parse-stack-next 5.5.0 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21be0f771a719c1df464556b7b4757d23266e4446a0636887cbc7b0ca079e3db
-  data.tar.gz: e130b4255384a8fb3b0a1be0e44d6fa8a345ee120851c9596285e44a4c9ec81b
+  metadata.gz: 8fed615f71ab3b45bd9f10e2947c50ebbcba075b15b0a8786f0a269d4e59ebd6
+  data.tar.gz: e9528b3f4bc811cef21494089f6e5eb5aaed43732ddf926a64ccc2a050d8742d
 SHA512:
-  metadata.gz: '008496f006ad4c6026675be14f50be0189e4d64fa8ba1b5102bf781ef85e0d851507c6eb7c3ad3fadb9796e09f983e0609d220e0f580f2589ba0cea1471668c9'
-  data.tar.gz: 1ccb000d645ad338c5cafb98c7d7dbc8610d5cf9ce0c2fac84595c6fb8e6c27dc66c9c14678a834180a1ad57b653f242bb64fe8139383a979921a10a13d84953
+  metadata.gz: 0d1d0ee29e3787585f246e8b006f81aa514bc85732fe32c1c175f5734d60b8fadbf5f2d127f7d7fa6df38e49303e334ad2c31a10d85cb3b7e7f8eba1a1bf836d
+  data.tar.gz: 8c032babfcc42f16327a874d4cbf358ed7aade09157da7e29dd879578454b23cff7e7cbc3e860fec7891c8e43c12b1362778039550bf3371c63786d122fb9ae7

data/CHANGELOG.md

@@ -1,5 +1,150 @@
 ## parse-stack-next Changelog
 
+### 5.5.1
+
+#### Mongo-direct reads inside `Parse.with_session` are now scoped, not master
+
+- **FIXED**: A query that auto-routes to the mongo-direct path because of a
+  direct-only constraint (for example a geo `$near` / `$geoIntersects` query)
+  now honors the ambient session token set by `Parse.with_session(token)`.
+  Previously the mongo-direct auth resolver consulted only the query's own
+  `session_token=` / `scope_to_user` / `scope_to_role` and ignored the
+  fiber-local ambient session, so in server mode it fell through to a
+  master-key read with no ACL/CLP enforcement — returning rows the session was
+  not permitted to see, even though every REST query in the same
+  `with_session` block was correctly scoped. The resolver now mirrors
+  `Parse::Client#request` precedence: an explicit per-query token wins, then
+  the ambient session, then the master-key fallback; an explicit
+  `use_master_key: true` is a deliberate admin call and still skips the
+  ambient. Routing also accepts the ambient on non-master clients
+  (`Parse.client_mode` or a user-scoped client), so such a query runs scoped
+  rather than raising.
+
+#### Boolean property coercion no longer treats the string "false" as true
+
+- **FIXED**: A `:boolean` property assigned a string now coerces via
+  ActiveModel's boolean caster instead of raw Ruby truthiness. Previously the
+  coercion was `val ? true : false`, so the strings `"false"`, `"0"`, and
+  `"off"` — exactly what arrives on a Rails-form or query-string ingestion
+  path — all coerced to `true`, silently flipping a boolean the wrong way (for
+  example an `archived` flag or an application-defined access gate). String
+  forms now map correctly (`"false"`/`"0"`/`"off"` to `false`), a blank string
+  is treated as unset (`nil`), and native booleans from Parse wire JSON pass
+  through unchanged.
+
+#### Deprecation warning for setting ACL via mass-assignment
+
+- **DEPRECATED**: Setting `acl`/`ACL` through mass-assignment
+  (`Parse::Object#attributes=`) now emits a one-time security warning. Mass-
+  assigning an ACL from a caller-supplied hash — for example a controller doing
+  `record.attributes = params` without StrongParameters — lets an attacker
+  grant unintended access by sending an `ACL` key
+  (`{"ACL" => {"*" => {"write" => true}}}`). The behavior is unchanged this
+  release (the ACL is still applied), but the supported path is the explicit
+  `record.acl = ...` setter, and a future release may block ACL mass-assignment.
+  The constructor form `Klass.new(acl: ...)` is unaffected and does not warn.
+
+#### Redis cache values serialized as JSON instead of Marshal
+
+- **FIXED**: `Parse::Cache::Redis` now serializes cached HTTP responses as
+  JSON rather than Marshal. The Moneta-Redis store Marshals values by default,
+  so every cache hit ran `Marshal.load` on the bytes returned by Redis. Against
+  a shared, unauthenticated, or plaintext-`redis://` cache, an attacker able to
+  write the cache could plant a crafted Marshal payload that executed code on
+  deserialization. The wrapper now disables Moneta's value serializer
+  (`value_serializer: nil`) and JSON-encodes/decodes values itself; an
+  undecodable value (including any legacy Marshal entry) is treated as a cache
+  miss rather than deserialized. Cache keys are unchanged. No application code
+  changes are required; existing cached entries are transparently refetched and
+  re-stored in the new format on first access.
+- **FIXED**: The `cache: "redis://..."` shorthand on `Parse::Client.new` /
+  `Parse.setup` now builds a `Parse::Cache::Redis` store instead of a bare
+  `Moneta.new(:Redis, ...)`, so it gets the same JSON value serialization and
+  is not subject to the Marshal deserialization issue above.
+- **CHANGED**: The caching middleware stores response entries with string keys
+  so they round-trip losslessly through the JSON serialization. Reads accept
+  both string and legacy symbol keys.
+- **FIXED**: `Parse::Embeddings::Cache::MonetaStore` now JSON-encodes cached
+  embedding vectors instead of relying on the Moneta store's default Marshal
+  value serializer, closing the same `Marshal.load`-on-read deserialization
+  vector for the embedding cache (whose key is derived from often-user-supplied
+  text). It also emits a one-time warning when handed a Marshal-serializing
+  store and recommends `value_serializer: nil`.
+- **CHANGED**: Documentation for Redis-backed caches, the embedding cache, and
+  the synchronize-create lock store (`Parse.synchronize_create_store`) now
+  builds the Redis store via `Parse::Cache::Redis` or `value_serializer: nil`
+  so a raw `Moneta.new(:Redis, ...)` no longer leaves Marshal on the read path.
+
+#### Internal columns stripped from joined documents on mongo-direct reads
+
+- **FIXED**: `Parse::MongoDB.aggregate` now recursively strips Parse-internal
+  credential columns (`_hashed_password`, `_session_token`, `_auth_data_*`,
+  `_rperm`/`_wperm`, ...) from every result row **and every embedded
+  sub-document** for scoped (non-master) callers. Previously a scoped caller
+  could embed a foreign class (e.g. `_User` or `_Session`) into an arbitrary
+  alias via `$lookup` / `$graphLookup` / `$unionWith` and read back password
+  hashes, OAuth tokens, and session tokens: the per-class `protectedFields`
+  strip is keyed on the outer class, and the ACL sub-document walk only drops
+  ACL-failing sub-documents, so neither covered the aliased foreign document.
+  A new `Parse::PipelineSecurity.redact_internal_fields_deep!` runs as the final
+  redaction step. Structural columns (`_id`, `_p_*`, `_acl`, timestamps) are
+  preserved, so object and ACL reconstruction are unaffected; master-key reads
+  are unchanged.
