fix: Rate limit bypass via HTTP method override and batch method spoofing (#10234)

Author: mtrezza

spec/RateLimit.spec.js

@@ -863,6 +863,169 @@ describe('rate limit', () => {
     });
   });
 
+  describe('method override bypass', () => {
+    it('should enforce rate limit when _method override attempts to change POST to GET', async () => {
+      Parse.Cloud.beforeLogin(() => {}, {
+        rateLimit: {
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+        },
+      });
+      await Parse.User.signUp('testuser', 'password');
+      // First login via POST — should succeed
+      const res1 = await request({
+        method: 'POST',
+        headers,
+        url: 'http://localhost:8378/1/login',
+        body: JSON.stringify({ username: 'testuser', password: 'password' }),
+      });
+      expect(res1.data.username).toBe('testuser');
+      // Second login via POST with _method:GET — should still be rate limited
+      const res2 = await request({
+        method: 'POST',
+        headers,
+        url: 'http://localhost:8378/1/login',
+        body: JSON.stringify({ _method: 'GET', username: 'testuser', password: 'password' }),
+      }).catch(e => e);
+      expect(res2.data).toEqual({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+
+    it('should allow _method override with PUT', async () => {
+      await reconfigureServer({
+        rateLimit: [
+          {
+            requestPath: '/classes/Test/*path',
+            requestTimeWindow: 10000,
+            requestCount: 1,
+            requestMethods: 'PUT',
+            errorResponseMessage: 'Too many requests',
+            includeInternalRequests: true,
+          },
+        ],
+      });
+      const obj = new Parse.Object('Test');
+      await obj.save();
+      // Update via POST with _method:PUT — should succeed and count toward rate limit
+      await request({
+        method: 'POST',
+        headers,
+        url: `http://localhost:8378/1/classes/Test/${obj.id}`,
+        body: JSON.stringify({ _method: 'PUT', key: 'value1' }),
+      });
+      // Second update via POST with _method:PUT — should be rate limited
+      const res = await request({
+        method: 'POST',
+        headers,
+        url: `http://localhost:8378/1/classes/Test/${obj.id}`,
+        body: JSON.stringify({ _method: 'PUT', key: 'value2' }),
+      }).catch(e => e);
+      expect(res.data).toEqual({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+
+    it('should allow _method override with DELETE', async () => {
+      await reconfigureServer({
+        rateLimit: [
+          {
+            requestPath: '/classes/Test/*path',
+            requestTimeWindow: 10000,
+            requestCount: 1,
+            requestMethods: 'DELETE',
+            errorResponseMessage: 'Too many requests',
+            includeInternalRequests: true,
+          },
+        ],
+      });
+      const obj1 = new Parse.Object('Test');
+      await obj1.save();
+      const obj2 = new Parse.Object('Test');
+      await obj2.save();
+      // Delete via POST with _method:DELETE — should succeed
+      await request({
+        method: 'POST',
+        headers,
+        url: `http://localhost:8378/1/classes/Test/${obj1.id}`,
+        body: JSON.stringify({ _method: 'DELETE' }),
+      });
+      // Second delete via POST with _method:DELETE — should be rate limited
+      const res = await request({
+        method: 'POST',
+        headers,
+        url: `http://localhost:8378/1/classes/Test/${obj2.id}`,
+        body: JSON.stringify({ _method: 'DELETE' }),
+      }).catch(e => e);
+      expect(res.data).toEqual({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+
+    it('should ignore _method override with non-string type', async () => {
+      await reconfigureServer({
+        rateLimit: [
+          {
+            requestPath: '/classes/*path',
+            requestTimeWindow: 10000,
+            requestCount: 1,
+            requestMethods: 'POST',
+            errorResponseMessage: 'Too many requests',
+            includeInternalRequests: true,
+          },
+        ],
+      });
+      // POST with _method as number — should be ignored and treated as POST
+      const obj = new Parse.Object('Test');
+      await obj.save();
+      const res = await request({
+        method: 'POST',
+        headers,
+        url: 'http://localhost:8378/1/classes/Test',
+        body: JSON.stringify({ _method: 123, key: 'value' }),
+      }).catch(e => e);
+      expect(res.data).toEqual({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+  });
+
+  describe('batch method bypass', () => {
+    it('should enforce POST rate limit on batch sub-requests using GET method for login', async () => {
+      Parse.Cloud.beforeLogin(() => {}, {
+        rateLimit: {
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+        },
+      });
+      await Parse.User.signUp('testuser', 'password');
+      // Batch with 2 login sub-requests using GET — should be rate limited
+      const res = await request({
+        method: 'POST',
+        headers,
+        url: 'http://localhost:8378/1/batch',
+        body: JSON.stringify({
+          requests: [
+            { method: 'GET', path: '/1/login', body: { username: 'testuser', password: 'password' } },
+            { method: 'GET', path: '/1/login', body: { username: 'testuser', password: 'password' } },
+          ],
+        }),
+      }).catch(e => e);
+      expect(res.data).toEqual({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+  });
+
   describe_only(() => {
     return process.env.PARSE_SERVER_TEST_CACHE === 'redis';
   })('with RedisCache', function () {

