feat: Add requestComplexity.allowRegex option to disable $regex query operator (#10418)
Conversation
No actionable comments were generated in the recent review. 🎉

Recent review info: Configuration used: Organization UI; Review profile: CHILL; Plan: Pro. Files selected for processing (1); files skipped from review due to trivial changes (1).

Walkthrough: Adds an option
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant ParseServer
    participant LiveQueryServer
    participant Database
    Client->>ParseServer: REST query (may contain $regex)
    ParseServer->>ParseServer: lookup requestComplexity.allowRegex
    alt allowRegex === false and not master
        ParseServer->>ParseServer: detect $regex in query
        ParseServer-->>Client: Error INVALID_QUERY ('$regex operator is not allowed')
    else master or allowRegex === true
        ParseServer->>Database: execute query
        Database-->>ParseServer: results
        ParseServer-->>Client: 200 + results
    end
    Client->>LiveQueryServer: subscribe (where may contain $regex)
    LiveQueryServer->>LiveQueryServer: lookup requestComplexity.allowRegex
    alt allowRegex === false and not master
        LiveQueryServer->>LiveQueryServer: traverse where for $regex (including $or/$and/$nor)
        LiveQueryServer-->>Client: Error INVALID_QUERY
    else master or allowRegex === true
        LiveQueryServer->>Database: start subscription
        Database-->>LiveQueryServer: events
        LiveQueryServer-->>Client: real-time events
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: ✅ 2 passed | ❌ 3 failed (2 warnings, 1 inconclusive)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/Controllers/DatabaseController.js`:
- Around line 163-165: The regex-allow check can be bypassed by an empty-string pattern because it relies on truthiness of `query[key].$regex`; update the guard around the block that throws the error to detect the presence of the `$regex` key instead of its truthiness (e.g., use `Object.prototype.hasOwnProperty.call(query[key], '$regex')` or `typeof query[key].$regex !== 'undefined'`) so that when `!isMaster` and `rc && rc.allowRegex === false` and the query contains a `$regex` (even an empty string) the existing `Parse.Error` throw is executed; refer to the `isMaster`/`rc.allowRegex` check and the `query[key].$regex` usage to locate where to change the condition.
ℹ️ Review info: Configuration used: Organization UI; Review profile: CHILL; Plan: Pro; Run ID: fa6027d8-062c-430f-87be-f8281fe5ef14

📒 Files selected for processing (7):
- spec/RequestComplexity.spec.js
- src/Config.js
- src/Controllers/DatabaseController.js
- src/LiveQuery/ParseLiveQueryServer.ts
- src/Options/Definitions.js
- src/Options/docs.js
- src/Options/index.js
…pty-string patterns
Codecov Report: ❌ Patch coverage is

Coverage Diff (alpha vs #10418):

| | alpha | #10418 | +/- |
|---|---|---|---|
| Coverage | 92.50% | 92.49% | -0.02% |
| Files | 192 | 192 | |
| Lines | 16749 | 16770 | +21 |
| Branches | 229 | 234 | +5 |
| Hits | 15494 | 15511 | +17 |
| Misses | 1233 | 1236 | +3 |
| Partials | 22 | 23 | +1 |

☔ View full report in Codecov by Sentry.
# [9.8.0-alpha.11](9.8.0-alpha.10...9.8.0-alpha.11) (2026-04-09)

### Features

* Add `requestComplexity.allowRegex` option to disable `$regex` query operator ([#10418](#10418)) ([18482e3](18482e3))

🎉 This change has been released in version 9.8.0-alpha.11

# [9.8.0](9.7.0...9.8.0) (2026-04-12)

### Bug Fixes

* Bump lodash from 4.17.23 to 4.18.1 ([#10393](#10393)) ([19716ad](19716ad))
* Endpoint `/sessions/me` bypasses `_Session` `protectedFields` ([GHSA-g4v2-qx3q-4p64](GHSA-g4v2-qx3q-4p64)) ([#10406](#10406)) ([d507575](d507575))
* Endpoint `/upgradeToRevocableSession` ignores `_Session` `protectedFields` ([#10408](#10408)) ([c136e2b](c136e2b))
* Endpoints `/login` and `/verifyPassword` ignore `_User` `protectedFields` ([#10409](#10409)) ([8a3db3b](8a3db3b))
* Facebook Standard Login missing app ID validation ([#10429](#10429)) ([fd31159](fd31159))
* File upload Content-Type override via extension mismatch ([GHSA-vr5f-2r24-w5hc](GHSA-vr5f-2r24-w5hc)) ([#10383](#10383)) ([dd7cc41](dd7cc41))
* Login timing side-channel reveals user existence ([GHSA-mmpq-5hcv-hf2v](GHSA-mmpq-5hcv-hf2v)) ([#10398](#10398)) ([531b9ab](531b9ab))
* Maintenance key IP mismatch silently downgrades to regular auth instead of rejecting ([#10391](#10391)) ([7d8b367](7d8b367))
* Master key does not bypass `protectedFields` on various endpoints ([#10412](#10412)) ([c0889c8](c0889c8))
* Nested batch sub-requests cause unclear error ([#10371](#10371)) ([6635096](6635096))
* Session field guard bypass via falsy values for ACL and user fields ([#10382](#10382)) ([ead12bd](ead12bd))
* Streaming file download bypasses afterFind file trigger authorization ([GHSA-hpm8-9qx6-jvwv](GHSA-hpm8-9qx6-jvwv)) ([#10361](#10361)) ([a0b0c69](a0b0c69))

### Features

* Add `requestComplexity.allowRegex` option to disable `$regex` query operator ([#10418](#10418)) ([18482e3](18482e3))
* Add `requestComplexity.subqueryLimit` option to limit subquery results ([#10420](#10420)) ([bf40004](bf40004))
* Add route block with new server option `routeAllowList` ([#10389](#10389)) ([f2d06e7](f2d06e7))
* Add server option `fileDownload` to restrict file download ([#10394](#10394)) ([fc117ef](fc117ef))
* Add support for invoking Cloud Function with `multipart/form-data` protocol ([#10395](#10395)) ([a3f36a2](a3f36a2))

Issue: Add option to disable regex query operator

Tasks

Summary by CodeRabbit
- New Features
- Bug Fixes
- Documentation
- Tests