crash while valid subscriptions continue.
  • QueryTools tests (spec/QueryTools.spec.js): Adds three tests verifying that matchesQuery/safeRegexTest return false (not throw) on invalid regex syntax, invalid flags, and when regexTimeout is enabled.
  • LiveQuery server changes (src/LiveQuery/ParseLiveQueryServer.ts): Adds _validateQueryConstraints(where) to validate $regex (and nested $or/$and/$nor) and invokes it during subscribe/save/delete flows; wraps per-subscription matching in try/catch to log errors and continue processing.
  • Regex runtime safety (src/LiveQuery/QueryTools.js): Modifies safeRegexTest() to run regex execution inside try/catch and return false on errors (including timeouts) instead of throwing, while preserving timeout warning behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

  • Description check (⚠️ Warning): The pull request description is completely empty, with no issue reference, approach explanation, or task checklist completion despite a template being available. Resolution: Add a comprehensive description following the template: include the security advisory reference (GHSA-827p-g5x5-h86c), explain the approach to fixing regex validation in LiveQuery, and check completed tasks (tests and security checks appear to be addressed).
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

  • Title check (✅ Passed): The title clearly identifies the fix for a security vulnerability (GHSA-827p-g5x5-h86c) related to LiveQuery subscriptions crashing when invalid regular expressions are used, which directly matches the pull request's core changes.


@codecov bot commented Mar 14, 2026

Codecov Report

❌ Patch coverage is 67.39130% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.55%. Comparing base (b04ca5e) to head (39596f5).
⚠️ Report is 3 commits behind head on alpha.

Files with missing lines:
  • src/LiveQuery/ParseLiveQueryServer.ts: patch coverage 53.12%, 11 lines missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10197      +/-   ##
==========================================
- Coverage   92.61%   92.55%   -0.07%     
==========================================
  Files         192      192              
  Lines       16259    16288      +29     
  Branches      190      199       +9     
==========================================
+ Hits        15059    15076      +17     
- Misses       1187     1195       +8     
- Partials       13       17       +4     


@coderabbitai bot left a review comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/ParseLiveQuery.spec.js`:
- Around line 664-694: The test only creates a valid subscription
(validSubscription) so it never exercises the invalid-subscription path; update
the spec to either (a) seed a malformed subscription on the LiveQuery server
before saving the object (for example by creating a subscription that contains
an invalid $regex query for class 'TestObject') or (b) stub the LiveQuery
class's _matchesSubscription (or the _onAfterSave hook) to throw once when
checking subscriptions while leaving the valid Parse.Query.subscribe() active,
then assert the validSubscription still receives the 'update' event; locate and
modify the test around the validSubscription creation and the updatePromise so
the malformed subscription or stub is added before object.save() to ensure the
server code path handling bad subscriptions is exercised.

In `@spec/QueryTools.spec.js`:
- Around line 583-596: The test sets module-global regex timeout via
setRegexTimeout(100) but doesn't guarantee reset on failure; wrap the assertions
that call matchesQuery(...) in a try/finally block and move setRegexTimeout(0)
into the finally so setRegexTimeout is always called (restore to 0) even if an
expectation throws; locate the test case using setRegexTimeout and matchesQuery
in the spec and update it accordingly.

In `@src/LiveQuery/ParseLiveQueryServer.ts`:
- Around line 543-556: The regex validation currently only checks compilability
but doesn't reject non-string scalars (e.g. { $regex: 123 }); update the
validation in ParseLiveQueryServer (the block that inspects constraint.$regex)
to first enforce type guards: allow either a string or an object with a string
`source` (and optional string `flags`), and if not, throw new
Parse.Error(Parse.Error.INVALID_QUERY, 'Invalid regular expression: $regex must
be a string or { source: string, flags?: string }'); for the object branch also
validate that `constraint.$regex.source` is a string and
`constraint.$regex.flags` (if present) is a string before attempting new
RegExp(pattern, flags) so malformed payloads are rejected before being stored
(this aligns with how QueryTools.js expects string behavior).
- Around line 559-565: The forEach callbacks currently use expression-bodied
arrows that implicitly return the result of
this._validateQueryConstraints(subQuery), triggering the lint rule; update both
forEach usages (the one iterating constraint[op] inside the loop over
['$or','$and','$nor'] and the one iterating where[key]) to use block-bodied
callbacks that call this._validateQueryConstraints(subQuery); without returning
anything (e.g. change subQuery => this._validateQueryConstraints(subQuery) to
subQuery => { this._validateQueryConstraints(subQuery); }).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cfcf62d2-b054-4ad4-a53d-701cbb5ffc79

📥 Commits

Reviewing files that changed from the base of the PR and between 10854f4 and 35580b6.

📒 Files selected for processing (4)
  • spec/ParseLiveQuery.spec.js
  • spec/QueryTools.spec.js
  • src/LiveQuery/ParseLiveQueryServer.ts
  • src/LiveQuery/QueryTools.js
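As an added example, not parse-server's own code, the following sketches the defensive pattern that the walkthrough and the inline review comments describe: a subscribe-time validator that rejects non-string `$regex` scalars and uncompilable patterns (recursing into `$or`/`$and`/`$nor`), a runtime `safeRegexTest` that turns regex errors into "no match", and a matching loop that isolates each subscription so one bad matcher cannot take down the rest. The function names, the `InvalidQueryError` class, treating a sibling `$options` field as the flags for a string `$regex`, and the sample subscriptions are assumptions made for the illustration.

```javascript
// Added illustration of the defensive pattern discussed in the review
// (not parse-server's code). All names below are assumptions.

class InvalidQueryError extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidQueryError';
  }
}

const LOGICAL_OPS = ['$or', '$and', '$nor'];

// Subscribe-time check: reject malformed $regex constraints before they are stored.
// Accepts a string (with optional string $options as flags, an assumption here)
// or { source: string, flags?: string }; recurses into $or/$and/$nor sub-queries.
function validateQueryConstraints(where) {
  if (!where || typeof where !== 'object') return;
  for (const op of LOGICAL_OPS) {
    if (Array.isArray(where[op])) {
      // Block-bodied callback so nothing is implicitly returned from forEach.
      where[op].forEach(subQuery => { validateQueryConstraints(subQuery); });
    }
  }
  for (const key of Object.keys(where)) {
    if (LOGICAL_OPS.includes(key)) continue;
    const constraint = where[key];
    if (!constraint || typeof constraint !== 'object' || !('$regex' in constraint)) continue;
    const raw = constraint.$regex;
    let pattern;
    let flags;
    if (typeof raw === 'string') {
      pattern = raw;
      flags = typeof constraint.$options === 'string' ? constraint.$options : undefined;
    } else if (raw && typeof raw === 'object' && typeof raw.source === 'string'
               && (raw.flags === undefined || typeof raw.flags === 'string')) {
      pattern = raw.source;
      flags = raw.flags;
    } else {
      // Type guard: a number, null, array, etc. is rejected up front.
      throw new InvalidQueryError(
        'Invalid regular expression: $regex must be a string or { source: string, flags?: string }'
      );
    }
    try {
      new RegExp(pattern, flags); // compilability check (bad syntax or bad flags throw)
    } catch (e) {
      throw new InvalidQueryError(`Invalid regular expression: ${e.message}`);
    }
  }
}

// Runtime guard: a regex that throws is treated as "no match" rather than
// letting the exception escape the matching loop.
function safeRegexTest(pattern, flags, value) {
  try {
    return new RegExp(pattern, flags).test(value);
  } catch (e) {
    return false;
  }
}

// Per-subscription isolation: a subscription whose matcher throws is logged
// and skipped; every remaining subscription is still evaluated.
function matchSubscriptions(subscriptions, object, log = () => {}) {
  const matched = [];
  for (const sub of subscriptions) {
    try {
      if (sub.matches(object)) matched.push(sub.id);
    } catch (e) {
      log(`subscription ${sub.id} failed to match: ${e.message}`);
    }
  }
  return matched;
}

// Constructed sample subscriptions (not real LiveQuery state): one that
// throws sits between two valid ones.
const SAMPLE_SUBSCRIPTIONS = [
  { id: 'good-1', matches: obj => safeRegexTest('^foo', undefined, obj.name) },
  { id: 'broken', matches: () => { throw new Error('boom'); } },
  { id: 'good-2', matches: obj => safeRegexTest('bar$', 'i', obj.name) },
];

// Example usage: both valid subscriptions still fire despite the broken one.
console.log(matchSubscriptions(SAMPLE_SUBSCRIPTIONS, { name: 'fooBAR' }, console.error));
```

The two layers are deliberately redundant: validation stops malformed payloads at the door, while the try/catch in the matcher loop covers anything that slips through or fails only at execution time, so a single subscriber's bad pattern is a logged error for that subscriber instead of a crash for everyone.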

@mtrezza mtrezza changed the title fix: GHSA-827p-g5x5-h86c v9 fix: LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) Mar 14, 2026
@mtrezza mtrezza merged commit 0ae0eee into parse-community:alpha Mar 14, 2026
20 of 22 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 14, 2026
# [9.6.0-alpha.19](9.6.0-alpha.18...9.6.0-alpha.19) (2026-03-14)

### Bug Fixes

* LiveQuery subscription with invalid regular expression crashes server ([GHSA-827p-g5x5-h86c](https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c)) ([#10197](#10197)) ([0ae0eee](0ae0eee))
@parseplatformorg (Contributor) commented

🎉 This change has been released in version 9.6.0-alpha.19

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Mar 14, 2026