src/Options/Definitions.js

@@ -489,7 +489,7 @@ module.exports.ParseServerOptions = {
   },
   rateLimit: {
     env: 'PARSE_SERVER_RATE_LIMIT',
-    help: "Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>\u2139\uFE0F Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.",
+    help: "Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>\u2139\uFE0F Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and use case.",
     action: parsers.arrayParser,
     type: 'RateLimitOptions[]',
     default: [],

src/Options/docs.js

@@ -385,7 +385,7 @@ export interface ParseServerOptions {
   /* An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key (`{"key":"..."}`), only a value (`{"value":"..."}`) or a key-value pair (`{"key":"...","value":"..."}`). The specification can use the following types: `boolean`, `numeric` or `string`, where `string` will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.
   :DEFAULT: [{"key":"_bsontype","value":"Code"},{"key":"constructor"},{"key":"__proto__"}] */
   requestKeywordDenylist: ?(RequestKeywordDenylist[]);
-  /* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>ℹ️ Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
+  /* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>ℹ️ Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and use case.
   :DEFAULT: [] */
   rateLimit: ?(RateLimitOptions[]);
   /* Options to customize the request context using inversion of control/dependency injection.*/

src/Options/index.js

@@ -102,6 +102,7 @@ async function handleBatch(router, req) {
       const fakeReq = {
         ip: req.ip || req.config?.ip || '127.0.0.1',
         method: (restRequest.method || 'GET').toUpperCase(),
+        _batchOriginalMethod: 'POST',
         config: req.config,
         auth: req.auth,
         info: req.info,

src/batch.js

@@ -310,7 +310,7 @@ ParseCloud.beforeLogin = function (handler, validationHandler) {
   triggers.addTrigger(triggers.Types.beforeLogin, className, handler, Parse.applicationId);
   if (validationHandler && validationHandler.rateLimit) {
     addRateLimit(
-      { requestPath: `/login`, requestMethods: 'POST', ...validationHandler.rateLimit },
+      { requestPath: `/login`, requestMethods: ['POST', 'GET'], ...validationHandler.rateLimit },
       Parse.applicationId,
       true
     );

src/cloud-code/Parse.Cloud.js

@@ -482,8 +482,10 @@ export function allowCrossDomain(appId) {
 
 export function allowMethodOverride(req, res, next) {
   if (req.method === 'POST' && req.body?._method) {
-    req.originalMethod = req.method;
-    req.method = req.body._method;
+    if (typeof req.body._method === 'string') {
+      req.originalMethod = req.method;
+      req.method = req.body._method;
+    }
     delete req.body._method;
   }
   next();
@@ -626,13 +628,17 @@ export const addRateLimit = (route, config, cloud) => {
           return false;
         }
         if (route.requestMethods) {
+          const methodsToCheck = new Set([request.method]);
+          if (request._batchOriginalMethod) {
+            methodsToCheck.add(request._batchOriginalMethod);
+          }
           if (Array.isArray(route.requestMethods)) {
-            if (!route.requestMethods.includes(request.method)) {
+            if (!route.requestMethods.some(m => methodsToCheck.has(m))) {
               return true;
             }
           } else {
             const regExp = new RegExp(route.requestMethods);
-            if (!regExp.test(request.method)) {
+            if (![...methodsToCheck].some(m => regExp.test(m))) {
               return true;
             }
           }