Merge pull request from GHSA-2479-qvv7-47qq

dplewis · web-flow · commit 8709daf698ea · 2019-06-12T16:12:11.000-05:00
* Failing test

* provide fix

* clearer test

* failing expect
diff --git a/spec/AudienceRouter.spec.js b/spec/AudienceRouter.spec.js
@@ -1,6 +1,7 @@
 const auth = require('../lib/Auth');
 const Config = require('../lib/Config');
 const rest = require('../lib/rest');
+const request = require('../lib/request');
 const AudiencesRouter = require('../lib/Routers/AudiencesRouter')
   .AudiencesRouter;
 
@@ -438,4 +439,28 @@ describe('AudiencesRouter', () => {
         });
     });
   });
+
+  it('should handle _Audience invalid fields via rest', async () => {
+    await reconfigureServer({
+      appId: 'test',
+      restAPIKey: 'test',
+      publicServerURL: 'http://localhost:8378/1',
+    });
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/classes/_Audience',
+        body: { lorem: 'ipsum', _method: 'POST' },
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'test',
+          'Content-Type': 'application/json',
+        },
+      });
+      expect(true).toBeFalsy();
+    } catch (e) {
+      expect(e.data.code).toBe(107);
+      expect(e.data.error).toBe('Could not add field lorem');
+    }
+  });
 });
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -228,9 +228,7 @@ function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields) {
         // @flow-disable-next
         throw new Parse.Error(
           Parse.Error.INVALID_JSON,
-          `'${
-            perms[operation]
-          }' is not a valid value for class level permissions ${operation}`
+          `'${perms[operation]}' is not a valid value for class level permissions ${operation}`
         );
       } else {
         perms[operation].forEach(key => {
@@ -395,6 +393,9 @@ class SchemaData {
     this.__data = {};
     this.__protectedFields = protectedFields;
     allSchemas.forEach(schema => {
+      if (volatileClasses.includes(schema.className)) {
+        return;
+      }
       Object.defineProperty(this, schema.className, {
         get: () => {
           if (!this.__data[schema.className]) {