+
+#### Hardened developer-facing mongo-direct aggregation terminals
+
+- **FIXED**: Credential columns (`_hashed_password`, `_session_token`,
+  `_auth_data_*`, `_email_verify_token`, `_perishable_token`, ...) used as a
+  `$match` field name are now refused **unconditionally** on the mongo-direct
+  path — even on a pipeline running with `allow_internal_fields: true` (the flag
+  that lets SDK-emitted `_rperm`/`_wperm` references through for
+  `readable_by_role` / `publicly_readable`). Previously the `*_direct` terminals
+  (`count_direct`, `results_direct`, `distinct_direct`, the direct group-by
+  helpers) passed `allow_internal_fields: true` unconditionally, so a query
+  whose `where` referenced a credential column compiled into a `$match` key that
+  bypassed the internal-field screen — a count/match oracle that could bisect a
+  bcrypt hash or session token. The ACL columns (`_rperm`/`_wperm`/`_tombstone`)
+  remain gated by `allow_internal_fields`, so `readable_by_role` still works.
+- **FIXED**: `Parse::Query#aggregate` and `#aggregate_from_query` now treat a
+  scoped query (`session_token` / `scope_to_user` / `scope_to_role`) as
+  authoritative over an explicit `mongo_direct: false`. Previously passing
+  `mongo_direct: false` on a scoped aggregation skipped the fail-closed guard
+  and routed to Parse Server's master-key-only REST `/aggregate` endpoint,
+  running the aggregation unscoped (no ACL, CLP, or `protectedFields`). A scoped
+  aggregation now promotes to mongo-direct, or fails closed with
+  `Parse::Query::MongoDirectRequired` when direct Mongo is unavailable; unscoped
+  callers can still opt out to REST with `mongo_direct: false`.
+
+#### Additional hardening
+
+- **FIXED**: Request/response body logging now redacts credentials. At `:debug`
+  level the logging middleware emitted login/signup request bodies (cleartext
+  `password`) and auth response bodies (`sessionToken`, `authData`, MFA
+  secrets); the body path now runs through the same `BodyBuilder.redact`
+  scrubber the header path already used, before truncation.
+- **FIXED**: The `_User` REST endpoints (`fetch_user` / `update_user` /
+  `delete_user`) now validate the `objectId` against
+  `Parse::API::PathSegment.object_id!` before interpolating it into the path,
+  matching the object endpoints. A crafted objectId (e.g. from a compromised
+  server response) can no longer traverse to a different endpoint on a
+  subsequent request.
+- **CHANGED**: `$sessionToken` / `$session_token` (the camelCase forms of the
+  session-token column) are now in `DENIED_FIELD_REFS`, so they cannot be
+  laundered through a `$`-field reference in a pipeline.
+- **IMPROVED**: The internal-collection floor (`_SCHEMA` / `_Hooks` /
+  `_GlobalConfig` / `_Audit` / ...) is now enforced unconditionally on every
+  `$lookup` / `$graphLookup` / `$unionWith` join target in
+  `Parse::ACLScope`, not only when lookup-rewriting runs. This closes a
+  defense-in-depth gap where an internal class whose CLP lookup returned no
+  policy could otherwise have been joinable on the direct path.
+- **IMPROVED**: When the MCP agent server is started on an unauthenticated
+  loopback bind with no Origin/custom-header gate configured, it now defaults
+  to a loopback-only Origin policy. A browser DNS-rebinding attack against
+  `127.0.0.1` carries a non-loopback `Origin` and is refused; native clients
+  (which send no `Origin`) and local browser UIs are unaffected. A one-time
+  warning points operators at `MCP_API_KEY` / `allowed_origins:` /
+  `require_custom_header:` for routable deployments.
+
 ### 5.5.0
 
 #### Multimodal bytes-fetch path with magic-byte MIME verification

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    parse-stack-next (5.5.0)
+    parse-stack-next (5.5.1)
       activemodel (>= 6.1, < 9)
       activesupport (>= 6.1, < 9)
       connection_pool (>= 2.2, < 4)

data/README.md

@@ -628,12 +628,21 @@ If `faraday-net_http_persistent` is not available, Parse Stack automatically fal
 A caching adapter of type `Moneta::Transformer`. Caching queries and object fetches can help improve the performance of your application, even if it is for a few seconds. Only successful `GET` object fetches and queries (non-empty) will be cached. You may set the default expiration time with the `expires` option. See related: [Moneta](https://github.com/minad/moneta). At any point in time you may clear the cache by calling the `clear_cache!` method on the client connection.
 
 ```ruby
-  store = Moneta.new :Redis, url: 'redis://localhost:6379'
+  # Use the bundled Parse::Cache::Redis wrapper for a Redis-backed cache. It
+  # serializes cached responses as JSON (never Marshal): a raw
+  # `Moneta.new(:Redis, ...)` store Marshals values by default, so a cache
+  # read would `Marshal.load` bytes from Redis — an RCE vector if that Redis
+  # is shared, unauthenticated, or reachable over a plaintext `redis://` MITM.
+  store = Parse::Cache::Redis.new(url: 'redis://localhost:6379')
    # use a Redis cache store with an automatic expire of 10 seconds.
   Parse.setup(cache: store, expires: 10, ...)
 ```
 
-As a shortcut, if you are planning on using REDIS and have configured the use of `redis` in your `Gemfile`, you can just pass the REDIS connection string directly to the cache option.
+If you supply your own raw `Moneta.new(:Redis, ...)` store instead of the
+wrapper, build it with `value_serializer: nil` to keep Marshal off the cache
+read path.
+
+As a shortcut, if you are planning on using REDIS and have configured the use of `redis` in your `Gemfile`, you can just pass the REDIS connection string directly to the cache option. The string form builds a `Parse::Cache::Redis` wrapper for you, so it is JSON-serialized and safe by default.
 
 ```ruby
   Parse.setup(cache: 'redis://localhost:6379', ...)
@@ -5342,7 +5351,11 @@ If you are already have setup a client that is being used by your defined models
 For high traffic applications that may be performing several server tasks on similar objects, you may utilize request caching. Caching is provided by a the `Parse::Middleware::Caching` class which utilizes a [Moneta store](https://github.com/minad/moneta) object to cache GET url requests that have allowable status codes (ex. HTTP 200, etc). The cache entry for the url will be removed when it is either considered expired (based on the `expires` option) or if a non-GET request is made with the same url. Using this feature appropriately can dramatically reduce your API request usage.
 
 ```ruby
-store = Moneta.new :Redis, url: 'redis://localhost:6379'
+# Parse::Cache::Redis serializes cached responses as JSON, not Marshal — a raw
+# Moneta.new(:Redis) store Marshals values by default and a cache read would
+# Marshal.load Redis bytes (RCE if the cache is shared/untrusted). Prefer the
+# wrapper; if you supply a raw Moneta-Redis store, pass value_serializer: nil.
+store = Parse::Cache::Redis.new(url: 'redis://localhost:6379')
  # use a Redis cache store with an automatic expire of 10 seconds.
 Parse.setup(cache: store, expires: 10, ...)
 

data/docs/atlas_vector_search_guide.md

@@ -353,7 +353,11 @@ layer shared across processes, wrap any Moneta-compatible backend in
 the bundled adapter:
 
 ```ruby
-moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"])
+# Build the Moneta store with value_serializer: nil. MonetaStore JSON-encodes
+# vectors itself; without value_serializer: nil, Moneta would additionally
+# Marshal the values, and a cache read would Marshal.load bytes from a shared
+# Redis — an RCE vector if that Redis is untrusted or MITM'd over redis://.
+moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"], value_serializer: nil)
 Parse::Embeddings::Cache.enable!(
   store: Parse::Embeddings::Cache::MonetaStore.new(moneta, ttl: 30 * 24 * 3600),
 )

data/lib/parse/acl_scope.rb

@@ -336,6 +336,17 @@ module Parse
         return if target.nil?
         target_str = target.to_s
         return if target_str.empty?
