parse-stack-next 5.5.0 → 5.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21be0f771a719c1df464556b7b4757d23266e4446a0636887cbc7b0ca079e3db
-  data.tar.gz: e130b4255384a8fb3b0a1be0e44d6fa8a345ee120851c9596285e44a4c9ec81b
+  metadata.gz: 2d234769063a852058f1024815a4cb5e804646bfe54c5bd316e4730e4e451451
+  data.tar.gz: cf3d7dcdeee49dd7b74fdaf241d205c98519e0464171c232bc565a2d844fe71a
 SHA512:
-  metadata.gz: '008496f006ad4c6026675be14f50be0189e4d64fa8ba1b5102bf781ef85e0d851507c6eb7c3ad3fadb9796e09f983e0609d220e0f580f2589ba0cea1471668c9'
-  data.tar.gz: 1ccb000d645ad338c5cafb98c7d7dbc8610d5cf9ce0c2fac84595c6fb8e6c27dc66c9c14678a834180a1ad57b653f242bb64fe8139383a979921a10a13d84953
+  metadata.gz: e32cb99c46fc779dcb7595b7fe8dd95592411856ee079bf969f8c9f2a28cd7739a3785af6cad45fe741b868d69f8c1ce74c7d46bd8cd5a439ea8d7c225434ee4
+  data.tar.gz: 51548942c4b24a7e9c3d5323269962ba9212dce7f3b58ab6bddc3d9199df9a8976698b3bfce690c5dbd42726ea1260825dfd8567f777b14bb1793d941cdb302e

data/CHANGELOG.md

@@ -1,5 +1,195 @@
 ## parse-stack-next Changelog
 
+### 5.5.2
+
+#### Large aggregation pipelines no longer fail with "Invalid aggregate stage '0'"
+
+- **FIXED**: An aggregation whose request URL exceeds ~2KB (for example a
+  `group_by`, `group_by_date`, `distinct`, or custom `aggregate` pipeline with
+  a large `$in` / `$match`) is rewritten from a GET to a POST carrying
+  `_method=GET`, with the query moved into the request body. The pipeline was
+  sent in the body as a URL-encoded string, but Parse Server's aggregate
+  endpoint only JSON-decodes query-string params, not body params — so the
+  pipeline arrived as a raw string and was rejected with
+  `Invalid aggregate stage '0'`, causing the aggregation to return an empty
+  result. The long-URL override now sends a JSON body for the aggregate
+  endpoint so the pipeline is delivered as a real array (boolean params such as
+  `rawValues` are preserved as booleans). The historical URL-encoded override is
+  unchanged for `find` and other endpoints, which Parse Server already decodes
+  correctly.
+
+#### Aggregations inside `Parse.with_session` blocks are now scoped
+
+- **FIXED**: `group_by_date`, `group_by`, `distinct`, and `count` (aggregation
+  branch) now detect the ambient session token set by `Parse.with_session` and
+  treat the query as scoped — consistent with how `Parse::Client#request`
+  already scopes REST find/get/count calls in the same block. Previously the
+  `query_is_scoped?` / `distinct_query_is_scoped?` checks consulted only the
+  query instance's own `session_token=` / `scope_to_user` / `scope_to_role`
+  and ignored `Parse.current_session_token`, so an aggregation inside a
+  `with_session` block ran unscoped as the master key and returned all rows
+  regardless of ACL. The checks now include the ambient: when scoped and
+  mongo-direct is available the aggregation auto-promotes (ACL/CLP enforced);
+  when scoped and mongo-direct is unavailable it fails closed with
+  `MongoDirectRequired` rather than silently leaking rows.
+- **FIXED**: `group_by_date` now also fails closed (`MongoDirectRequired`) when
+  the query is scoped but mongo-direct is unavailable — matching the existing
+  behavior of `group_by`, `distinct`, and `count`. Previously `group_by_date`
+  silently fell back to the REST `/aggregate` endpoint in that case.
+- **FIXED**: A regression introduced in 5.5.1 where `group_by_date`,
+  `group_by`, and pipeline-based aggregations called inside a
+  `Parse.with_session` block returned empty results `{}`. The ambient session
+  token was forwarded as an HTTP session-token header (suppressing the master
+  key), causing Parse Server's REST `/aggregate` endpoint — which is
+  master-key-only — to return a 401/403. The REST aggregate call sites now
+  force `use_master_key: true` so the ambient cannot suppress it, unless the
+  caller explicitly set `use_master_key: false`.
