fix: Server internal error details leaking in error messages returned to clients (#9937)

2025-11-23 13:51:42 +01:00
parent 38c9d2e359
commit 50edb5ab4b
35 changed files with 390 additions and 125 deletions
--- a/src/GraphQL/loaders/schemaMutations.js
+++ b/src/GraphQL/loaders/schemaMutations.js
@@ -6,6 +6,7 @@ import * as schemaTypes from './schemaTypes';
 import { transformToParse, transformToGraphQL } from '../transformers/schemaFields';
 import { enforceMasterKeyAccess } from '../parseGraphQLUtils';
 import { getClass } from './schemaQueries';
+import { createSanitizedError } from '../../Error';

 const load = parseGraphQLSchema => {
  const createClassMutation = mutationWithClientMutationId({
@@ -33,9 +34,9 @@ const load = parseGraphQLSchema => {
        enforceMasterKeyAccess(auth);

        if (auth.isReadOnly) {
-          throw new Parse.Error(
+          throw createSanitizedError(
            Parse.Error.OPERATION_FORBIDDEN,
-            "read-only masterKey isn't allowed to create a schema."
+            "read-only masterKey isn't allowed to create a schema.",
          );
        }

@@ -82,7 +83,7 @@ const load = parseGraphQLSchema => {
        enforceMasterKeyAccess(auth);

        if (auth.isReadOnly) {
-          throw new Parse.Error(
+          throw createSanitizedError(
            Parse.Error.OPERATION_FORBIDDEN,
            "read-only masterKey isn't allowed to update a schema."
          );
@@ -133,9 +134,9 @@ const load = parseGraphQLSchema => {
        enforceMasterKeyAccess(auth);

        if (auth.isReadOnly) {
-          throw new Parse.Error(
+          throw createSanitizedError(
            Parse.Error.OPERATION_FORBIDDEN,
-            "read-only masterKey isn't allowed to delete a schema."
+            "read-only masterKey isn't allowed to delete a schema.",
          );
        }

--- a/src/GraphQL/loaders/usersQueries.js
+++ b/src/GraphQL/loaders/usersQueries.js
@@ -4,11 +4,12 @@ import Parse from 'parse/node';
 import rest from '../../rest';
 import { extractKeysAndInclude } from './parseClassTypes';
 import { Auth } from '../../Auth';
+import { createSanitizedError } from '../../Error';

 const getUserFromSessionToken = async (context, queryInfo, keysPrefix, userId) => {
  const { info, config } = context;
  if (!info || !info.sessionToken) {
-    throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
+    throw  createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
  }
  const sessionToken = info.sessionToken;
  const selectedFields = getFieldNames(queryInfo)
@@ -62,7 +63,7 @@ const getUserFromSessionToken = async (context, queryInfo, keysPrefix, userId) =
    info.context
  );
  if (!response.results || response.results.length == 0) {
-    throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
+    throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
  } else {
    const user = response.results[0];
    return {
--- a/src/GraphQL/parseGraphQLUtils.js
+++ b/src/GraphQL/parseGraphQLUtils.js
@@ -1,9 +1,13 @@
 import Parse from 'parse/node';
 import { GraphQLError } from 'graphql';
+import { createSanitizedError } from '../Error';

 export function enforceMasterKeyAccess(auth) {
  if (!auth.isMaster) {
-    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'unauthorized: master key is required');
+    throw createSanitizedError(
+      Parse.Error.OPERATION_FORBIDDEN,
+      'unauthorized: master key is required',
+    );
  }
 }