feat: Add Parse Server option enableSanitizedErrorResponse to remove detailed error messages from responses sent to clients (#9944)

coratgerl · web-flow · commit 47521974aeaf · 2025-11-28T19:48:35.000+01:00
diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
@@ -767,13 +767,11 @@ describe('Parse.File testing', () => {
 
   describe('getting files', () => {
     it('does not crash on file request with invalid app ID', async () => {
-      loggerErrorSpy.calls.reset();
       const res1 = await request({
         url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
       }).catch(e => e);
       expect(res1.status).toBe(403);
-      expect(res1.data).toEqual({ code: 119, error: 'Permission denied' });
-      expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Invalid application ID.'));
+      expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
       // Ensure server did not crash
       const res2 = await request({ url: 'http://localhost:8378/1/health' });
       expect(res2.status).toEqual(200);
diff --git a/spec/Utils.spec.js b/spec/Utils.spec.js
@@ -1,4 +1,5 @@
-const Utils = require('../src/Utils');
+const Utils = require('../lib/Utils');
+const { createSanitizedError, createSanitizedHttpError } = require("../lib/Error")
 
 describe('Utils', () => {
   describe('encodeForUrl', () => {
@@ -173,4 +174,42 @@ describe('Utils', () => {
       expect(Utils.getNestedProperty(obj, 'database.name')).toBe('');
     });
   });
+
+  describe('createSanitizedError', () => {
+    it('should return "Permission denied" when enableSanitizedErrorResponse is true', () => {
+      const config = { enableSanitizedErrorResponse: true };
+      const error = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Detailed error message', config);
+      expect(error.message).toBe('Permission denied');
+    });
+
+    it('should not crash with config undefined', () => {
+      const error = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Detailed error message', undefined);
+      expect(error.message).toBe('Permission denied');
+    });
+
+    it('should return the detailed message when enableSanitizedErrorResponse is false', () => {
+      const config = { enableSanitizedErrorResponse: false };
+      const error = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Detailed error message', config);
+      expect(error.message).toBe('Detailed error message');
+    });
+  });
+
+  describe('createSanitizedHttpError', () => {
+    it('should return "Permission denied" when enableSanitizedErrorResponse is true', () => {
+      const config = { enableSanitizedErrorResponse: true };
+      const error = createSanitizedHttpError(403, 'Detailed error message', config);
+      expect(error.message).toBe('Permission denied');
+    });
+
+    it('should not crash with config undefined', () => {
+      const error = createSanitizedHttpError(403, 'Detailed error message', undefined);
+      expect(error.message).toBe('Permission denied');
+    });
+
+    it('should return the detailed message when enableSanitizedErrorResponse is false', () => {
+      const config = { enableSanitizedErrorResponse: false };
+      const error = createSanitizedHttpError(403, 'Detailed error message', config);
+      expect(error.message).toBe('Detailed error message');
+    });
+  });
 });
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -1399,19 +1399,22 @@ export default class SchemaController {
       return true;
     }
     const perms = classPermissions[operation];
+    const config = Config.get(Parse.applicationId)
     // If only for authenticated users
     // make sure we have an aclGroup
     if (perms['requiresAuthentication']) {
       // If aclGroup has * (public)
       if (!aclGroup || aclGroup.length == 0) {
         throw createSanitizedError(
           Parse.Error.OBJECT_NOT_FOUND,
-          'Permission denied, user needs to be authenticated.'
+          'Permission denied, user needs to be authenticated.',
+          config
         );
       } else if (aclGroup.indexOf('*') > -1 && aclGroup.length == 1) {
         throw createSanitizedError(
           Parse.Error.OBJECT_NOT_FOUND,
-          'Permission denied, user needs to be authenticated.'
+          'Permission denied, user needs to be authenticated.',
+          config
         );
       }
       // requiresAuthentication passed, just move forward
@@ -1428,7 +1431,8 @@ export default class SchemaController {
     if (permissionField == 'writeUserFields' && operation == 'create') {
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
-        `Permission denied for action ${operation} on class ${className}.`
+        `Permission denied for action ${operation} on class ${className}.`,
+        config
       );
     }
 