+        # RT-7 / NEW-4: hard internal-collection floor FIRST, independent of
+        # CLP. This must run on EVERY join target on the direct
+        # Parse::MongoDB.aggregate path. LookupRewriter.auto_rewrite (the other
+        # caller of assert_collection_allowed!) is skipped when rewrite_lookups
+        # is off or the root class can't be resolved, so relying on it alone
+        # leaves a gap: an internal collection (`_SCHEMA`/`_Hooks`/`_Audit`/
+        # `_GlobalConfig`/...) whose CLP fetch returns :no_clp would pass the
+        # permits? check below. The floor refuses those outright while still
+        # admitting the SDK data classes (`_User`/`_Role`/`_Installation`/
+        # `_Session`), which then face the per-scope CLP `find` gate.
+        Parse::PipelineSecurity.assert_collection_allowed!(target_str)
         return if Parse::CLPScope.permits?(target_str, :find, perms)
         raise Parse::CLPScope::Denied.new(
           target_str, :find,

data/lib/parse/agent/mcp_rack_app.rb

@@ -4,6 +4,7 @@
 require "json"
 require "securerandom"
 require "digest"
+require "uri"
 require_relative "errors"
 require_relative "mcp_dispatcher"
 require_relative "mcp_subscriptions"
@@ -320,6 +321,7 @@ module Parse
                      pre_auth_rate_limiter: nil,
                      allowed_origins: nil,
                      require_custom_header: nil,
+                     loopback_csrf_default: false,
                      resource_subscriptions: false,
                      subscription_manager: nil,
                      notifications: nil,
@@ -376,6 +378,16 @@ module Parse
         @pre_auth_rate_limiter      = pre_auth_rate_limiter
         @allowed_origins            = normalize_allowed_origins(allowed_origins)
         @required_custom_header     = normalize_required_custom_header(require_custom_header)
+        # NEW-9: when no explicit allowed_origins / require_custom_header CSRF
+        # gate is configured but the server was started on an unauthenticated
+        # loopback bind, default to a loopback-only Origin policy. A browser
+        # DNS-rebinding attack against 127.0.0.1 always carries an `Origin`
+        # header (the attacker page's origin), so refusing any present
+        # non-loopback Origin closes that vector — while native clients (curl,
+        # SDK-to-SDK) send NO Origin and stay allowed, and a legitimate local
+        # browser UI sends a loopback Origin and is allowed. Ignored when an
+        # explicit allowlist is configured (operator owns the policy then).
+        @loopback_csrf_default      = loopback_csrf_default && @allowed_origins.nil?
         @health_path                = health_path.is_a?(String) && !health_path.empty? ? health_path : nil
         # Per-app registry of in-flight cancellable requests. Keyed by
         # [correlation_id, request_id]. A `notifications/cancelled` POST
@@ -660,12 +672,9 @@ module Parse
         #     Missing/empty `Origin` is allowed regardless — native
         #     clients (curl, SDK-to-SDK) shouldn't be broken by a
         #     CSRF defense aimed at browsers.
-        if @allowed_origins
-          origin = env["HTTP_ORIGIN"].to_s.strip
-          unless origin.empty? || origin_allowed?(origin)
-            @logger&.warn("[Parse::Agent::MCPRackApp] Origin refused: #{origin.inspect}")
-            return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
-          end
+        if origin_refused?(env)
+          @logger&.warn("[Parse::Agent::MCPRackApp] Origin refused: #{env["HTTP_ORIGIN"].to_s.strip.inspect}")
+          return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
         end
 
         # 2c. Required custom header (CSRF defense-in-depth). A header
@@ -1051,14 +1060,11 @@ module Parse
           return [400, json_headers, [json_rpc_error(-32_600, "Missing or invalid Mcp-Session-Id")]]
         end
 
-        # The origin allowlist (when configured) guards the listening stream
-        # the same way it guards POST — a browser-driven cross-origin GET to
-        # an SSE endpoint is the analogous CSRF surface.
-        if @allowed_origins
-          origin = env["HTTP_ORIGIN"].to_s.strip
-          unless origin.empty? || origin_allowed?(origin)
-            return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
-          end
+        # The origin policy (when configured, or the loopback default) guards
+        # the listening stream the same way it guards POST — a browser-driven
+        # cross-origin GET to an SSE endpoint is the analogous CSRF surface.
+        if origin_refused?(env)
+          return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
         end
 
         # Owner-binding: only the principal that established this session (or,
@@ -2119,6 +2125,39 @@ module Parse
       # `@allowed_origins`. Comparison is case-insensitive on host and
       # scheme. Wildcard via leading `.` matches subdomains:
       # `.example.com` matches `app.example.com` and `example.com`.
+      # Single chokepoint for the Origin CSRF gate, shared by the POST and
+      # listening-stream paths. A missing/empty Origin (native clients: curl,
+      # SDK-to-SDK) is always allowed — the CSRF surface is browser-only, and
+      # browsers always send an Origin on cross-origin requests. When an
+      # explicit allowlist is configured it wins; otherwise the loopback
+      # default (NEW-9) refuses any present non-loopback Origin.
+      def origin_refused?(env)
+        origin = env["HTTP_ORIGIN"].to_s.strip
+        return false if origin.empty?
+        if @allowed_origins
+          !origin_allowed?(origin)
+        elsif @loopback_csrf_default
+          !origin_is_loopback?(origin)
+        else
+          false
+        end
+      end
+
+      # True when `origin`'s host is a loopback address (any scheme/port).
+      # Closes browser DNS-rebinding on an unauthenticated loopback bind: the
+      # attacker page's Origin (e.g. http://evil.example) is not loopback and
+      # is refused, while a real local UI on http://localhost:<port> passes.
+      def origin_is_loopback?(origin)
+        host = begin
+          URI.parse(origin).host
+        rescue URI::InvalidURIError, StandardError
+          nil
+        end
+        return false if host.nil?
+        host = host.downcase.delete_prefix("[").delete_suffix("]") # unwrap IPv6 brackets
+        host == "localhost" || host == "127.0.0.1" || host == "::1"
+      end
+
       def origin_allowed?(origin)
         return false unless @allowed_origins
         normalized = origin.downcase

data/lib/parse/agent/mcp_server.rb

@@ -162,11 +162,30 @@ module Parse
         # pre_auth_rate_limiter: closes NEW-MCP-6 — runs before the factory
         # is invoked so an empty or malformed body can't amplify into a
         # Parse Server round-trip.
+        # NEW-9: on an unauthenticated loopback dev bind with no explicit CSRF
+        # gate configured, enable a loopback-only Origin policy by default to
+        # mitigate browser DNS-rebinding (a malicious page resolving a hostname
+        # to 127.0.0.1 and POSTing to the agent). The attacker page always
+        # carries a non-loopback Origin and is refused; native (no-Origin)
+        # clients and real local browser UIs are unaffected. Skipped when an
+        # API key is set (auth already gates) or the operator configured the
+        # Origin/custom-header gates themselves.
+        loopback_csrf_default =
+          LOOPBACK_HOSTS.include?(host.to_s) && @api_key.to_s.empty? &&
+          allowed_origins.nil? && require_custom_header.nil?
+        if loopback_csrf_default
+          warn "[Parse::Agent::MCPServer] Binding #{host}:#{port} without an API key. " \
+               "Enabling a loopback-only Origin policy to mitigate browser DNS-rebinding. " \
+               "For anything beyond local single-user dev set MCP_API_KEY (or pass api_key:), " \
+               "and/or configure allowed_origins:/require_custom_header:."
