feat: Add Parse Server option enableSanitizedErrorResponse to remove detailed error messages from responses sent to clients (#9944)

This commit is contained in:
Lucas Coratger
2025-11-28 19:48:35 +01:00
committed by GitHub
parent 73e78127c2
commit 47521974ae
24 changed files with 121 additions and 49 deletions


@@ -112,7 +112,7 @@ export class ClassesRouter extends PromiseRouter {
typeof req.body?.objectId === 'string' &&
req.body.objectId.startsWith('role:')
) {
throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.');
throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.', req.config);
}
return rest.create(
req.config,
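Review bot: The sanitization decision now rides on a `req.config` argument threaded through each throw site, and nothing in this hunk guards the case where `req.config` is undefined; whether `createSanitizedError` then returns the detailed message, the sanitized one, or throws is not visible on this page. A missed or mis-ordered argument at any call site would silently disable `enableSanitizedErrorResponse` there, so the helper should fail closed (treat a missing config as sanitized) or assert the argument, and a test that enables the option and exercises each router would catch such regressions. The same remark applies to the `req.config` additions in the GlobalConfigRouter, GraphQLRouter, PurgeRouter, PushRouter, createSchema/modifySchema/deleteSchema and UsersRouter hunks. The enclosing ClassesRouter handler starts and ends outside the hunk.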


@@ -5,7 +5,6 @@ import Config from '../Config';
import logger from '../logger';
const triggers = require('../triggers');
const Utils = require('../Utils');
import { createSanitizedError } from '../Error';
export class FilesRouter {
expressRouter({ maxUploadSize = '20Mb' } = {}) {
@@ -44,8 +43,7 @@ export class FilesRouter {
const config = Config.get(req.params.appId);
if (!config) {
res.status(403);
const err = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
res.json({ code: err.code, error: err.message });
res.json({ code: Parse.Error.OPERATION_FORBIDDEN, error: 'Invalid application ID.' });
return;
}
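Review bot: The `if (!config)` branch in FilesRouter now writes `Parse.Error.OPERATION_FORBIDDEN` and `'Invalid application ID.'` directly into the response, bypassing `createSanitizedError` while every other router in this commit goes through it, and the reason is not recorded, so a later reader will assume the sanitization was forgotten. Because `Config.get(req.params.appId)` returned nothing, there is no per-app `enableSanitizedErrorResponse` setting to consult here, which appears to be why the message is fixed; a comment such as `// No Config exists for this appId, so enableSanitizedErrorResponse cannot be consulted; the message is intentionally fixed.` above the `res.json` call would make the exception deliberate. The surrounding handler starts and ends outside the hunk.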


@@ -45,6 +45,7 @@ export class GlobalConfigRouter extends PromiseRouter {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to update the config.",
req.config
);
}
const params = req.body.params || {};


@@ -18,6 +18,7 @@ export class GraphQLRouter extends PromiseRouter {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to update the GraphQL config.",
req.config
);
}
const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body?.params || {});


@@ -9,6 +9,7 @@ export class PurgeRouter extends PromiseRouter {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to purge a schema.",
req.config
);
}
return req.config.database


@@ -13,6 +13,7 @@ export class PushRouter extends PromiseRouter {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to send push notifications.",
req.config
);
}
const pushController = req.config.pushController;


@@ -76,6 +76,7 @@ async function createSchema(req) {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to create a schema.",
req.config
);
}
if (req.params.className && req.body?.className) {
@@ -98,6 +99,7 @@ function modifySchema(req) {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to update a schema.",
req.config
);
}
if (req.body?.className && req.body.className != req.params.className) {
@@ -113,6 +115,7 @@ const deleteSchema = req => {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
"read-only masterKey isn't allowed to delete a schema.",
req.config
);
}
if (!SchemaController.classNameIsValid(req.params.className)) {


@@ -172,7 +172,7 @@ export class UsersRouter extends ClassesRouter {
handleMe(req) {
if (!req.info || !req.info.sessionToken) {
throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);
}
const sessionToken = req.info.sessionToken;
return rest
@@ -187,7 +187,7 @@ export class UsersRouter extends ClassesRouter {
)
.then(response => {
if (!response.results || response.results.length == 0 || !response.results[0].user) {
throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);
} else {
const user = response.results[0].user;
// Send token back on the login, because SDKs expect that.
@@ -338,6 +338,7 @@ export class UsersRouter extends ClassesRouter {
throw createSanitizedError(
Parse.Error.OPERATION_FORBIDDEN,
'master key is required',
req.config
);
}