@@ -1451,7 +1455,8 @@ export default class SchemaController {
 
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
-      `Permission denied for action ${operation} on class ${className}.`
+      `Permission denied for action ${operation} on class ${className}.`,
+      config
     );
   }
 
diff --git a/src/Error.js b/src/Error.js
@@ -8,15 +8,15 @@ import defaultLogger from './logger';
  * @param {string} detailedMessage - The detailed error message to log server-side
  * @returns {Parse.Error} A Parse.Error with sanitized message
  */
-function createSanitizedError(errorCode, detailedMessage) {
+function createSanitizedError(errorCode, detailedMessage, config) {
   // On testing we need to add a prefix to the message to allow to find the correct call in the TestUtils.js file
   if (process.env.TESTING) {
     defaultLogger.error('Sanitized error:', detailedMessage);
   } else {
     defaultLogger.error(detailedMessage);
   }
 
-  return new Parse.Error(errorCode, 'Permission denied');
+  return new Parse.Error(errorCode, config?.enableSanitizedErrorResponse !== false ? 'Permission denied' : detailedMessage);
 }
 
 /**
@@ -27,7 +27,7 @@ function createSanitizedError(errorCode, detailedMessage) {
  * @param {string} detailedMessage - The detailed error message to log server-side
  * @returns {Error} An Error with sanitized message
  */
-function createSanitizedHttpError(statusCode, detailedMessage) {
+function createSanitizedHttpError(statusCode, detailedMessage, config) {
   // On testing we need to add a prefix to the message to allow to find the correct call in the TestUtils.js file
   if (process.env.TESTING) {
     defaultLogger.error('Sanitized error:', detailedMessage);
@@ -37,7 +37,7 @@ function createSanitizedHttpError(statusCode, detailedMessage) {
 
   const error = new Error();
   error.status = statusCode;
-  error.message = 'Permission denied';
+  error.message = config?.enableSanitizedErrorResponse !== false ? 'Permission denied' : detailedMessage;
   return error;
 }
 
diff --git a/src/GraphQL/loaders/schemaMutations.js b/src/GraphQL/loaders/schemaMutations.js
@@ -31,12 +31,13 @@ const load = parseGraphQLSchema => {
         const { name, schemaFields } = deepcopy(args);
         const { config, auth } = context;
 
-        enforceMasterKeyAccess(auth);
+        enforceMasterKeyAccess(auth, config);
 
         if (auth.isReadOnly) {
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
             "read-only masterKey isn't allowed to create a schema.",
+            config
           );
         }
 
@@ -80,12 +81,13 @@ const load = parseGraphQLSchema => {
         const { name, schemaFields } = deepcopy(args);
         const { config, auth } = context;
 
-        enforceMasterKeyAccess(auth);
+        enforceMasterKeyAccess(auth, config);
 
         if (auth.isReadOnly) {
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
-            "read-only masterKey isn't allowed to update a schema."
+            "read-only masterKey isn't allowed to update a schema.",
+            config
           );
         }
 
@@ -131,12 +133,13 @@ const load = parseGraphQLSchema => {
         const { name } = deepcopy(args);
         const { config, auth } = context;
 
-        enforceMasterKeyAccess(auth);
+        enforceMasterKeyAccess(auth, config);
 
         if (auth.isReadOnly) {
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
             "read-only masterKey isn't allowed to delete a schema.",
+            config
           );
         }
 
diff --git a/src/GraphQL/loaders/schemaQueries.js b/src/GraphQL/loaders/schemaQueries.js
@@ -31,7 +31,7 @@ const load = parseGraphQLSchema => {
           const { name } = deepcopy(args);
           const { config, auth } = context;
 
-          enforceMasterKeyAccess(auth);
+          enforceMasterKeyAccess(auth, config);
 
           const schema = await config.database.loadSchema({ clearCache: true });
           const parseClass = await getClass(name, schema);
@@ -57,7 +57,7 @@ const load = parseGraphQLSchema => {
         try {
           const { config, auth } = context;
 