+        end
+
         @rack_app = MCPRackApp.new(
           agent_factory: method(:agent_factory),
           pre_auth_rate_limiter: pre_auth_rate_limiter,
           allowed_origins: allowed_origins,
           require_custom_header: require_custom_header,
+          loopback_csrf_default: loopback_csrf_default,
         )
       end
 

data/lib/parse/api/path_segment.rb

@@ -45,6 +45,37 @@ module Parse
         s
       end
 
+      # Parse objectId pattern: 1–40 alphanumerics. Parse Server generates
+      # 10-char alphanumeric ids; the cap is generous to allow custom ids
+      # while still refusing path-traversal (`/`, `.`, `..`) and query
+      # injection (`?`, `&`, `=`). Mirrors Parse::API::Objects::OBJECT_ID_PATTERN.
+      OBJECT_ID_PATTERN = /\A[A-Za-z0-9]{1,40}\z/.freeze
+
+      # Validate a Parse objectId used in a REST path (`users/<id>`,
+      # `classes/<Class>/<id>`) and return it unchanged. Refuses anything that
+      # could traverse to a different endpoint or smuggle a query string when
+      # interpolated raw — e.g. a hostile/compromised Parse Server returning a
+      # crafted `objectId` like `../classes/_User?where=...` on a prior
+      # response that then rides the next fetch/update/delete with whatever
+      # credentials the call is authorized to send.
+      #
+      # @param value the objectId to validate (anything responding to `to_s`).
+      # @param kind [String] human-readable name for error messages.
+      # @return [String] the validated objectId.
+      # @raise [ArgumentError] if blank or it fails the pattern.
+      def object_id!(value, kind: "objectId")
+        s = value.to_s
+        if s.empty?
+          raise ArgumentError, "#{kind} must not be empty"
+        end
+        unless OBJECT_ID_PATTERN.match?(s)
+          raise ArgumentError,
+            "#{kind} #{s.inspect} contains characters not allowed in a Parse " \
+            "objectId. Must match /\\A[A-Za-z0-9]{1,40}\\z/."
+        end
+        s
+      end
+
       # Parse trigger className pattern: a normal identifier, OR one of Parse
       # Server's `@`-prefixed pseudo-classes (`@File` for file triggers,
       # `@Connect` for the connection-global LiveQuery trigger). The optional

data/lib/parse/api/users.rb

@@ -26,6 +26,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def fetch_user(id, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         request :get, "#{USER_PATH_PREFIX}/#{id}", headers: headers, opts: opts
       end
 
@@ -74,6 +75,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def update_user(id, body = {}, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         response = request :put, "#{USER_PATH_PREFIX}/#{id}", body: body, headers: headers, opts: opts
         response.parse_class = Parse::Model::CLASS_USER
         response
@@ -98,6 +100,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def delete_user(id, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         request :delete, "#{USER_PATH_PREFIX}/#{id}", headers: headers, opts: opts
       end
 

data/lib/parse/cache/redis.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "moneta"
+require "json"
 require_relative "pool"
 
 module Parse
@@ -82,6 +83,20 @@ module Parse
         # session-scoped REST responses outlive their token's
         # validity. Callers can still pass `expires: false` to opt out.
         merged_options = { expires: true }.merge(moneta_options)
+        # SECURITY: disable Moneta's value serializer so cached values are NOT
+        # Marshal-encoded. We JSON-(de)serialize values ourselves in #store /
+        # #[] (see #encode_value / #decode_value). The default Moneta-Redis
+        # value serializer is Marshal, which would `Marshal.load` whatever
+        # bytes come back from Redis on every cache hit — an arbitrary-code-
+        # execution primitive if the Redis cache is shared, unauthenticated,
+        # or reachable through a plaintext `redis://` MITM. Forcing nil here
+        # (overriding any caller-supplied `value_serializer:`/`serializer:`)
+        # keeps that gadget-deserialization vector closed regardless of how
+        # the wrapper is configured. Keys keep the default (:marshal) encoding:
+        # they are only ever written and SCAN/DEL-compared as opaque strings,
+        # never `Marshal.load`ed from Redis content, so they are not a
+        # deserialization vector.
+        merged_options = merged_options.merge(value_serializer: nil)
         @moneta_options = merged_options
         @closed = false
         @pool = Pool.new(size: pool_size, timeout: pool_timeout) do
@@ -90,7 +105,7 @@ module Parse
       end
 
       def [](key)
-        @pool[key]
+        decode_value(@pool[key])
       end
 
       def key?(key)
@@ -102,15 +117,18 @@ module Parse
       end
 
       def store(key, value, options = {})
-        @pool.store(key, value, options)
+        @pool.store(key, encode_value(value), options)
       end
 
       # Atomic SETNX. Required so `Parse::CreateLock` can acquire
       # cross-process locks when this wrapper is the configured cache /
       # `synchronize_create_store`. Returns `true` only when the key did
-      # not already exist.
+      # not already exist. The value goes through the same JSON encoding
+      # as {#store} so a later {#[]} read round-trips instead of decoding
+      # to nil. (Parse::LockBackend never hits this path on this wrapper —
+      # it prefers the raw-Redis {#lock_acquire}/{#lock_release} pair.)
       def create(key, value, options = {})
-        @pool.create(key, value, options)
+        @pool.create(key, encode_value(value), options)
       end
 
       # Atomic counter increment. Forwarded for Moneta surface parity.
@@ -135,14 +153,14 @@ module Parse
       # Atomically acquire a lock: SET key=owner only if absent, with a
       # native expiry. Used by {Parse::LockBackend} for {Parse::Lock} and
       # {Parse::CreateLock}. Deliberately bypasses Moneta's `create` —
-      # `Moneta.new(:Redis)` marshals BOTH keys and values, so a raw-Redis
-      # compare-and-delete on the marshaled blob would be fragile and
-      # coupled to Moneta's serializer config. Routing acquire AND release
-      # through plain-string raw Redis here keeps one consistent encoding
-      # across both ends of the lock and makes the keys human-inspectable
-      # in Redis (`parse-stack:lock:v1:<digest>`). Lock keys are
+      # `Moneta.new(:Redis)` marshals keys (and, by default, values), so a
+      # raw-Redis compare-and-delete on a Moneta-encoded blob would be
+      # fragile and coupled to Moneta's serializer config. Routing acquire
+      # AND release through plain-string raw Redis here keeps one consistent
+      # encoding across both ends of the lock and makes the keys human-
+      # inspectable in Redis (`parse-stack:lock:v1:<digest>`). Lock keys are
       # short-lived (TTL ≤ 30s) so there is no migration concern when a
-      # deploy flips between the Moneta-encoded and raw-encoded paths.
+      # deploy flips encodings.
       #
       # @param key [String] plain-string lock key.
       # @param owner [String] unique-per-acquisition owner token.
@@ -222,6 +240,32 @@ module Parse
 
       private
 
+      # Serialize a cache value to a JSON String before handing it to Moneta
+      # (which stores it raw, since the value serializer is disabled — see the
+      # constructor). JSON is used instead of Marshal so the read side never
+      # `Marshal.load`s attacker-influenced Redis bytes. Cache values written
+      # by the caching middleware are `{ "headers" => ..., "body" => ... }`
+      # hashes of strings, which round-trip losslessly through JSON.
+      def encode_value(value)
+        JSON.generate(value)
+      end
+
+      # Decode a JSON String read back from Moneta/Redis. Returns nil on a
+      # miss or on any value that is not valid JSON — most importantly, legacy
+      # Marshal-encoded entries written before this wrapper switched to JSON.
