fix: Cloud Hooks and Cloud Jobs bypass readOnlyMasterKey write restriction (GHSA-vc89-5g3r-cmhh)#10089

Merged
mtrezza merged 1 commit into parse-community:release-8.x.x from mtrezza:fix/cmhh-8.x on Mar 4, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Mar 3, 2026

Pull Request

Issue

Cloud Hooks and Cloud Jobs bypass readOnlyMasterKey write restriction (GHSA-vc89-5g3r-cmhh).

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

  • New Features

    • Implemented read-only master key restrictions preventing creation, modification, and deletion of hooks and job execution. Read-only master keys retain read access to existing hooks.
  • Tests

    • Added comprehensive test coverage validating permission enforcement for read-only master keys across hook and job operations with proper error responses.

@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title from "fix: cmhh 8.x" to "fix: Cmhh 8.x" on Mar 3, 2026
@parse-github-assistant

parse-github-assistant bot commented Mar 3, 2026

🚀 Thanks for opening this pull request!

@coderabbitai

coderabbitai bot commented Mar 3, 2026

📝 Walkthrough

Walkthrough

Introduces read-only masterKey permission validation to prevent hook creation/modification and job execution. Guard clauses in HooksRouter and FunctionsRouter check req.auth.isReadOnly and throw OPERATION_FORBIDDEN errors. Tests verify expected error responses across affected endpoints.

Changes

  • Permission Validation Tests (spec/rest.spec.js): Adds test suite validating read-only masterKey restrictions on hook creation, modification, deletion, and job execution. Verifies error responses contain OPERATION_FORBIDDEN code and error messages, and confirms read operations are allowed.
  • Router Permission Guards (src/Routers/HooksRouter.js, src/Routers/FunctionsRouter.js): Adds read-only masterKey checks to prevent hook creation/modification (HooksRouter) and job execution (FunctionsRouter). Throws sanitized OPERATION_FORBIDDEN errors with descriptive messages when read-only keys attempt restricted operations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title clearly describes the security fix addressing read-only master key bypass vulnerability in Cloud Hooks and Cloud Jobs, directly matching the changeset.
  • Description check: ✅ Passed. PR description is mostly complete with issue identification and tasks checklist, but lacks detailed explanation of changes and approach.

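The walkthrough above describes the fix as a guard clause: every mutating hooks or jobs route checks `req.auth.isReadOnly` and throws `OPERATION_FORBIDDEN`, while read routes keep working for a read-only master key. The following is an added example, not parse-server's own code, that models that guard in a tiny stand-alone router so the difference between "is a master key" and "is a read-only master key" is visible end to end. The `config` object, the in-memory `store`, the helper names (`buildAuth`, `enforceMasterRead`, `enforceMasterWrite`, `handleRequest`) and the key strings are assumptions made for illustration; the route paths and the `{ code, error }` body shape mirror what the PR's tests assert on.

```javascript
'use strict';

// Added example, not parse-server's own code: a minimal model of the guard
// clauses described in the PR walkthrough. Route paths mirror the ones named
// in the PR ('/hooks/functions', '/hooks/triggers', '/jobs/<name>'); the
// config object, the in-memory store and the helper names are assumptions.

const OPERATION_FORBIDDEN = 119; // numeric value of Parse.Error.OPERATION_FORBIDDEN

class ParseError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Derive the auth context from the request headers. A readOnlyMasterKey is
// still a master key (isMaster: true); only the isReadOnly flag differs, which
// is why a route that checks isMaster alone lets read-only keys write.
function buildAuth(headers, config) {
  const key = headers['x-parse-master-key'];
  if (key !== undefined && key === config.masterKey) {
    return { isMaster: true, isReadOnly: false };
  }
  if (key !== undefined && key === config.readOnlyMasterKey) {
    return { isMaster: true, isReadOnly: true };
  }
  return { isMaster: false, isReadOnly: false };
}

// Read routes need a master key of either kind.
function enforceMasterRead(auth) {
  if (!auth.isMaster) {
    throw new ParseError(OPERATION_FORBIDDEN, 'Permission denied');
  }
}

// Write routes additionally reject the read-only variant: this second check
// is the guard the PR adds to HooksRouter and FunctionsRouter.
function enforceMasterWrite(auth) {
  enforceMasterRead(auth);
  if (auth.isReadOnly) {
    throw new ParseError(OPERATION_FORBIDDEN, 'Permission denied');
  }
}

// Constructed in-memory stand-ins for the hook collection and the job registry.
const store = { functions: [], triggers: [], jobRuns: [] };

const routes = [
  { method: 'GET', path: '/hooks/functions',
    run: req => { enforceMasterRead(req.auth); return store.functions; } },
  { method: 'POST', path: '/hooks/functions',
    run: req => { enforceMasterWrite(req.auth); store.functions.push(req.body); return req.body; } },
  { method: 'GET', path: '/hooks/triggers',
    run: req => { enforceMasterRead(req.auth); return store.triggers; } },
  { method: 'POST', path: '/hooks/triggers',
    run: req => { enforceMasterWrite(req.auth); store.triggers.push(req.body); return req.body; } },
  { method: 'POST', path: /^\/jobs\/(.+)$/,
    run: (req, m) => { enforceMasterWrite(req.auth); store.jobRuns.push(m[1]); return { job: m[1], started: true }; } },
];

// Dispatch one request and translate a ParseError into the HTTP body shape the
// PR's tests assert on ({ code, error }); anything else is a programming error.
function handleRequest(config, { method, url, headers = {}, body = {} }) {
  const auth = buildAuth(headers, config);
  for (const route of routes) {
    if (route.method !== method) continue;
    const match = typeof route.path === 'string'
      ? (route.path === url ? [url] : null)
      : url.match(route.path);
    if (!match) continue;
    try {
      return { status: 200, data: route.run({ auth, body }, match) };
    } catch (err) {
      if (err instanceof ParseError) {
        return { status: 403, data: { code: err.code, error: err.message } };
      }
      throw err;
    }
  }
  return { status: 404, data: { error: 'not found' } };
}

// Constructed config; the key strings are placeholders, not real credentials.
const config = { masterKey: 'master-test', readOnlyMasterKey: 'read-only-test' };
const readOnlyHeaders = { 'x-parse-master-key': 'read-only-test' };
const masterHeaders = { 'x-parse-master-key': 'master-test' };

// Usage: a read-only master key trying to create a hook is rejected.
console.log(JSON.stringify(handleRequest(config, {
  method: 'POST', url: '/hooks/functions', headers: readOnlyHeaders,
  body: { functionName: 'f', url: 'http://example.com/f' },
})));
```

The design point worth keeping from this model is that `isReadOnly` is an attribute layered on top of `isMaster`, not a separate, weaker principal. Any route that only asks "is this a master key?" therefore grants full write access to the read-only key, so each mutating endpoint needs the explicit `isReadOnly` check and a matching negative test, which is what the PR's `spec/rest.spec.js` additions cover for hooks and jobs.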

@parseplatformorg
Contributor

Snyk checks have passed. No issues have been found so far.

  • Open Source Security: 0 critical, 0 high, 0 medium, 0 low (0 issues total)


@mtrezza
Member Author

mtrezza commented Mar 3, 2026

@coderabbitai review

@coderabbitai

coderabbitai bot commented Mar 3, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
spec/rest.spec.js (1)

1176-1307: Consider extracting a small request helper for repeated read-only headers/payload setup.

This block has repeated request construction; a helper would reduce duplication and make future endpoint additions easier.

♻️ Optional refactor sketch
+  const readOnlyHeaders = {
+    'X-Parse-Application-Id': Parse.applicationId,
+    'X-Parse-Master-Key': 'read-only-test',
+    'Content-Type': 'application/json',
+  };
+
+  async function expectReadOnlyForbidden({ url, method, body }) {
+    try {
+      await request({ url, method, headers: readOnlyHeaders, body });
+      fail('should have thrown');
+    } catch (res) {
+      expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+      expect(res.data.error).toBe('Permission denied');
+    }
+  }
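Review bot: the `catch (res)` branch (`+    } catch (res) {` followed by `+      expect(res.data.code).toBe(...)`) assumes every rejection is an HTTP response object; if `request` rejects with a plain Error (network failure, unparseable body) the helper dies with a TypeError on `res.data` instead of a readable assertion. Add `expect(res.data).toBeDefined();` before the two `expect` calls, or assert on `res.data && res.data.code`, so a failing endpoint reports what actually went wrong rather than masking it.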
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spec/rest.spec.js` around lines 1176 - 1307, The tests repeat identical
request construction with the same read-only master key headers and JSON body
setup (multiple calls to request({...}) for endpoints like '/hooks/functions',
'/hooks/triggers', '/jobs/readOnlyTestJob'), so extract a small helper (e.g.,
requestWithReadOnlyMasterKey or makeReadOnlyRequest) that wraps request and
injects 'X-Parse-Application-Id', 'X-Parse-Master-Key': 'read-only-test', and
'Content-Type': 'application/json' plus optional method, url, and body; update
the tests (the it blocks that call request({...})) to call this helper to remove
duplication and centralize header/body defaults.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f28ff5 and 64d27d7.

📒 Files selected for processing (3)
  • spec/rest.spec.js
  • src/Routers/FunctionsRouter.js
  • src/Routers/HooksRouter.js

@codecov

codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.59%. Comparing base (9b94083) to head (64d27d7).
⚠️ Report is 3 commits behind head on release-8.x.x.

Additional details and impacted files
@@                Coverage Diff                @@
##           release-8.x.x   #10089      +/-   ##
=================================================
- Coverage          92.61%   92.59%   -0.02%     
=================================================
  Files                191      191              
  Lines              15509    15517       +8     
  Branches             177      177              
=================================================
+ Hits               14363    14368       +5     
- Misses              1134     1137       +3     
  Partials              12       12              

@mtrezza mtrezza changed the title from "fix: Cmhh 8.x" to "fix: Cloud Hooks and Cloud Jobs bypass readOnlyMasterKey write restriction (GHSA-vc89-5g3r-cmhh)" on Mar 4, 2026
@mtrezza mtrezza merged commit 6c79da9 into parse-community:release-8.x.x Mar 4, 2026
24 of 28 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 4, 2026
## [8.6.4](8.6.3...8.6.4) (2026-03-04)

### Bug Fixes

* Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction (GHSA-vc89-5g3r-cmhh) ([#10089](#10089)) ([6c79da9](6c79da9))
@parseplatformorg
Contributor

🎉 This change has been released in version 8.6.4

@parseplatformorg parseplatformorg added the state:released-8.x.x Released as LTS version label Mar 4, 2026
@mtrezza mtrezza deleted the fix/cmhh-8.x branch March 4, 2026 00:23