fix: auto review

coratgerl · coratgerl · commit 16cf79393293 · 2025-11-19T18:25:13.000+01:00
diff --git a/spec/ParseInstallation.spec.js b/spec/ParseInstallation.spec.js
@@ -7,6 +7,7 @@ const Config = require('../lib/Config');
 const Parse = require('parse/node').Parse;
 const rest = require('../lib/rest');
 const request = require('../lib/request');
+const { getSanitizedErrorCall } = require('../lib/TestUtils');
 
 let config;
 let database;
@@ -157,6 +158,9 @@ describe('Installations', () => {
   });
 
   it('should properly fail queying installations', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
+
     const installId = '12345678-abcd-abcd-abcd-123456789abc';
     const device = 'android';
     const input = {
@@ -174,10 +178,11 @@ describe('Installations', () => {
         done();
       })
       .catch(error => {
-        expect(error.code).toBe(119);
+        expect(error.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(error.message).toBe(
           'Permission denied'
         );
+        sanitizedErrorCall.checkMessage("Clients aren't allowed to perform the find operation on the installation collection.", callCountBefore);
         done();
       });
   });
diff --git a/spec/rest.spec.js b/spec/rest.spec.js
@@ -775,6 +775,8 @@ describe('rest create', () => {
   });
 
   it('cannot get object in volatileClasses if not masterKey through pointer', async () => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     const masterKeyOnlyClassObject = new Parse.Object('_PushStatus');
     await masterKeyOnlyClassObject.save(null, { useMasterKey: true });
     const obj2 = new Parse.Object('TestObject');
@@ -788,9 +790,12 @@ describe('rest create', () => {
     await expectAsync(query.get(obj2.id)).toBeRejectedWithError(
       'Permission denied'
     );
+    sanitizedErrorCall.checkMessage("Clients aren't allowed to perform the get operation on the _PushStatus collection.", callCountBefore);
   });
 
   it_id('3ce563bf-93aa-4d0b-9af9-c5fb246ac9fc')(it)('cannot get object in _GlobalConfig if not masterKey through pointer', async () => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     await Parse.Config.save({ privateData: 'secret' }, { privateData: true });
     const obj2 = new Parse.Object('TestObject');
     obj2.set('globalConfigPointer', {
@@ -804,6 +809,7 @@ describe('rest create', () => {
     await expectAsync(query.get(obj2.id)).toBeRejectedWithError(
       'Permission denied'
     );
+    sanitizedErrorCall.checkMessage("Clients aren't allowed to perform the get operation on the _GlobalConfig collection.", callCountBefore);
   });
 
   it('locks down session', done => {
@@ -949,6 +955,8 @@ describe('rest update', () => {
 
 describe('read-only masterKey', () => {
   it('properly throws on rest.create, rest.update and rest.del', () => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     const config = Config.get('test');
     const readOnly = auth.readOnly(config);
     expect(() => {
@@ -959,6 +967,7 @@ describe('read-only masterKey', () => {
         'Permission denied'
       )
     );
+    sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to perform the create operation.", callCountBefore);
     expect(() => {
       rest.update(config, readOnly, 'AnObject', {});
     }).toThrow();
@@ -971,6 +980,8 @@ describe('read-only masterKey', () => {
     await reconfigureServer({
       readOnlyMasterKey: 'yolo-read-only',
     });
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     try {
       await request({
         url: `${Parse.serverURL}/classes/MyYolo`,
@@ -988,6 +999,7 @@ describe('read-only masterKey', () => {
       expect(res.data.error).toBe(
         'Permission denied'
       );
+      sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to perform the create operation.", callCountBefore);
     }
     await reconfigureServer();
   });
@@ -1015,18 +1027,20 @@ describe('read-only masterKey', () => {
   });
 
   it('should throw when trying to create RestWrite', () => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     const config = Config.get('test');
     expect(() => {
       new RestWrite(config, auth.readOnly(config));
     }).toThrow(
-      new Parse.Error(
-        Parse.Error.OPERATION_FORBIDDEN,
-        'Cannot perform a write operation when using readOnlyMasterKey'
-      )
+      new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Permission denied')
     );
+    sanitizedErrorCall.checkMessage("Cannot perform a write operation when using readOnlyMasterKey", callCountBefore);
   });
 
