fix: Server crashes due to insufficient schema validation when schema type is not a string

[rgunindi]

Added a type check in mongoFieldToParseSchemaField to ensure type is a string before calling startsWith. This prevents crashes when Parse Server processes MongoDB schema fields with undefined, null, or unexpected type values.

Closes #9847

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

• Link to issue issue

Approach

Tasks

• Add tests

Summary by CodeRabbit

• Bug Fixes

  • Improved schema validation for Mongo-backed storage: invalid or empty field types now produce clear, user-facing errors instead of crashes or TypeErrors.

• Tests

  • Added comprehensive tests covering valid field-type mappings and confirming invalid inputs reliably throw the expected errors.

• Chores

  • Strengthened input guards to reduce ambiguous failures and improve reliability during schema setup and migrations.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an upfront input guard in mongoFieldToParseSchemaField that validates type is a non-empty string and throws Parse.Error(INVALID_SCHEMA_OPERATION) for invalid inputs; introduces unit tests covering valid mappings and invalid/non-string inputs. No public API signatures changed.

Changes

Cohort / File(s)	Summary
Mongo schema field type validation src/Adapters/Storage/Mongo/MongoSchemaCollection.js	Added an input guard at the start of mongoFieldToParseSchemaField that throws Parse.Error with INVALID_SCHEMA_OPERATION and a descriptive message when type is falsy or not a string; existing mapping logic unchanged.
Tests: mongoFieldToParseSchemaField spec/MongoSchemaCollectionAdapter.spec.js	Added tests verifying mappings for many Mongo field types and asserting that invalid inputs (null, undefined, non-string, empty string, numeric, boolean, object, array) throw Parse.Error with code 255 and a message containing "Invalid field type".

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Init as Initializer
  participant MSC as MongoSchemaCollection
  participant Mapper as Mapping logic

  Init->>MSC: mongoFieldToParseSchemaField(type)
  alt type is falsy or not a string
    MSC-->>Init: throw Parse.Error(INVALID_SCHEMA_OPERATION, "Invalid field type: ... Expected a string.")
  else
    MSC->>Mapper: evaluate mapping branches (relation<>, pointer, basic types, arrays, geo, file, bytes, polygon)
    Mapper-->>MSC: return parsed field descriptor
    MSC-->>Init: return parsed field descriptor
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Prevent TypeError by ensuring type is a string before calling startsWith (#9847)	✅
Handle malformed or unexpected schema type values gracefully on startup (#9847)	✅

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8710966 and a882ffe.

📒 Files selected for processing (2)

• spec/MongoSchemaCollectionAdapter.spec.js (1 hunks)
• src/Adapters/Storage/Mongo/MongoSchemaCollection.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• spec/MongoSchemaCollectionAdapter.spec.js
• src/Adapters/Storage/Mongo/MongoSchemaCollection.js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[parseplatformorg]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

src/Adapters/Storage/Mongo/MongoSchemaCollection.js (4)

54-55: Optional: add field context to the error for easier debugging

If we keep throwing inside mongoFieldToParseSchemaField, wrapping this call to append className/fieldName context improves operator UX when boot fails on bad schemas.

-    obj[fieldName] = mongoFieldToParseSchemaField(schema[fieldName]);
+    try {
+      obj[fieldName] = mongoFieldToParseSchemaField(schema[fieldName]);
+    } catch (e) {
+      if (e && e.code != null) {
+        // Preserve code; enrich message
+        e.message = `Invalid field type for "${fieldName}" in class "${schema._id}": ${e.message}`;
+      }
+      throw e;
+    }

---

5-11: Add regression tests for non-string/whitespace input types

To lock this down, please add tests covering:

• type: undefined, null, number, boolean, object, array, function
• type: '' and ' ' (whitespace)
• type: 'number ' (trailing space) → with the trim change, should map to Number; without it, it silently fails

If helpful, I can draft a spec in spec/schemas.spec.js that exercises mongoSchemaFieldsToParseSchemaFields with a mocked schema input.

---

25-47: Add a default case in mongoFieldToParseSchemaField to reject unsupported types

I’ve confirmed that the only call site for mongoFieldToParseSchemaField is within mongoSchemaFieldsToParseSchemaFields, and no code relies on it returning undefined. Failing fast on unrecognized types will surface schema misconfigurations immediately without breaking existing behavior.