+
+### 5.5.1
+
+#### Mongo-direct reads inside `Parse.with_session` are now scoped, not master
+
+- **FIXED**: A query that auto-routes to the mongo-direct path because of a
+  direct-only constraint (for example a geo `$near` / `$geoIntersects` query)
+  now honors the ambient session token set by `Parse.with_session(token)`.
+  Previously the mongo-direct auth resolver consulted only the query's own
+  `session_token=` / `scope_to_user` / `scope_to_role` and ignored the
+  fiber-local ambient session, so in server mode it fell through to a
+  master-key read with no ACL/CLP enforcement — returning rows the session was
+  not permitted to see, even though every REST query in the same
+  `with_session` block was correctly scoped. The resolver now mirrors
+  `Parse::Client#request` precedence: an explicit per-query token wins, then
+  the ambient session, then the master-key fallback; an explicit
+  `use_master_key: true` is a deliberate admin call and still skips the
+  ambient. Routing also accepts the ambient on non-master clients
+  (`Parse.client_mode` or a user-scoped client), so such a query runs scoped
+  rather than raising.
+
+#### Boolean property coercion no longer treats the string "false" as true
+
+- **FIXED**: A `:boolean` property assigned a string now coerces via
+  ActiveModel's boolean caster instead of raw Ruby truthiness. Previously the
+  coercion was `val ? true : false`, so the strings `"false"`, `"0"`, and
+  `"off"` — exactly what arrives on a Rails-form or query-string ingestion
+  path — all coerced to `true`, silently flipping a boolean the wrong way (for
+  example an `archived` flag or an application-defined access gate). String
+  forms now map correctly (`"false"`/`"0"`/`"off"` to `false`), a blank string
+  is treated as unset (`nil`), and native booleans from Parse wire JSON pass
+  through unchanged.
+
+#### Deprecation warning for setting ACL via mass-assignment
+
+- **DEPRECATED**: Setting `acl`/`ACL` through mass-assignment
+  (`Parse::Object#attributes=`) now emits a one-time security warning. Mass-
+  assigning an ACL from a caller-supplied hash — for example a controller doing
+  `record.attributes = params` without StrongParameters — lets an attacker
+  grant unintended access by sending an `ACL` key
+  (`{"ACL" => {"*" => {"write" => true}}}`). The behavior is unchanged this
+  release (the ACL is still applied), but the supported path is the explicit
+  `record.acl = ...` setter, and a future release may block ACL mass-assignment.
+  The constructor form `Klass.new(acl: ...)` is unaffected and does not warn.
+
+#### Redis cache values serialized as JSON instead of Marshal
+
+- **FIXED**: `Parse::Cache::Redis` now serializes cached HTTP responses as
+  JSON rather than Marshal. The Moneta-Redis store Marshals values by default,
+  so every cache hit ran `Marshal.load` on the bytes returned by Redis. Against
+  a shared, unauthenticated, or plaintext-`redis://` cache, an attacker able to
+  write the cache could plant a crafted Marshal payload that executed code on
+  deserialization. The wrapper now disables Moneta's value serializer
+  (`value_serializer: nil`) and JSON-encodes/decodes values itself; an
+  undecodable value (including any legacy Marshal entry) is treated as a cache
+  miss rather than deserialized. Cache keys are unchanged. No application code
+  changes are required; existing cached entries are transparently refetched and
+  re-stored in the new format on first access.
+- **FIXED**: The `cache: "redis://..."` shorthand on `Parse::Client.new` /
+  `Parse.setup` now builds a `Parse::Cache::Redis` store instead of a bare
+  `Moneta.new(:Redis, ...)`, so it gets the same JSON value serialization and
+  is not subject to the Marshal deserialization issue above.
+- **CHANGED**: The caching middleware stores response entries with string keys
+  so they round-trip losslessly through the JSON serialization. Reads accept
+  both string and legacy symbol keys.
