fix: Use $regex key presence check instead of truthiness to handle empty-string patterns

mtrezza · mtrezza · commit 5d1f3b023909 · 2026-04-09T17:27:43.000+01:00
diff --git a/spec/RequestComplexity.spec.js b/spec/RequestComplexity.spec.js
@@ -657,6 +657,17 @@ describe('request complexity', () => {
       ).toBeResolved();
     });
 
+    it('should reject empty-string $regex when allowRegex is false', async () => {
+      const where = { username: { $regex: '' } };
+      await expectAsync(
+        rest.find(config, auth.nobody(config), '_User', where)
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          message: '$regex operator is not allowed',
+        })
+      );
+    });
+
     it('should allow $regex with maintenance key when allowRegex is false', async () => {
       const where = { username: { $regex: 'test' } };
       await expectAsync(
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -159,7 +159,7 @@ const validateQuery = (
   }
 
   Object.keys(query).forEach(key => {
-    if (query && query[key] && query[key].$regex) {
+    if (query && query[key] && query[key].$regex !== undefined) {
       if (!isMaster && rc && rc.allowRegex === false) {
         throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex operator is not allowed');
       }

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ const validateQuery = (`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`Object.keys(query).forEach(key => {`
`162`		`- if (query && query[key] && query[key].$regex) {`
	`162`	`+ if (query && query[key] && query[key].$regex !== undefined) {`
`163`	`163`	`if (!isMaster && rc && rc.allowRegex === false) {`
`164`	`164`	`throw new Parse.Error(Parse.Error.INVALID_QUERY, '$regex operator is not allowed');`
`165`	`165`	`}`