fix: sensitive keyword detection may produce false positives (#7881)

src/Controllers/DatabaseController.js

@@ -11,6 +11,7 @@ import intersect from 'intersect';
 // @flow-disable-next
 import deepcopy from 'deepcopy';
 import logger from '../logger';
+import Utils from '../Utils';
 import * as SchemaController from './SchemaController';
 import { StorageAdapter } from '../Adapters/Storage/StorageAdapter';
 import MongoStorageAdapter from '../Adapters/Storage/Mongo/MongoStorageAdapter';
@@ -1763,8 +1764,8 @@ class DatabaseController {
     if (this.options && this.options.requestKeywordDenylist) {
       // Scan request data for denied keywords
       for (const keyword of this.options.requestKeywordDenylist) {
-        const isMatch = (a, b) => (typeof a === 'string' && new RegExp(a).test(b)) || a === b;
-        if (isMatch(firstKey, keyword.key)) {
+        const match = Utils.objectContainsKeyValue({ firstKey: undefined }, keyword.key, undefined);
+        if (match) {
           throw new Parse.Error(
             Parse.Error.INVALID_KEY_NAME,
             `Prohibited keyword in request data: ${JSON.stringify(keyword)}.`

src/Utils.js

@@ -341,9 +341,9 @@ class Utils {
    * @returns {Boolean} True if a match was found, false otherwise.
    */
   static objectContainsKeyValue(obj, key, value) {
-    const isMatch = (a, b) => (typeof a === 'string' && new RegExp(a).test(b)) || a === b;
-    const isKeyMatch = k => isMatch(key, k);
-    const isValueMatch = v => isMatch(value, v);
+    const isMatch = (a, b) => (typeof a === 'string' && new RegExp(b).test(a)) || a === b;
+    const isKeyMatch = k => isMatch(k, key);
+    const isValueMatch = v => isMatch(v, value);
     for (const [k, v] of Object.entries(obj)) {
       if (key !== undefined && value === undefined && isKeyMatch(k)) {
         return true;