+- **FIXED**: `Parse::Embeddings::Cache::MonetaStore` now JSON-encodes cached
+  embedding vectors instead of relying on the Moneta store's default Marshal
+  value serializer, closing the same `Marshal.load`-on-read deserialization
+  vector for the embedding cache (whose key is derived from often-user-supplied
+  text). It also emits a one-time warning when handed a Marshal-serializing
+  store and recommends `value_serializer: nil`.
+- **CHANGED**: Documentation for Redis-backed caches, the embedding cache, and
+  the synchronize-create lock store (`Parse.synchronize_create_store`) now
+  builds the Redis store via `Parse::Cache::Redis` or `value_serializer: nil`
+  so a raw `Moneta.new(:Redis, ...)` no longer leaves Marshal on the read path.
+
+#### Internal columns stripped from joined documents on mongo-direct reads
+
+- **FIXED**: `Parse::MongoDB.aggregate` now recursively strips Parse-internal
+  credential columns (`_hashed_password`, `_session_token`, `_auth_data_*`,
+  `_rperm`/`_wperm`, ...) from every result row **and every embedded
+  sub-document** for scoped (non-master) callers. Previously a scoped caller
+  could embed a foreign class (e.g. `_User` or `_Session`) into an arbitrary
+  alias via `$lookup` / `$graphLookup` / `$unionWith` and read back password
+  hashes, OAuth tokens, and session tokens: the per-class `protectedFields`
+  strip is keyed on the outer class, and the ACL sub-document walk only drops
+  ACL-failing sub-documents, so neither covered the aliased foreign document.
+  A new `Parse::PipelineSecurity.redact_internal_fields_deep!` runs as the final
+  redaction step. Structural columns (`_id`, `_p_*`, `_acl`, timestamps) are
+  preserved, so object and ACL reconstruction are unaffected; master-key reads
+  are unchanged.
+
+#### Hardened developer-facing mongo-direct aggregation terminals
+
+- **FIXED**: Credential columns (`_hashed_password`, `_session_token`,
+  `_auth_data_*`, `_email_verify_token`, `_perishable_token`, ...) used as a
+  `$match` field name are now refused **unconditionally** on the mongo-direct
+  path — even on a pipeline running with `allow_internal_fields: true` (the flag
+  that lets SDK-emitted `_rperm`/`_wperm` references through for
+  `readable_by_role` / `publicly_readable`). Previously the `*_direct` terminals
+  (`count_direct`, `results_direct`, `distinct_direct`, the direct group-by
+  helpers) passed `allow_internal_fields: true` unconditionally, so a query
+  whose `where` referenced a credential column compiled into a `$match` key that
+  bypassed the internal-field screen — a count/match oracle that could bisect a
+  bcrypt hash or session token. The ACL columns (`_rperm`/`_wperm`/`_tombstone`)
+  remain gated by `allow_internal_fields`, so `readable_by_role` still works.
+- **FIXED**: `Parse::Query#aggregate` and `#aggregate_from_query` now treat a
+  scoped query (`session_token` / `scope_to_user` / `scope_to_role`) as
+  authoritative over an explicit `mongo_direct: false`. Previously passing
+  `mongo_direct: false` on a scoped aggregation skipped the fail-closed guard
+  and routed to Parse Server's master-key-only REST `/aggregate` endpoint,
+  running the aggregation unscoped (no ACL, CLP, or `protectedFields`). A scoped
+  aggregation now promotes to mongo-direct, or fails closed with
+  `Parse::Query::MongoDirectRequired` when direct Mongo is unavailable; unscoped
+  callers can still opt out to REST with `mongo_direct: false`.
+
+#### Additional hardening
+
+- **FIXED**: Request/response body logging now redacts credentials. At `:debug`
+  level the logging middleware emitted login/signup request bodies (cleartext
+  `password`) and auth response bodies (`sessionToken`, `authData`, MFA
+  secrets); the body path now runs through the same `BodyBuilder.redact`
+  scrubber the header path already used, before truncation.
+- **FIXED**: The `_User` REST endpoints (`fetch_user` / `update_user` /
+  `delete_user`) now validate the `objectId` against
+  `Parse::API::PathSegment.object_id!` before interpolating it into the path,
+  matching the object endpoints. A crafted objectId (e.g. from a compromised
+  server response) can no longer traverse to a different endpoint on a
+  subsequent request.