   it('should throw when trying to create schema', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       method: 'POST',
       url: `${Parse.serverURL}/schemas`,
@@ -1041,11 +1055,14 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe('Permission denied');
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to create a schema.", callCountBefore);
         done();
       });
   });
 
   it('should throw when trying to create schema with a name', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: `${Parse.serverURL}/schemas/MyClass`,
       method: 'POST',
@@ -1060,11 +1077,14 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe('Permission denied');
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to create a schema.", callCountBefore);
         done();
       });
   });
 
   it('should throw when trying to update schema', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: `${Parse.serverURL}/schemas/MyClass`,
       method: 'PUT',
@@ -1079,11 +1099,14 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe('Permission denied');
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to update a schema.", callCountBefore);
         done();
       });
   });
 
   it('should throw when trying to delete schema', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: `${Parse.serverURL}/schemas/MyClass`,
       method: 'DELETE',
@@ -1098,11 +1121,14 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe('Permission denied');
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to delete a schema.", callCountBefore);
         done();
       });
   });
 
   it('should throw when trying to update the global config', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: `${Parse.serverURL}/config`,
       method: 'PUT',
@@ -1117,11 +1143,14 @@ describe('read-only masterKey', () => {
       .catch(res => {
         expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
         expect(res.data.error).toBe('Permission denied');
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to update the config.", callCountBefore);
         done();
       });
   });
 
   it('should throw when trying to send push', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: `${Parse.serverURL}/push`,
       method: 'POST',
@@ -1138,6 +1167,7 @@ describe('read-only masterKey', () => {
         expect(res.data.error).toBe(
           'Permission denied'
         );
+        sanitizedErrorCall.checkMessage("read-only masterKey isn't allowed to send push notifications.", callCountBefore);
         done();
       });
   });
diff --git a/spec/schemas.spec.js b/spec/schemas.spec.js
@@ -168,25 +168,31 @@ describe('schemas', () => {
   });
 
   it('requires the master key to get one schema', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: 'http://localhost:8378/1/schemas/SomeSchema',
       json: true,
       headers: restKeyHeaders,
     }).then(fail, response => {
       expect(response.status).toEqual(403);
       expect(response.data.error).toEqual('Permission denied');
+      sanitizedErrorCall.checkMessage("unauthorized: master key is required", callCountBefore);
       done();
     });
   });
 
   it('asks for the master key if you use the rest key', done => {
+    const sanitizedErrorCall = getSanitizedErrorCall();
+    const callCountBefore = sanitizedErrorCall.callCountBefore();
     request({
       url: 'http://localhost:8378/1/schemas',
       json: true,
       headers: restKeyHeaders,
     }).then(fail, response => {
       expect(response.status).toEqual(403);
       expect(response.data.error).toEqual('Permission denied');
+      sanitizedErrorCall.checkMessage("unauthorized: master key is required", callCountBefore);
       done();
     });
   });
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
@@ -1,4 +1,5 @@
 const request = require('../lib/request');
+const { getSanitizedErrorCall } = require('../lib/TestUtils');
 
 describe('Vulnerabilities', () => {
   describe('(GHSA-8xq9-g7ch-35hg) Custom object ID allows to acquire role privilege', () => {
@@ -13,9 +14,12 @@ describe('Vulnerabilities', () => {
     });
 
     it('denies user creation with poisoned object ID', async () => {
+      const sanitizedErrorCall = getSanitizedErrorCall();
+      const callCountBefore = sanitizedErrorCall.callCountBefore();
       await expectAsync(
         new Parse.User({ id: 'role:a', username: 'a', password: '123' }).save()
       ).toBeRejectedWith(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Permission denied'));
+      sanitizedErrorCall.checkMessage("Invalid object ID.", callCountBefore);
     });
 
     describe('existing sessions for users with poisoned object ID', () => {
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -31,9 +31,9 @@ import defaultLogger from './logger';
 // for the _User class.
 function RestWrite(config, auth, className, query, data, originalData, clientSDK, context, action) {
   if (auth.isReadOnly) {
-    throw new Parse.Error(
+    throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
-      'Cannot perform a write operation when using readOnlyMasterKey'
+      'Cannot perform a write operation when using readOnlyMasterKey',
     );
   }
   this.config = config;
