fix: Server internal error details leaking in error messages returned to clients (#9937)

src/SharedRest.js

@@ -6,12 +6,16 @@ const classesWithMasterOnlyAccess = [
   '_JobSchedule',
   '_Idempotency',
 ];
+const { createSanitizedError } = require('./Error');
+
 // Disallowing access to the _Role collection except by master key
 function enforceRoleSecurity(method, className, auth) {
   if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) {
     if (method === 'delete' || method === 'find') {
-      const error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`;
-      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+      throw createSanitizedError(
+        Parse.Error.OPERATION_FORBIDDEN,
+        `Clients aren't allowed to perform the ${method} operation on the installation collection.`
+      );
     }
   }
 
@@ -21,14 +25,18 @@ function enforceRoleSecurity(method, className, auth) {
     !auth.isMaster &&
     !auth.isMaintenance
   ) {
-    const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`;
-    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+    throw createSanitizedError(
+      Parse.Error.OPERATION_FORBIDDEN,
+      `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
+    );
   }
 
   // readOnly masterKey is not allowed
   if (auth.isReadOnly && (method === 'delete' || method === 'create' || method === 'update')) {
-    const error = `read-only masterKey isn't allowed to perform the ${method} operation.`;
-    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+    throw createSanitizedError(
+      Parse.Error.OPERATION_FORBIDDEN,
+      `read-only masterKey isn't allowed to perform the ${method} operation.`
+    );
   }
 }