+- **CHANGED**: `$sessionToken` / `$session_token` (the camelCase forms of the
+  session-token column) are now in `DENIED_FIELD_REFS`, so they cannot be
+  laundered through a `$`-field reference in a pipeline.
+- **IMPROVED**: The internal-collection floor (`_SCHEMA` / `_Hooks` /
+  `_GlobalConfig` / `_Audit` / ...) is now enforced unconditionally on every
+  `$lookup` / `$graphLookup` / `$unionWith` join target in
+  `Parse::ACLScope`, not only when lookup-rewriting runs. This closes a
+  defense-in-depth gap where an internal class whose CLP lookup returned no
+  policy could otherwise have been joinable on the direct path.
+- **IMPROVED**: When the MCP agent server is started on an unauthenticated
+  loopback bind with no Origin/custom-header gate configured, it now defaults
+  to a loopback-only Origin policy. A browser DNS-rebinding attack against
+  `127.0.0.1` carries a non-loopback `Origin` and is refused; native clients
+  (which send no `Origin`) and local browser UIs are unaffected. A one-time
+  warning points operators at `MCP_API_KEY` / `allowed_origins:` /
+  `require_custom_header:` for routable deployments.
+
 ### 5.5.0
 
 #### Multimodal bytes-fetch path with magic-byte MIME verification

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    parse-stack-next (5.5.0)
+    parse-stack-next (5.5.2)
       activemodel (>= 6.1, < 9)
       activesupport (>= 6.1, < 9)
       connection_pool (>= 2.2, < 4)

data/README.md

@@ -628,12 +628,21 @@ If `faraday-net_http_persistent` is not available, Parse Stack automatically fal
 A caching adapter of type `Moneta::Transformer`. Caching queries and object fetches can help improve the performance of your application, even if it is for a few seconds. Only successful `GET` object fetches and queries (non-empty) will be cached. You may set the default expiration time with the `expires` option. See related: [Moneta](https://github.com/minad/moneta). At any point in time you may clear the cache by calling the `clear_cache!` method on the client connection.
 
 ```ruby
-  store = Moneta.new :Redis, url: 'redis://localhost:6379'
+  # Use the bundled Parse::Cache::Redis wrapper for a Redis-backed cache. It
+  # serializes cached responses as JSON (never Marshal): a raw
+  # `Moneta.new(:Redis, ...)` store Marshals values by default, so a cache
+  # read would `Marshal.load` bytes from Redis — an RCE vector if that Redis
+  # is shared, unauthenticated, or reachable over a plaintext `redis://` MITM.
+  store = Parse::Cache::Redis.new(url: 'redis://localhost:6379')
    # use a Redis cache store with an automatic expire of 10 seconds.
   Parse.setup(cache: store, expires: 10, ...)
 ```
 
-As a shortcut, if you are planning on using REDIS and have configured the use of `redis` in your `Gemfile`, you can just pass the REDIS connection string directly to the cache option.
+If you supply your own raw `Moneta.new(:Redis, ...)` store instead of the
+wrapper, build it with `value_serializer: nil` to keep Marshal off the cache
+read path.
+
+As a shortcut, if you are planning on using REDIS and have configured the use of `redis` in your `Gemfile`, you can just pass the REDIS connection string directly to the cache option. The string form builds a `Parse::Cache::Redis` wrapper for you, so it is JSON-serialized and safe by default.
 
 ```ruby
   Parse.setup(cache: 'redis://localhost:6379', ...)
@@ -5342,7 +5351,11 @@ If you are already have setup a client that is being used by your defined models
 For high traffic applications that may be performing several server tasks on similar objects, you may utilize request caching. Caching is provided by a the `Parse::Middleware::Caching` class which utilizes a [Moneta store](https://github.com/minad/moneta) object to cache GET url requests that have allowable status codes (ex. HTTP 200, etc). The cache entry for the url will be removed when it is either considered expired (based on the `expires` option) or if a non-GET request is made with the same url. Using this feature appropriately can dramatically reduce your API request usage.