• File: src/Adapters/Storage/Mongo/MongoSchemaCollection.js
• Location: inside the switch (type) in mongoFieldToParseSchemaField

Recommended diff:

   switch (type) {
     // …existing cases…
     case 'polygon':
       return { type: 'Polygon' };
+    default:
+      throw new Parse.Error(
+        Parse.Error.INVALID_SCHEMA_OPERATION,
+        `Unsupported field type: "${type}".`
+      );
   }

---

5-13: Tighten type validation and normalize input

Great addition to guard against TypeError. Two optional hardening tweaks:

• Reject empty or whitespace-only strings by using type.trim().
• Trim type before downstream checks so trailing (or leading) spaces can’t sneak through.

Proposed diff in src/Adapters/Storage/Mongo/MongoSchemaCollection.js (lines 5–13):

   // Add type validation to prevent TypeError
-  if (!type || typeof type !== 'string') {
+  if (typeof type !== 'string' || type.trim() === '') {
     throw new Parse.Error(
       Parse.Error.INVALID_SCHEMA_OPERATION,
-      `Invalid field type: ${type}. Expected a string. Field type must be one of: string, number, boolean, date, map, object, array, geopoint, file, bytes, polygon, or a valid relation/pointer format.`
+      `Invalid field type: ${String(type)}. Expected a non-empty string. Field type must be one of: string, number, boolean, date, map, object, array, geopoint, file, bytes, polygon, or a valid relation/pointer format.`
     );
   }
+
+  // Normalize input
+  type = type.trim();

Follow-up question:

• All other “invalid field type” guards (e.g. in SchemaController) use Parse.Error.INCORRECT_TYPE. Should we switch from INVALID_SCHEMA_OPERATION to INCORRECT_TYPE here for consistency?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4b3f10b and 8d90d30.

📒 Files selected for processing (1)

• src/Adapters/Storage/Mongo/MongoSchemaCollection.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/Adapters/Storage/Mongo/MongoSchemaCollection.js (7)

spec/schemas.spec.js (1)

• Parse (3-3)

src/Controllers/SchemaController.js (1)

• Parse (18-18)

src/Adapters/Auth/apple.js (1)

• Parse (48-48)

src/Adapters/Auth/facebook.js (1)

• Parse (62-62)

src/Adapters/Auth/ldap.js (1)

• Parse (77-77)

src/SchemaMigrations/DefinedSchemas.js (1)

• Parse (3-3)

spec/ReadPreferenceOption.spec.js (1)

• Parse (3-3)

[mtrezza]

Please add a test to demonstrate the issue. You experienced this in Parse Server 6, we also want to make sure this bug still exists in PS 8.

[rgunindi]

Please add a test to demonstrate the issue. You experienced this in Parse Server 6, we also want to make sure this bug still exists in PS 8.

@mtrezza
Thanks for the suggestion. I’ve added tests that demonstrate the issue and verified them against also current version ps8.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

spec/MongoSchemaCollectionAdapter.spec.js (2)

3-3: Align Parse import with repo convention to ensure Parse.Error is available

Other specs import Parse via .Parse; this avoids ambiguity with the module export shape and is consistent across the repo.

-const Parse = require('parse/node');
+const Parse = require('parse/node').Parse;

---

101-131: Good coverage of valid type mappings

The table-driven checks for string/number/boolean/date/object/array/geo/file/bytes/polygon/pointer/relation look solid.

Optional: add role-based cases to catch regressions around special classes.

       const testCases = [
         { input: 'string', expected: { type: 'String' } },
@@
         { input: 'relation<_User>', expected: { type: 'Relation', targetClass: '_User' } },
         { input: 'relation<Post>', expected: { type: 'Relation', targetClass: 'Post' } },
+        { input: '*_Role', expected: { type: 'Pointer', targetClass: '_Role' } },
+        { input: 'relation<_Role>', expected: { type: 'Relation', targetClass: '_Role' } },
       ];

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1f9b6fe and f629526.

📒 Files selected for processing (1)

• spec/MongoSchemaCollectionAdapter.spec.js (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
PR: parse-community/parse-server#9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/MongoSchemaCollectionAdapter.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/MongoSchemaCollectionAdapter.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/MongoSchemaCollectionAdapter.spec.js

🧬 Code graph analysis (1)

spec/MongoSchemaCollectionAdapter.spec.js (2)

spec/schemas.spec.js (1)

• Parse (3-3)

src/Controllers/SchemaController.js (1)

• Parse (18-18)

🔇 Additional comments (1)

spec/MongoSchemaCollectionAdapter.spec.js (1)

155-189: The script is running; I’ll review the full implementation once available.

[mtrezza]

Thanks, did you mean that you verified that the bug exists in PS8?

[rgunindi]

Thanks, did you mean that you verified that the bug exists in PS8?

Yes, of course. This bug exists in Ps8.