+      # Treating an undecodable value as a miss makes the caller refetch and
+      # re-store it in the JSON format, and ensures a hostile non-JSON blob can
+      # at worst yield a cache miss, never a deserialized Ruby object graph.
+      def decode_value(raw)
+        return nil if raw.nil?
+        JSON.parse(raw)
+      rescue JSON::ParserError, EncodingError, TypeError
+        # ParserError covers malformed and hostile-depth JSON
+        # (JSON::NestingError subclasses it); TypeError covers a
+        # non-String blob from a misconfigured store. All are misses.
+        nil
+      end
+
       def delete_keys_matching!(pattern)
         @pool.pool.with do |store|
           redis = backend_client(store)

data/lib/parse/client/caching.rb

@@ -190,8 +190,13 @@ module Parse
               body = cache_data.respond_to?(:body) ? cache_data.body : nil
               response_headers = cache_data.response_headers || {}
             elsif cache_data.is_a?(Hash)
-              body = cache_data[:body]
-              response_headers = cache_data[:headers] || {}
+              # New entries are stored with string keys so they survive a
+              # JSON round-trip (the Redis cache wrapper serializes values as
+              # JSON, not Marshal — see Parse::Cache::Redis). Fall back to
+              # symbol keys for legacy in-memory / Marshal-backed entries
+              # written before that switch.
+              body = cache_data["body"] || cache_data[:body]
+              response_headers = cache_data["headers"] || cache_data[:headers] || {}
             end
 
             if cache_data.present? && body.present?
@@ -244,8 +249,12 @@ module Parse
              response_env.body.present? && response_env.response_headers[CONTENT_LENGTH_KEY].to_i.between?(20, 1_250_000)
             store_start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
             begin
+              # Store with string keys (and a plain Hash of headers) so the
+              # value round-trips losslessly through the Redis cache wrapper's
+              # JSON serialization. The read path above reads string keys first
+              # with a symbol-key fallback for legacy entries.
               @store.store(@cache_key,
-                           { headers: response_env.response_headers, body: response_env.body },
+                           { "headers" => response_env.response_headers.to_h, "body" => response_env.body },
                            expires: @expires)
               duration_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - store_start) * 1000.0).round(3)
               instrument_cache(:store, method: method, url_path: url_path, duration_ms: duration_ms)

data/lib/parse/client/logging.rb

@@ -186,6 +186,15 @@ module Parse
             end
           end
 
+        # Scrub credentials before logging. At :debug level this method emits
+        # both the request body (login/signup carries a cleartext `password`)
+        # and the response body (auth responses carry a fresh `sessionToken`,
+        # `authData`, and MFA secrets). `log_headers` already redacts headers;
+        # the body path must use the same canonical scrubber or it leaks live
+        # credentials to anyone with log access. Redact BEFORE the length cap
+        # so truncation can't split a token across the boundary and slip past.
+        content = Parse::Middleware::BodyBuilder.redact(content)
+
         if content.length > max_length
           logger.debug "  [#{prefix} Body] #{content[0...max_length]}... (truncated, #{content.length} total)"
         elsif content.length > 0

data/lib/parse/client.rb

@@ -716,10 +716,26 @@ module Parse
             warn "[Parse::Client] Cache store provided but :expires is not set or is 0. " \
                  "Caching will be disabled. Set :expires to enable caching (e.g., expires: 10)."
           else
-            # advanced: provide a REDIS url, we'll configure a Moneta Redis store.
+            # advanced: provide a REDIS url, we'll configure a Redis store.
             if opts[:cache].is_a?(String) && opts[:cache].starts_with?("redis://")
               begin
-                opts[:cache] = Moneta.new(:Redis, url: opts[:cache])
+                # Eagerly load the redis adapter so a missing `redis` gem
+                # fails fast here (at setup) with the friendly hint below,
+                # rather than deferring to the first cache access — the
+                # Parse::Cache::Redis pool builds its Moneta-Redis backends
+                # lazily, so without this the LoadError would surface later.
+                require "moneta/adapters/redis"
+                # Route through Parse::Cache::Redis rather than a bare
+                # `Moneta.new(:Redis, ...)`. SECURITY: the Moneta-Redis store
+                # Marshals values by default, so every cache hit would
+                # `Marshal.load` whatever bytes come back from Redis — an
+                # arbitrary-code-execution primitive if the cache is shared,
+                # unauthenticated, or reachable over a plaintext `redis://`
+                # MITM. The wrapper forces `value_serializer: nil` and
+                # JSON-(de)serializes cached values itself, closing that
+                # deserialization vector on this shorthand the same way an
+                # explicitly-constructed wrapper does.
+                opts[:cache] = Parse::Cache::Redis.new(url: opts[:cache])
               rescue LoadError
                 puts "[Parse::Middleware::Caching] Did you forget to load the redis gem (Gemfile)?"
                 raise

data/lib/parse/embeddings/cache.rb

@@ -3,6 +3,7 @@
 
 require "digest"
 require "monitor"
+require "json"
 
 module Parse
   module Embeddings
@@ -89,14 +90,25 @@ module Parse
       # shared across processes:
       #
       #   require "moneta"
-      #   moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"])
+      #   moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"], value_serializer: nil)
       #   Parse::Embeddings::Cache.enable!(
       #     store: Parse::Embeddings::Cache::MonetaStore.new(moneta, ttl: 30 * 24 * 3600),
       #   )
       #
       # Keys are namespaced (`emb:` by default) so the entries are
-      # recognizable next to other application keys; values are the
-      # raw vector Arrays (Moneta's own serializer handles encoding).
+      # recognizable next to other application keys; values are
+      # JSON-encoded vector Arrays (see {#get}/{#set}).
+      #
+      # SECURITY — build the Moneta store with `value_serializer: nil`
+      # (as above). Moneta's default value serializer is Marshal, so a
+      # cache read would `Marshal.load` whatever bytes are in the backing
+      # store — an arbitrary-code-execution primitive if that store is
+      # shared, unauthenticated, or reachable over a plaintext `redis://`
+      # MITM, and the cache key is derived from (often user-supplied)
+      # embedded text. `MonetaStore` JSON-(de)serializes values itself, but
+      # that only closes the vector IF Moneta is not also Marshaling on top;
+      # `value_serializer: nil` ensures it is not. `MonetaStore` emits a
+      # one-time warning if it is handed a Marshal-serializing store.
       # TTL is forwarded via Moneta's `expires:` option when the
       # backend supports it, ignored otherwise.
       #
@@ -121,6 +133,13 @@ module Parse
                   "Parse::Embeddings::Cache::MonetaStore expects a Moneta-compatible " \
                   "store responding to #[] and #[]= (got #{moneta.class})."
           end
+          if marshaling_value_store?(moneta)
+            warn "[Parse::Embeddings::Cache::MonetaStore] SECURITY: the supplied Moneta " \
+                 "store deserializes values with Marshal. A cache read Marshal.loads bytes " \
+                 "from the backing store, which is a remote-code-execution vector when the " \
+                 "store is shared/untrusted. Rebuild it with value_serializer: nil, e.g. " \
+                 "Moneta.new(:Redis, url: ..., value_serializer: nil)."
