test: LiveQuery regex timeout and context isolation are not exploitable

[mtrezza]

Issue

LiveQuery regex timeout and context isolation are not exploitable

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds 114 lines of test cases to spec/QueryTools.spec.js to validate regex timeout protections against catastrophic backtracking, verify default 100ms regexTimeout application, and ensure query isolation without context leakage or cross-contamination across evaluations.

Changes

Cohort / File(s)	Summary
Test Coverage for Regex Timeout Protections spec/QueryTools.spec.js	Adds comprehensive test cases covering: catastrophic backtracking regex termination within configurable regexTimeout bounds, default 100ms regexTimeout verification on liveQuery config updates, shared vmContext isolation between sequential query evaluations, and cross-field regex evaluation isolation with timeout enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• parse-community/parse-server#10118: Introduces regex timeout protections and isolation behaviors in QueryTools that these test cases directly validate.
• parse-community/parse-server#10156: Establishes default 100ms regexTimeout for LiveQuery configuration that the new tests verify is applied correctly.
• parse-community/parse-server#10197: Modifies QueryTools.js safeRegexTest implementation for timeout handling and errors, which these tests complement with comprehensive validation.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is minimal and lacks required template sections like Approach and Tasks checklist.	Complete the PR description using the template: add detailed Approach section explaining the test changes, and include the Tasks checklist with relevant items marked.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title directly and clearly describes the main purpose of the changeset: adding tests to validate that LiveQuery regex timeout protections and context isolation mechanisms cannot be exploited.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

spec/QueryTools.spec.js (1)

1028-1037: Redundant assertion on line 1036.

The assertion expect(config.liveQuery.regexTimeout).toBeGreaterThan(0) is redundant since line 1035 already asserts the value equals 100.

🔧 Suggested fix

   const Config = require('../lib/Config');
   const config = Config.get('test');
   // Default regexTimeout is 100ms, providing ReDoS protection out-of-the-box
   expect(config.liveQuery.regexTimeout).toBe(100);
-  expect(config.liveQuery.regexTimeout).toBeGreaterThan(0);
 });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/QueryTools.spec.js` around lines 1028 - 1037, Remove the redundant
positive-range assertion in the test "applies default regexTimeout of 100ms
protecting against ReDoS (GHSA-qxh4-6wmx-rhg9)": after verifying
config.liveQuery.regexTimeout equals 100 (using Config.get('test') and the local
variable config), delete the extra
expect(config.liveQuery.regexTimeout).toBeGreaterThan(0) assertion so the test
only asserts the single exact value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/QueryTools.spec.js`:
- Around line 1028-1037: Remove the redundant positive-range assertion in the
test "applies default regexTimeout of 100ms protecting against ReDoS
(GHSA-qxh4-6wmx-rhg9)": after verifying config.liveQuery.regexTimeout equals 100
(using Config.get('test') and the local variable config), delete the extra
expect(config.liveQuery.regexTimeout).toBeGreaterThan(0) assertion so the test
only asserts the single exact value.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 79699684-1d06-4a91-97f9-bd6067c02ec0

📥 Commits

Reviewing files that changed from the base of the PR and between eecd953 and 8564eb4.

📒 Files selected for processing (1)

• spec/QueryTools.spec.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.60%. Comparing base (51efb1e) to head (8564eb4).
⚠️ Report is 5 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10226   +/-   ##
=======================================
  Coverage   92.60%   92.60%           
=======================================
  Files         192      192           
  Lines       16322    16322           
  Branches      199      199           
=======================================
  Hits        15115    15115           
  Misses       1190     1190           
  Partials       17       17           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.33