-          enforceMasterKeyAccess(auth);
+          enforceMasterKeyAccess(auth, config);
 
           const schema = await config.database.loadSchema({ clearCache: true });
           return (await schema.getAllClasses(true)).map(parseClass => ({
diff --git a/src/GraphQL/loaders/usersQueries.js b/src/GraphQL/loaders/usersQueries.js
@@ -9,7 +9,7 @@ import { createSanitizedError } from '../../Error';
 const getUserFromSessionToken = async (context, queryInfo, keysPrefix, userId) => {
   const { info, config } = context;
   if (!info || !info.sessionToken) {
-    throw  createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
+    throw  createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', config);
   }
   const sessionToken = info.sessionToken;
   const selectedFields = getFieldNames(queryInfo)
@@ -63,7 +63,7 @@ const getUserFromSessionToken = async (context, queryInfo, keysPrefix, userId) =
     info.context
   );
   if (!response.results || response.results.length == 0) {
-    throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
+    throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', config);
   } else {
     const user = response.results[0];
     return {
diff --git a/src/GraphQL/parseGraphQLUtils.js b/src/GraphQL/parseGraphQLUtils.js
@@ -2,11 +2,12 @@ import Parse from 'parse/node';
 import { GraphQLError } from 'graphql';
 import { createSanitizedError } from '../Error';
 
-export function enforceMasterKeyAccess(auth) {
+export function enforceMasterKeyAccess(auth, config) {
   if (!auth.isMaster) {
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       'unauthorized: master key is required',
+      config
     );
   }
 }
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -247,6 +247,13 @@ module.exports.ParseServerOptions = {
     action: parsers.booleanParser,
     default: true,
   },
+  enableSanitizedErrorResponse: {
+    env: 'PARSE_SERVER_ENABLE_SANITIZED_ERROR_RESPONSE',
+    help:
+      'If set to `true`, error details are removed from error messages in responses to client requests, and instead a generic error message is sent. Default is `true`.',
+    action: parsers.booleanParser,
+    default: true,
+  },
   encodeParseObjectInCloudFunction: {
     env: 'PARSE_SERVER_ENCODE_PARSE_OBJECT_IN_CLOUD_FUNCTION',
     help:
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -347,6 +347,9 @@ export interface ParseServerOptions {
   rateLimit: ?(RateLimitOptions[]);
   /* Options to customize the request context using inversion of control/dependency injection.*/
   requestContextMiddleware: ?(req: any, res: any, next: any) => void;
+  /* If set to `true`, error details are removed from error messages in responses to client requests, and instead a generic error message is sent. Default is `true`.
+  :DEFAULT: true */
+  enableSanitizedErrorResponse: ?boolean;
 }
 
 export interface RateLimitOptions {
diff --git a/src/RestQuery.js b/src/RestQuery.js
@@ -52,7 +52,7 @@ async function RestQuery({
     throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad query type');
   }
   const isGet = method === RestQuery.Method.get;
-  enforceRoleSecurity(method, className, auth);
+  enforceRoleSecurity(method, className, auth, config);
   const result = runBeforeFind
     ? await triggers.maybeRunQueryTrigger(
       triggers.Types.beforeFind,
@@ -121,7 +121,7 @@ function _UnsafeRestQuery(
   if (!this.auth.isMaster) {
     if (this.className == '_Session') {
       if (!this.auth.user) {
-        throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
+        throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', config);
       }
       this.restWhere = {
         $and: [
@@ -424,7 +424,8 @@ _UnsafeRestQuery.prototype.validateClientClassCreation = function () {
         if (hasClass !== true) {
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
-            'This user is not allowed to access ' + 'non-existent class: ' + this.className
+            'This user is not allowed to access ' + 'non-existent class: ' + this.className,
+            this.config
           );
         }
       });
@@ -803,7 +804,8 @@ _UnsafeRestQuery.prototype.denyProtectedFields = async function () {
     if (this.restWhere[key]) {
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
-        `This user is not allowed to query ${key} on class ${this.className}`
+        `This user is not allowed to query ${key} on class ${this.className}`,
+        this.config
       );
     }
   }
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -33,6 +33,7 @@ function RestWrite(config, auth, className, query, data, originalData, clientSDK
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
       'Cannot perform a write operation when using readOnlyMasterKey',
+      config
     );
   }
   this.config = config;
@@ -203,6 +204,7 @@ RestWrite.prototype.validateClientClassCreation = function () {
           throw createSanitizedError(
             Parse.Error.OPERATION_FORBIDDEN,
             'This user is not allowed to access non-existent class: ' + this.className,
+            this.config
           );
         }
       });
@@ -662,7 +664,8 @@ RestWrite.prototype.checkRestrictedFields = async function () {
   if (!this.auth.isMaintenance && !this.auth.isMaster && 'emailVerified' in this.data) {
     throw createSanitizedError(
       Parse.Error.OPERATION_FORBIDDEN,
-      "Clients aren't allowed to manually update email verification."
+      "Clients aren't allowed to manually update email verification.",
+      this.config
     );
   }
 };
@@ -1454,7 +1457,8 @@ RestWrite.prototype.runDatabaseOperation = function () {
   if (this.className === '_User' && this.query && this.auth.isUnauthenticated()) {
     throw createSanitizedError(
       Parse.Error.SESSION_MISSING,
-      `Cannot modify user ${this.query.objectId}.`
+      `Cannot modify user ${this.query.objectId}.`,
+      this.config
     );
   }
 
diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js
@@ -112,7 +112,7 @@ export class ClassesRouter extends PromiseRouter {
       typeof req.body?.objectId === 'string' &&
       req.body.objectId.startsWith('role:')
     ) {
-      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.');
+      throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.', req.config);
     }
     return rest.create(
       req.config,
diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js
@@ -5,7 +5,6 @@ import Config from '../Config';
 import logger from '../logger';
 const triggers = require('../triggers');
 const Utils = require('../Utils');
-import { createSanitizedError } from '../Error';
 
 export class FilesRouter {
   expressRouter({ maxUploadSize = '20Mb' } = {}) {
@@ -44,8 +43,7 @@ export class FilesRouter {
     const config = Config.get(req.params.appId);
     if (!config) {
       res.status(403);
-      const err = createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, 'Invalid application ID.');
-      res.json({ code: err.code, error: err.message });
+      res.json({ code: Parse.Error.OPERATION_FORBIDDEN, error: 'Invalid application ID.' });
       return;
     }
 
diff --git a/src/Routers/GlobalConfigRouter.js b/src/Routers/GlobalConfigRouter.js
@@ -45,6 +45,7 @@ export class GlobalConfigRouter extends PromiseRouter {
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to update the config.",
+        req.config
       );
     }
     const params = req.body.params || {};
diff --git a/src/Routers/GraphQLRouter.js b/src/Routers/GraphQLRouter.js
@@ -18,6 +18,7 @@ export class GraphQLRouter extends PromiseRouter {
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to update the GraphQL config.",
+        req.config
       );
     }
     const data = await req.config.parseGraphQLController.updateGraphQLConfig(req.body?.params || {});
diff --git a/src/Routers/PurgeRouter.js b/src/Routers/PurgeRouter.js
@@ -9,6 +9,7 @@ export class PurgeRouter extends PromiseRouter {
       throw createSanitizedError(
         Parse.Error.OPERATION_FORBIDDEN,
         "read-only masterKey isn't allowed to purge a schema.",
+        req.config
       );
     }
     return req.config.database
diff --git a/src/Routers/PushRouter.js b/src/Routers/PushRouter.js
diff --git a/src/Routers/SchemasRouter.js b/src/Routers/SchemasRouter.js
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
diff --git a/src/SharedRest.js b/src/SharedRest.js
diff --git a/src/middlewares.js b/src/middlewares.js
diff --git a/src/rest.js b/src/rest.js

Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,12 @@ import Parse from 'parse/node';`
`2`	`2`	`import { GraphQLError } from 'graphql';`
`3`	`3`	`import { createSanitizedError } from '../Error';`
`4`	`4`
`5`		`-export function enforceMasterKeyAccess(auth) {`
	`5`	`+export function enforceMasterKeyAccess(auth, config) {`
`6`	`6`	`if (!auth.isMaster) {`
`7`	`7`	`throw createSanitizedError(`
`8`	`8`	`Parse.Error.OPERATION_FORBIDDEN,`
`9`	`9`	`'unauthorized: master key is required',`
	`10`	`+ config`
`10`	`11`	`);`
`11`	`12`	`}`
`12`	`13`	`}`