+          end
           @moneta = moneta
           @ttl = ttl && Float(ttl)
           @namespace = namespace.to_s
@@ -128,8 +147,7 @@ module Parse
 
         # @return [Array<Float>, nil]
         def get(key)
-          value = @moneta[@namespace + key]
-          value.is_a?(Array) ? value : nil
+          decode_vector(@moneta[@namespace + key])
         rescue StandardError
           nil
         end
@@ -137,23 +155,57 @@ module Parse
         # @return [Array<Float>] the vector, unchanged.
         def set(key, vector)
           k = @namespace + key
+          encoded = encode_vector(vector)
           if @ttl && @moneta.respond_to?(:store)
             begin
-              @moneta.store(k, vector, expires: @ttl)
+              @moneta.store(k, encoded, expires: @ttl)
             rescue ArgumentError
               # Hash-like backends define #store(key, value) with no
               # options arg, so the expires: form raises ArgumentError.
               # Fall back to a plain write (no expiry) rather than letting
               # the fail-open rescue below silently drop every vector.
-              @moneta[k] = vector
+              @moneta[k] = encoded
             end
           else
-            @moneta[k] = vector
+            @moneta[k] = encoded
           end
           vector
         rescue StandardError
           vector
         end
+
+        private
+
+        # Vectors are JSON-encoded here rather than left to the Moneta
+        # store's own (Marshal-by-default) value serializer. Combined with a
+        # store built with `value_serializer: nil`, this keeps Marshal off
+        # the read path entirely: a JSON parse of attacker-influenced backing-
+        # store bytes can at worst yield inert data or raise — never a
+        # deserialized Ruby gadget object graph (RCE-if-cache-compromised).
+        # Embedding vectors are Array<Float>, which round-trips losslessly
+        # through JSON.
+        def encode_vector(vector)
+          JSON.generate(vector)
+        end
+
+        def decode_vector(raw)
+          return raw if raw.is_a?(Array) # legacy/non-serializing store entry
+          return nil if raw.nil?
+          parsed = JSON.parse(raw)
+          parsed.is_a?(Array) ? parsed : nil
+        rescue JSON::ParserError, TypeError, EncodingError
+          nil
+        end
+
+        # Best-effort detection of a Moneta store that serializes VALUES with
+        # Marshal. Moneta names its transformer proxy after the active
+        # serializers (e.g. "...MarshalValue"); a store built with
+        # value_serializer: nil has no "...Value" segment. Used only to warn.
+        def marshaling_value_store?(moneta)
+          moneta.class.name.to_s.include?("MarshalValue")
+        rescue StandardError
+          false
+        end
       end
 
       MONITOR = Monitor.new

data/lib/parse/model/core/properties.rb

@@ -79,11 +79,33 @@ module Parse
     CORE_FIELDS = { id: :string, created_at: :date, updated_at: :date, acl: :acl }.freeze
     # The delete operation hash.
     DELETE_OP = { "__op" => "Delete" }.freeze
+    # Shared stateless boolean caster used by {#format_value}. One instance
+    # for the process lifetime — `cast` only consults a frozen FALSE_VALUES
+    # set, so reuse is thread-safe.
+    BOOLEAN_CASTER = ActiveModel::Type::Boolean.new.freeze
     # @!visibility private
     def self.included(base)
       base.extend(ClassMethods)
     end
 
+    # Process-once deprecation warning emitted when an ACL is set through
+    # mass-assignment (`Parse::Object#attributes=`). Setting ACL this way is
+    # still permitted in this release for backward compatibility, but is a
+    # mass-assignment foot-gun (a caller-supplied params hash bearing an
+    # `ACL` key can grant public write). A future release may block it; the
+    # supported path is the explicit `obj.acl =` setter. One-time so loops
+    # over many records do not spam the log.
+    # @!visibility private
+    def self.warn_acl_mass_assignment_once!
+      return if @acl_mass_assignment_warned
+      @acl_mass_assignment_warned = true
+      warn "[Parse::Stack:SECURITY] Setting `acl`/`ACL` via mass-assignment " \
+           "(Parse::Object#attributes=) is deprecated and may be blocked in a " \
+           "future release. A caller-supplied params hash bearing an ACL key can " \
+           "grant unintended access — filter input with StrongParameters and set " \
+           "ACL via the explicit `obj.acl = ...` setter instead."
+    end
+
     # The class methods added to Parse::Objects
     module ClassMethods
 
@@ -723,6 +745,17 @@ module Parse
     # @return (see #apply_attributes!)
     def attributes=(hash)
       return unless hash.is_a?(Hash)
+      # `acl`/`ACL` is still accepted here (a user-facing property), but
+      # mass-assigning an ACL from a caller-supplied hash — e.g. a Rails
+      # controller doing `record.attributes = params` without
+      # StrongParameters — lets an attacker grant themselves write by
+      # sending `{"ACL" => {"*" => {"write" => true}}}`. Warn (once) so the
+      # foot-gun is visible; callers should set ACL via the explicit
+      # `obj.acl =` setter. The constructor path (`Klass.new(acl:)`) calls
+      # apply_attributes! directly and is intentionally not warned.
+      if hash.key?("ACL") || hash.key?("acl") || hash.key?(:ACL) || hash.key?(:acl)
+        Parse::Properties.warn_acl_mass_assignment_once!
+      end
       # - [:id, :objectId]
       # only overwrite @id if it hasn't been set.
       apply_attributes!(hash, dirty_track: true)
@@ -838,11 +871,15 @@ module Parse
           val = val.to_i
         end
       when :boolean
-        if val.nil?
-          val = nil
-        else
-          val = val ? true : false
-        end
+        # Coerce via ActiveModel's boolean caster rather than Ruby
+        # truthiness. Plain `val ? true : false` treats every non-nil,
+        # non-false object as true, so the strings "false", "0", and "off"
+        # — exactly what arrives on the Rails-form / query-string ingestion
+        # path — would coerce to `true` and silently flip a boolean the
+        # wrong way (e.g. an `archived` or admin gate). ActiveModel maps the
+        # string forms ("false"/"0"/"f"/"off"/"") to false/nil. Parse wire
+        # JSON already sends real booleans, which pass through unchanged.
+        val = val.nil? ? nil : BOOLEAN_CASTER.cast(val)
       when :string
         val = val.to_s unless val.blank?
       when :float

data/lib/parse/mongodb.rb

@@ -1651,6 +1651,18 @@ module Parse
             collection_name, perms_for_clp,
           )
           Parse::CLPScope.redact_protected_fields!(results, strip_set) if strip_set.any?
+
+          # Process-level floor: recursively strip Parse-internal credential
+          # columns (_hashed_password, _session_token, _auth_data_*, _rperm,
+          # ...) from every row AND every embedded sub-document. The
+          # protectedFields strip above is keyed on the OUTER class, and the
+          # ACL sub-doc walk only DROPS ACL-failing sub-docs — neither covers
+          # a foreign class (e.g. _User / _Session) pulled in via $lookup /
+          # $graphLookup / $unionWith under an arbitrary alias. Runs last, for
+          # scoped (non-master) callers only; master is unredacted by design.
+          results.each do |row|
+            Parse::PipelineSecurity.redact_internal_fields_deep!(row)
+          end
         end
 
         payload[:result_count] = results.size

data/lib/parse/pipeline_security.rb

@@ -105,6 +105,7 @@ module Parse
     DENIED_FIELD_REFS = %w[
       $_hashed_password $_password_history
       $_session_token $_sessionToken
+      $sessionToken $session_token
       $_email_verify_token $_perishable_token
       $_failed_login_count $_account_lockout_expires_at
       $_rperm $_wperm
@@ -161,6 +162,19 @@ module Parse
     # walk_for_denied! field-name screen.
     INTERNAL_FIELDS_PREFIX_DENYLIST = %w[_auth_data_].freeze
 
+    # The credential / sensitive subset of {INTERNAL_FIELDS_DENYLIST}. These
+    # columns must NEVER appear as a user-influenced `$match` field name —
+    # even on a pipeline that runs with `allow_internal_fields: true` (which
+    # exists to permit SDK-emitted `_rperm`/`_wperm` references from
+    # `readable_by_role` / `publicly_readable`). A `$match`/`$count` on a
+    # password hash, session/reset token, or auth-data column is a credential-
+    # exfiltration oracle (bisect the value char-by-char), and these columns
+    # have NO legitimate SDK query use — so the `allow_internal_fields` escape
+    # hatch must not relax them. Derived from {INTERNAL_FIELDS_DENYLIST} minus
+    # the ACL/bookkeeping columns (`_rperm`/`_wperm`/`_tombstone`) the ACL DSL
+    # legitimately emits, so the two lists never drift.