 
 ```ruby
-store = Moneta.new :Redis, url: 'redis://localhost:6379'
+# Parse::Cache::Redis serializes cached responses as JSON, not Marshal — a raw
+# Moneta.new(:Redis) store Marshals values by default and a cache read would
+# Marshal.load Redis bytes (RCE if the cache is shared/untrusted). Prefer the
+# wrapper; if you supply a raw Moneta-Redis store, pass value_serializer: nil.
+store = Parse::Cache::Redis.new(url: 'redis://localhost:6379')
  # use a Redis cache store with an automatic expire of 10 seconds.
 Parse.setup(cache: store, expires: 10, ...)
 

data/docs/atlas_vector_search_guide.md

@@ -353,7 +353,11 @@ layer shared across processes, wrap any Moneta-compatible backend in
 the bundled adapter:
 
 ```ruby
-moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"])
+# Build the Moneta store with value_serializer: nil. MonetaStore JSON-encodes
+# vectors itself; without value_serializer: nil, Moneta would additionally
+# Marshal the values, and a cache read would Marshal.load bytes from a shared
+# Redis — an RCE vector if that Redis is untrusted or MITM'd over redis://.
+moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"], value_serializer: nil)
 Parse::Embeddings::Cache.enable!(
   store: Parse::Embeddings::Cache::MonetaStore.new(moneta, ttl: 30 * 24 * 3600),
 )

data/lib/parse/acl_scope.rb

@@ -336,6 +336,17 @@ module Parse
         return if target.nil?
         target_str = target.to_s
         return if target_str.empty?
+        # RT-7 / NEW-4: hard internal-collection floor FIRST, independent of
+        # CLP. This must run on EVERY join target on the direct
+        # Parse::MongoDB.aggregate path. LookupRewriter.auto_rewrite (the other
+        # caller of assert_collection_allowed!) is skipped when rewrite_lookups
+        # is off or the root class can't be resolved, so relying on it alone
+        # leaves a gap: an internal collection (`_SCHEMA`/`_Hooks`/`_Audit`/
+        # `_GlobalConfig`/...) whose CLP fetch returns :no_clp would pass the
+        # permits? check below. The floor refuses those outright while still
+        # admitting the SDK data classes (`_User`/`_Role`/`_Installation`/
+        # `_Session`), which then face the per-scope CLP `find` gate.
+        Parse::PipelineSecurity.assert_collection_allowed!(target_str)
         return if Parse::CLPScope.permits?(target_str, :find, perms)
         raise Parse::CLPScope::Denied.new(
           target_str, :find,

data/lib/parse/agent/mcp_rack_app.rb

@@ -4,6 +4,7 @@
 require "json"
 require "securerandom"
 require "digest"
+require "uri"
 require_relative "errors"
 require_relative "mcp_dispatcher"
 require_relative "mcp_subscriptions"
@@ -320,6 +321,7 @@ module Parse
                      pre_auth_rate_limiter: nil,
                      allowed_origins: nil,
                      require_custom_header: nil,
+                     loopback_csrf_default: false,
                      resource_subscriptions: false,
                      subscription_manager: nil,
                      notifications: nil,
@@ -376,6 +378,16 @@ module Parse
         @pre_auth_rate_limiter      = pre_auth_rate_limiter
         @allowed_origins            = normalize_allowed_origins(allowed_origins)
         @required_custom_header     = normalize_required_custom_header(require_custom_header)
+        # NEW-9: when no explicit allowed_origins / require_custom_header CSRF
+        # gate is configured but the server was started on an unauthenticated
+        # loopback bind, default to a loopback-only Origin policy. A browser
+        # DNS-rebinding attack against 127.0.0.1 always carries an `Origin`
+        # header (the attacker page's origin), so refusing any present
+        # non-loopback Origin closes that vector — while native clients (curl,
+        # SDK-to-SDK) send NO Origin and stay allowed, and a legitimate local
+        # browser UI sends a loopback Origin and is allowed. Ignored when an
+        # explicit allowlist is configured (operator owns the policy then).
+        @loopback_csrf_default      = loopback_csrf_default && @allowed_origins.nil?
