fix: brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144)

src/RestQuery.js

@@ -202,6 +202,9 @@ RestQuery.prototype.execute = function (executeOptions) {
     .then(() => {
       return this.buildRestWhere();
     })
+    .then(() => {
+      return this.denyProtectedFields();
+    })
     .then(() => {
       return this.handleIncludeAll();
     })
@@ -688,6 +691,30 @@ RestQuery.prototype.runCount = function () {
   });
 };
 
+RestQuery.prototype.denyProtectedFields = async function () {
+  if (this.auth.isMaster) {
+    return;
+  }
+  const schemaController = await this.config.database.loadSchema();
+  const protectedFields =
+    this.config.database.addProtectedFields(
+      schemaController,
+      this.className,
+      this.restWhere,
+      this.findOptions.acl,
+      this.auth,
+      this.findOptions
+    ) || [];
+  for (const key of protectedFields) {
+    if (this.restWhere[key]) {
+      throw new Parse.Error(
+        Parse.Error.OPERATION_FORBIDDEN,
+        `This user is not allowed to query ${key} on class ${this.className}`
+      );
+    }
+  }
+};
+
 // Augments this.response with all pointers on an object
 RestQuery.prototype.handleIncludeAll = function () {
   if (!this.includeAll) {