+    CREDENTIAL_FIELDS_DENYLIST = (INTERNAL_FIELDS_DENYLIST - %w[_rperm _wperm _tombstone]).freeze
+
     # Forensic string-introspection operators. When any of these
     # appears INSIDE `$expr` with a field-reference input string, the
     # query becomes a per-character oracle even though the operator
@@ -336,6 +350,48 @@ module Parse
       end
     end
 
+    # Depth bound for {redact_internal_fields_deep!}. `$lookup`/`$graphLookup`/
+    # `$unionWith` embed foreign documents at shallow alias depth, so this is
+    # generous; the bound exists only to fail safe on cyclic/pathological docs.
+    INTERNAL_REDACT_MAX_DEPTH = 32
+
+    # Recursively delete {INTERNAL_FIELDS_DENYLIST} / {INTERNAL_FIELDS_PREFIX_DENYLIST}
+    # keys from `node` AND every embedded sub-document/array element, in place.
+    #
+    # This is the process-level floor that stops Parse-Server-internal
+    # credential columns (`_hashed_password`, `_session_token`, `_auth_data_*`,
+    # `_rperm`/`_wperm`, ...) from reaching a scoped caller through ANY result
+    # shape — most importantly a foreign-class document pulled in via
+    # `$lookup`/`$graphLookup`/`$unionWith` under an arbitrary alias. Neither
+    # the per-class protectedFields strip (keyed on the OUTER class) nor the
+    # ACL sub-document walk (which only DROPS ACL-failing sub-docs, never
+    # strips field names) covers that alias. Unlike {strip_internal_fields}
+    # (one level, non-mutating), this walks the whole tree and mutates in
+    # place so it can run as the last step over a result set.
+    #
+    # Structural columns (`_id`, `_p_*`, `_created_at`, `_updated_at`, `_acl`)
+    # are intentionally NOT in the denylist, so object/ACL reconstruction is
+    # unaffected.
+    #
+    # @param node [Object] a result row (Hash), array, or scalar.
+    # @return [Object] the same node, mutated.
+    def redact_internal_fields_deep!(node, depth: INTERNAL_REDACT_MAX_DEPTH)
+      case node
+      when Hash
+        # Always clean the current level (even at the depth floor) so an
+        # embedded document sitting exactly at the bound is still scrubbed.
+        node.delete_if do |key, _value|
+          ks = key.to_s
+          INTERNAL_FIELDS_DENYLIST.include?(ks) ||
+            INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| ks.start_with?(prefix) }
+        end
+        node.each_value { |v| redact_internal_fields_deep!(v, depth: depth - 1) } if depth > 0
+      when Array
+        node.each { |el| redact_internal_fields_deep!(el, depth: depth - 1) } if depth > 0
+      end
+      node
+    end
+
     # Wave-3 TRACK-CLP-4: refuse caller-supplied pipelines that
     # reference a protected field via `$<field>` on the RHS of a
     # `$project` / `$addFields` / `$set` / `$group` / `$bucket` /
@@ -510,21 +566,31 @@ module Parse
           # oracle as the where:-constraint path in ConstraintTranslator.
           # Operators ($-prefixed) are excluded because they are validated
           # separately by DENIED_OPERATORS.
-          if !allow_internal_fields &&
-             !key_str.start_with?("$") &&
-             (INTERNAL_FIELDS_DENYLIST.include?(key_str) ||
-              INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) })
-            raise Error.new(
-              "SECURITY: Pipeline references internal Parse Server field " \
-              "'#{key_str}' at nesting depth #{depth}" \
-              "#{stage_idx ? " inside stage #{stage_idx}" : ""}. " \
-              "This column (password hash, session token, auth data, or ACL " \
-              "pointer) must not appear in a user-influenced pipeline — " \
-              "it enables credential exfiltration via count/match oracles.",
-              stage: stage_idx,
-              operator: key_str,
-              reason: :denied_internal_field,
-            )
+          #
+          # CREDENTIAL columns (password hash, session/reset token, auth data)
+          # are refused UNCONDITIONALLY — `allow_internal_fields` (which exists
+          # so SDK-emitted `_rperm`/`_wperm` references survive on the mongo-
+          # direct path) must NOT relax them, or a `*_direct` terminal becomes
+          # a credential-bisection oracle. The remaining internal columns
+          # (`_rperm`/`_wperm`/`_tombstone`) stay gated by allow_internal_fields.
+          if !key_str.start_with?("$")
+            is_credential = CREDENTIAL_FIELDS_DENYLIST.include?(key_str) ||
+                            INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) }
+            is_internal = INTERNAL_FIELDS_DENYLIST.include?(key_str) ||
+                          INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) }
+            if is_credential || (is_internal && !allow_internal_fields)
+              raise Error.new(
+                "SECURITY: Pipeline references internal Parse Server field " \
+                "'#{key_str}' at nesting depth #{depth}" \
+                "#{stage_idx ? " inside stage #{stage_idx}" : ""}. " \
+                "This column (password hash, session token, auth data, or ACL " \
+                "pointer) must not appear in a user-influenced pipeline — " \
+                "it enables credential exfiltration via count/match oracles.",
+                stage: stage_idx,
+                operator: key_str,
+                reason: :denied_internal_field,
+              )
+            end
           end
           # Cap caller-supplied regex pattern length. Catches the two
           # shapes Mongo accepts: the find-form `{ field: { $regex: "..." } }`

data/lib/parse/query.rb

@@ -1965,11 +1965,21 @@ module Parse
     #     roles, injects the three-layer ACL simulation
     #     (top-level `$match`, `$lookup` rewriter, post-fetch
     #     redactor) via {Parse::MongoDB.aggregate}.
+    #   * an active `Parse.with_session` block — the fiber-local ambient
+    #     session token scopes the read the same way an explicit
+    #     `session_token=` would (see {#mongo_direct_auth_kwargs}).
     #
     # Raises a clear {MongoDirectRequired} otherwise.
     # @!visibility private
     def assert_mongo_direct_routable!
       has_session = @session_token.is_a?(String) && !@session_token.empty?
+      # An active `Parse.with_session` block scopes the read even on a
+      # non-master client (client_mode, or a user-scoped client with no
+      # master key), where `server_mode_master` is false. Without this the
+      # query would raise instead of running scoped — and on a master
+      # client the ambient is what `mongo_direct_auth_kwargs` forwards so
+      # the read is scoped rather than silently master.
+      has_ambient_session = !ambient_session_token.nil?