         @health_path                = health_path.is_a?(String) && !health_path.empty? ? health_path : nil
         # Per-app registry of in-flight cancellable requests. Keyed by
         # [correlation_id, request_id]. A `notifications/cancelled` POST
@@ -660,12 +672,9 @@ module Parse
         #     Missing/empty `Origin` is allowed regardless — native
         #     clients (curl, SDK-to-SDK) shouldn't be broken by a
         #     CSRF defense aimed at browsers.
-        if @allowed_origins
-          origin = env["HTTP_ORIGIN"].to_s.strip
-          unless origin.empty? || origin_allowed?(origin)
-            @logger&.warn("[Parse::Agent::MCPRackApp] Origin refused: #{origin.inspect}")
-            return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
-          end
+        if origin_refused?(env)
+          @logger&.warn("[Parse::Agent::MCPRackApp] Origin refused: #{env["HTTP_ORIGIN"].to_s.strip.inspect}")
+          return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
         end
 
         # 2c. Required custom header (CSRF defense-in-depth). A header
@@ -1051,14 +1060,11 @@ module Parse
           return [400, json_headers, [json_rpc_error(-32_600, "Missing or invalid Mcp-Session-Id")]]
         end
 
-        # The origin allowlist (when configured) guards the listening stream
-        # the same way it guards POST — a browser-driven cross-origin GET to
-        # an SSE endpoint is the analogous CSRF surface.
-        if @allowed_origins
-          origin = env["HTTP_ORIGIN"].to_s.strip
-          unless origin.empty? || origin_allowed?(origin)
-            return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
-          end
+        # The origin policy (when configured, or the loopback default) guards
+        # the listening stream the same way it guards POST — a browser-driven
+        # cross-origin GET to an SSE endpoint is the analogous CSRF surface.
+        if origin_refused?(env)
+          return [403, json_headers, [json_rpc_error(-32_700, "Origin not allowed")]]
         end
 
         # Owner-binding: only the principal that established this session (or,
@@ -2119,6 +2125,39 @@ module Parse
       # `@allowed_origins`. Comparison is case-insensitive on host and
       # scheme. Wildcard via leading `.` matches subdomains:
       # `.example.com` matches `app.example.com` and `example.com`.
+      # Single chokepoint for the Origin CSRF gate, shared by the POST and
+      # listening-stream paths. A missing/empty Origin (native clients: curl,
+      # SDK-to-SDK) is always allowed — the CSRF surface is browser-only, and
+      # browsers always send an Origin on cross-origin requests. When an
+      # explicit allowlist is configured it wins; otherwise the loopback
+      # default (NEW-9) refuses any present non-loopback Origin.
+      def origin_refused?(env)
+        origin = env["HTTP_ORIGIN"].to_s.strip
+        return false if origin.empty?
+        if @allowed_origins
+          !origin_allowed?(origin)
+        elsif @loopback_csrf_default
+          !origin_is_loopback?(origin)
+        else
+          false
+        end
+      end
+
+      # True when `origin`'s host is a loopback address (any scheme/port).
+      # Closes browser DNS-rebinding on an unauthenticated loopback bind: the
+      # attacker page's Origin (e.g. http://evil.example) is not loopback and
+      # is refused, while a real local UI on http://localhost:<port> passes.
+      def origin_is_loopback?(origin)
+        host = begin
+          URI.parse(origin).host
+        rescue URI::InvalidURIError, StandardError
+          nil
+        end
+        return false if host.nil?
+        host = host.downcase.delete_prefix("[").delete_suffix("]") # unwrap IPv6 brackets
+        host == "localhost" || host == "127.0.0.1" || host == "::1"
+      end
+
       def origin_allowed?(origin)
         return false unless @allowed_origins
         normalized = origin.downcase

data/lib/parse/agent/mcp_server.rb

@@ -162,11 +162,30 @@ module Parse
         # pre_auth_rate_limiter: closes NEW-MCP-6 — runs before the factory
         # is invoked so an empty or malformed body can't amplify into a
         # Parse Server round-trip.
+        # NEW-9: on an unauthenticated loopback dev bind with no explicit CSRF
+        # gate configured, enable a loopback-only Origin policy by default to
+        # mitigate browser DNS-rebinding (a malicious page resolving a hostname
+        # to 127.0.0.1 and POSTing to the agent). The attacker page always
+        # carries a non-loopback Origin and is refused; native (no-Origin)
+        # clients and real local browser UIs are unaffected. Skipped when an
+        # API key is set (auth already gates) or the operator configured the
+        # Origin/custom-header gates themselves.
