feat: sanitize error for security

Author: coratgerl

spec/AudienceRouter.spec.js

@@ -269,7 +269,7 @@ describe('AudiencesRouter', () => {
     }).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -279,7 +279,7 @@ describe('AudiencesRouter', () => {
     Parse._request('GET', 'push_audiences', {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -289,7 +289,7 @@ describe('AudiencesRouter', () => {
     Parse._request('GET', `push_audiences/someId`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -301,7 +301,7 @@ describe('AudiencesRouter', () => {
     }).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );
@@ -311,7 +311,7 @@ describe('AudiencesRouter', () => {
     Parse._request('DELETE', `push_audiences/someId`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );

spec/LogsRouter.spec.js

@@ -61,7 +61,7 @@ describe_only(() => {
     }).then(fail, response => {
       const body = response.data;
       expect(response.status).toEqual(403);
-      expect(body.error).toEqual('unauthorized: master key is required');
+      expect(body.error).toEqual('Permission denied');
       done();
     });
   });

spec/ParseAPI.spec.js

@@ -1724,7 +1724,7 @@ describe('miscellaneous', () => {
         fail('Should not succeed');
       })
       .catch(response => {
-        expect(response.data.error).toEqual('unauthorized: master key is required');
+        expect(response.data.error).toEqual('Permission denied');
         done();
       });
   });

spec/ParseFile.spec.js

@@ -156,7 +156,7 @@ describe('Parse.File testing', () => {
         }).then(fail, response => {
           const del_b = response.data;
           expect(response.status).toEqual(403);
-          expect(del_b.error).toMatch(/unauthorized/);
+          expect(del_b.error).toBe('Permission denied');
           // incorrect X-Parse-Master-Key header
           request({
             method: 'DELETE',
@@ -169,7 +169,7 @@ describe('Parse.File testing', () => {
           }).then(fail, response => {
             const del_b2 = response.data;
             expect(response.status).toEqual(403);
-            expect(del_b2.error).toMatch(/unauthorized/);
+            expect(del_b2.error).toBe('Permission denied');
             done();
           });
         });
@@ -760,7 +760,7 @@ describe('Parse.File testing', () => {
         url: 'http://localhost:8378/1/files/invalid-id/invalid-file.txt',
       }).catch(e => e);
       expect(res1.status).toBe(403);
-      expect(res1.data).toEqual({ code: 119, error: 'Invalid application ID.' });
+      expect(res1.data).toEqual({ code: 119, error: 'Permission denied' });
       // Ensure server did not crash
       const res2 = await request({ url: 'http://localhost:8378/1/health' });
       expect(res2.status).toEqual(200);

spec/ParseGlobalConfig.spec.js

@@ -233,7 +233,7 @@ describe('a GlobalConfig', () => {
     }).then(fail, response => {
       const body = response.data;
       expect(response.status).toEqual(403);
-      expect(body.error).toEqual('unauthorized: master key is required');
+      expect(body.error).toEqual('Permission denied');
       done();
     });
   });

spec/ParseGraphQLServer.spec.js

@@ -3501,7 +3501,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -3871,7 +3871,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4096,7 +4096,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4137,7 +4137,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
 
@@ -4155,7 +4155,7 @@ describe('ParseGraphQLServer', () => {
             fail('should fail');
           } catch (e) {
             expect(e.graphQLErrors[0].extensions.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-            expect(e.graphQLErrors[0].message).toEqual('unauthorized: master key is required');
+            expect(e.graphQLErrors[0].message).toEqual('Permission denied');
           }
         });
       });
@@ -6081,7 +6081,7 @@ describe('ParseGraphQLServer', () => {
             }
 
             await expectAsync(createObject('GraphQLClass')).toBeRejectedWith(
-              jasmine.stringMatching('Permission denied for action create on class GraphQLClass')
+              jasmine.stringMatching('Permission denied')
             );
             await expectAsync(createObject('PublicClass')).toBeResolved();
             await expectAsync(
@@ -6115,7 +6115,7 @@ describe('ParseGraphQLServer', () => {
                 'X-Parse-Session-Token': user4.getSessionToken(),
               })
             ).toBeRejectedWith(
-              jasmine.stringMatching('Permission denied for action create on class GraphQLClass')
+              jasmine.stringMatching('Permission denied')
             );
             await expectAsync(
               createObject('PublicClass', {

spec/ParseInstallation.spec.js

@@ -176,7 +176,7 @@ describe('Installations', () => {
       .catch(error => {
         expect(error.code).toBe(119);
         expect(error.message).toBe(
-          "Clients aren't allowed to perform the find operation on the installation collection."
+          'Permission denied'
         );
         done();
       });

spec/ParseQuery.Aggregate.spec.js

@@ -77,7 +77,7 @@ describe('Parse.Query Aggregate testing', () => {
     Parse._request('GET', `aggregate/someClass`, {}).then(
       () => {},
       error => {
-        expect(error.message).toEqual('unauthorized: master key is required');
+        expect(error.message).toEqual('Permission denied');
         done();
       }
     );

spec/ParseUser.spec.js

@@ -2661,7 +2661,7 @@ describe('Parse.User testing', () => {
           }).then(fail, response => {
             const b = response.data;
             expect(b.code).toEqual(209);
-            expect(b.error).toBe('Invalid session token');
+            expect(b.error).toBe('Permission denied');
             done();
           });
         });
@@ -3379,7 +3379,7 @@ describe('Parse.User testing', () => {
         done();
       })
       .catch(err => {
-        expect(err.message).toBe("Clients aren't allowed to manually update email verification.");
+        expect(err.message).toBe('Permission denied');
         done();
       });
   });
@@ -4393,7 +4393,7 @@ describe('login as other user', () => {
       done();
     } catch (err) {
       expect(err.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
-      expect(err.data.error).toBe('master key is required');
+      expect(err.data.error).toBe('Permission denied');
     }
 
     const sessionsQuery = new Parse.Query(Parse.Session);

spec/RestQuery.spec.js

@@ -165,9 +165,7 @@ describe('rest query', () => {
       },
       err => {
         expect(err.code).toEqual(Parse.Error.OPERATION_FORBIDDEN);
-        expect(err.message).toEqual(
-          'This user is not allowed to access ' + 'non-existent class: ClientClassCreation'
-        );
+        expect(err.message).toEqual('Permission denied');
         done();
       }
     );
@@ -243,7 +241,7 @@ describe('rest query', () => {
       expectAsync(new Parse.Query('Test').exists('zip').find()).toBeRejectedWith(
         new Parse.Error(
           Parse.Error.OPERATION_FORBIDDEN,
-          'This user is not allowed to query zip on class Test'
+          'Permission denied'
         )
       ),
     ]);