       # Mirror the request-layer auth resolution in Parse::Client#request:
       # when the process is in "server mode" — Parse.client_mode == false
       # AND the resolved Parse::Client has a master_key — and the caller
@@ -1985,7 +1995,7 @@ module Parse
         false
       end
       server_mode_master = (use_master_key != false) && !Parse.client_mode && client_has_master_key
-      unless use_master_key || server_mode_master || @acl_user || @acl_role || has_session
+      unless use_master_key || server_mode_master || @acl_user || @acl_role || has_session || has_ambient_session
         raise MongoDirectRequired,
           "[Parse::Query] This query uses a constraint that can only run " \
           "via mongo-direct. Mongo-direct bypasses Parse Server's enforcement, " \
@@ -2019,6 +2029,12 @@ module Parse
     #     double-inject).
     #   * `session_token` is set → forward `session_token:` so
     #     Parse::ACLScope runs the full three-layer simulation.
+    #   * Otherwise, the fiber-local ambient session set by
+    #     `Parse.with_session` is forwarded as `session_token:` (unless
+    #     the caller explicitly requested `use_master_key: true`), so a
+    #     query that auto-routes to mongo-direct inside a `with_session`
+    #     block is scoped to that user — matching what the REST path does
+    #     in {Parse::Client#request}.
     #   * Otherwise (master-key path) → forward `master: true`.
     # @!visibility private
     def mongo_direct_auth_kwargs
@@ -2036,11 +2052,32 @@ module Parse
         { acl_role: @acl_role }
       elsif @session_token.is_a?(String) && !@session_token.empty?
         { session_token: @session_token }
+      elsif use_master_key != true && (ambient = ambient_session_token)
+        # No explicit per-query scope, but a `Parse.with_session` block is
+        # active. Mirror Parse::Client#request's precedence (ambient
+        # session wins over the server-mode master default) so the read is
+        # scoped to that user instead of silently running as master with
+        # no ACL/CLP enforcement. An explicit `use_master_key: true` is a
+        # deliberate admin call and skips the ambient, exactly as the REST
+        # path does.
+        { session_token: ambient }
       else
         { master: true }
       end
     end
 
+    # The fiber-local ambient session token set by `Parse.with_session`,
+    # or nil. A whitespace-only ambient is treated as absent so it cannot
+    # block the master fallback and then fail a later presence check —
+    # the same guard {Parse::Client#request} applies.
+    # @return [String, nil]
+    # @!visibility private
+    def ambient_session_token
+      return nil unless Parse.respond_to?(:current_session_token)
+      ambient = Parse.current_session_token
+      ambient if ambient.is_a?(String) && !ambient.strip.empty?
+    end
+
     # Check if this query contains constraints that require aggregation pipeline processing
     # @return [Boolean] true if aggregation pipeline is required
     def requires_aggregation_pipeline?
@@ -3527,22 +3564,31 @@ module Parse
       # the merged pipeline is provably SDK-injected, never user input.
       uses_internal_fields = pipeline_uses_internal_fields?(complete_pipeline)
       scoped = distinct_query_is_scoped?
+      mongo_ready = defined?(Parse::MongoDB) && Parse::MongoDB.enabled?
       use_mongo_direct = mongo_direct
-      if use_mongo_direct.nil?
-        mongo_ready = defined?(Parse::MongoDB) && Parse::MongoDB.enabled?
-        if lookup_stages && lookup_stages.any?
+
+      if scoped
+        # A scoped aggregation (session_token / scope_to_user / scope_to_role)
+        # must NEVER reach Parse Server's REST /aggregate endpoint — it is
+        # master-key-only and enforces NEITHER ACL NOR CLP, so it would run
+        # unscoped as the master key. This holds even when the caller
+        # explicitly passes `mongo_direct: false`: an explicit false cannot
+        # opt a scoped query out of ACL/CLP enforcement. Promote to mongo-
+        # direct, or fail closed when direct Mongo is unavailable (refuse
+        # rather than leak unscoped rows).
+        if mongo_ready
+          use_mongo_direct = true
+        else
+          raise_scoped_aggregation_requires_mongo_direct!
+        end
+      elsif use_mongo_direct.nil?
+        # Unscoped auto-routing: $inQuery/$notInQuery → $lookup pipelines and
+        # SDK-injected internal-field ($rperm/_wperm) pipelines can't be served
+        # by REST /aggregate, so prefer mongo-direct when available. An unscoped
+        # internal-field pipeline keeps the REST fallback (a master-key
+        # correctness edge, not an enforcement bypass).
+        if (lookup_stages && lookup_stages.any?) || uses_internal_fields
           use_mongo_direct = true if mongo_ready
-        elsif scoped || uses_internal_fields
-          if mongo_ready
-            use_mongo_direct = true
-          elsif scoped
-            # Fail closed: a scoped aggregation cannot fall back to REST
-            # /aggregate without silently bypassing ACL/CLP (master-key-only
-            # endpoint). Refuse rather than leak unscoped results. Unscoped
-            # internal-field pipelines keep the REST fallback (a master-key
-            # correctness edge, not an enforcement bypass).
-            raise_scoped_aggregation_requires_mongo_direct!
-          end
         end
       end
 
@@ -3641,17 +3687,21 @@ module Parse
       # unenforced). A scoped query fails closed when mongo-direct is
       # unavailable rather than silently running unscoped as master.
       scoped = distinct_query_is_scoped?
+      mongo_ready = defined?(Parse::MongoDB) && Parse::MongoDB.enabled?
       use_mongo_direct = mongo_direct
-      if use_mongo_direct.nil?
-        mongo_ready = defined?(Parse::MongoDB) && Parse::MongoDB.enabled?
-        if has_lookup_stages
+
+      if scoped
+        # A scoped aggregation must never reach REST /aggregate (master-key-
+        # only, unenforced) — not even when the caller explicitly passes
+        # mongo_direct: false. Promote to mongo-direct, or fail closed.
+        if mongo_ready
+          use_mongo_direct = true
+        else
+          raise_scoped_aggregation_requires_mongo_direct!
+        end
+      elsif use_mongo_direct.nil?
+        if has_lookup_stages || uses_internal_fields
           use_mongo_direct = true if mongo_ready
-        elsif scoped || uses_internal_fields
-          if mongo_ready
-            use_mongo_direct = true
-          elsif scoped
-            raise_scoped_aggregation_requires_mongo_direct!
-          end
         end
       end
 

data/lib/parse/stack/version.rb

@@ -6,6 +6,6 @@ module Parse
   # The Parse Server SDK for Ruby
   module Stack
     # The current version.
-    VERSION = "5.5.0"
+    VERSION = "5.5.1"
   end
 end

data/lib/parse/stack.rb

@@ -582,8 +582,19 @@ module Parse
 
   # Optional dedicated Moneta store for the synchronize-create lock. When
   # nil, falls back to {Parse.cache}.
+  #
+  # SECURITY: if you pass a raw Moneta-Redis store, build it with
+  # +value_serializer: nil+. The lock release path reads the stored owner
+  # token back (+store[key]+) to compare-and-delete; with Moneta's default
+  # Marshal value serializer that read +Marshal.load+s bytes from Redis — an
+  # RCE vector on a shared/untrusted/MITM'd lock store. With
+  # +value_serializer: nil+ the owner token is a plain string and is never
+  # deserialized. Alternatively pass a {Parse::Cache::Redis} instance, which
+  # uses a raw-string acquire/release path and avoids Marshal entirely.
   # @example
-  #   Parse.synchronize_create_store = Moneta.new(:Redis, url: "redis://locks:6379/1")
+  #   Parse.synchronize_create_store = Moneta.new(:Redis, url: "redis://locks:6379/1", value_serializer: nil)
+  #   # or, preferred:
+  #   Parse.synchronize_create_store = Parse::Cache::Redis.new(url: "redis://locks:6379/1")
   @synchronize_create_store = nil
 
   # Optional allowlist of {Parse::Object} subclasses that may use the

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: parse-stack-next
 version: !ruby/object:Gem::Version
-  version: 5.5.0
+  version: 5.5.1
 platform: ruby
 authors:
 - Adrian Curtin