+        loopback_csrf_default =
+          LOOPBACK_HOSTS.include?(host.to_s) && @api_key.to_s.empty? &&
+          allowed_origins.nil? && require_custom_header.nil?
+        if loopback_csrf_default
+          warn "[Parse::Agent::MCPServer] Binding #{host}:#{port} without an API key. " \
+               "Enabling a loopback-only Origin policy to mitigate browser DNS-rebinding. " \
+               "For anything beyond local single-user dev set MCP_API_KEY (or pass api_key:), " \
+               "and/or configure allowed_origins:/require_custom_header:."
+        end
+
         @rack_app = MCPRackApp.new(
           agent_factory: method(:agent_factory),
           pre_auth_rate_limiter: pre_auth_rate_limiter,
           allowed_origins: allowed_origins,
           require_custom_header: require_custom_header,
+          loopback_csrf_default: loopback_csrf_default,
         )
       end
 

data/lib/parse/api/path_segment.rb

@@ -45,6 +45,37 @@ module Parse
         s
       end
 
+      # Parse objectId pattern: 1–40 alphanumerics. Parse Server generates
+      # 10-char alphanumeric ids; the cap is generous to allow custom ids
+      # while still refusing path-traversal (`/`, `.`, `..`) and query
+      # injection (`?`, `&`, `=`). Mirrors Parse::API::Objects::OBJECT_ID_PATTERN.
+      OBJECT_ID_PATTERN = /\A[A-Za-z0-9]{1,40}\z/.freeze
+
+      # Validate a Parse objectId used in a REST path (`users/<id>`,
+      # `classes/<Class>/<id>`) and return it unchanged. Refuses anything that
+      # could traverse to a different endpoint or smuggle a query string when
+      # interpolated raw — e.g. a hostile/compromised Parse Server returning a
+      # crafted `objectId` like `../classes/_User?where=...` on a prior
+      # response that then rides the next fetch/update/delete with whatever
+      # credentials the call is authorized to send.
+      #
+      # @param value the objectId to validate (anything responding to `to_s`).
+      # @param kind [String] human-readable name for error messages.
+      # @return [String] the validated objectId.
+      # @raise [ArgumentError] if blank or it fails the pattern.
+      def object_id!(value, kind: "objectId")
+        s = value.to_s
+        if s.empty?
+          raise ArgumentError, "#{kind} must not be empty"
+        end
+        unless OBJECT_ID_PATTERN.match?(s)
+          raise ArgumentError,
+            "#{kind} #{s.inspect} contains characters not allowed in a Parse " \
+            "objectId. Must match /\\A[A-Za-z0-9]{1,40}\\z/."
+        end
+        s
+      end
+
       # Parse trigger className pattern: a normal identifier, OR one of Parse
       # Server's `@`-prefixed pseudo-classes (`@File` for file triggers,
       # `@Connect` for the connection-global LiveQuery trigger). The optional

data/lib/parse/api/users.rb

@@ -26,6 +26,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def fetch_user(id, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         request :get, "#{USER_PATH_PREFIX}/#{id}", headers: headers, opts: opts
       end
 
@@ -74,6 +75,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def update_user(id, body = {}, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         response = request :put, "#{USER_PATH_PREFIX}/#{id}", body: body, headers: headers, opts: opts
         response.parse_class = Parse::Model::CLASS_USER
         response
@@ -98,6 +100,7 @@ module Parse
       # @param headers [Hash] additional HTTP headers to send with the request.
       # @return [Parse::Response]
       def delete_user(id, headers: {}, **opts)
+        id = Parse::API::PathSegment.object_id!(id)
         request :delete, "#{USER_PATH_PREFIX}/#{id}", headers: headers, opts: opts
       end
 

data/lib/parse/cache/redis.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "moneta"
+require "json"
 require_relative "pool"
 
 module Parse
@@ -82,6 +83,20 @@ module Parse
         # session-scoped REST responses outlive their token's
         # validity. Callers can still pass `expires: false` to opt out.
         merged_options = { expires: true }.merge(moneta_options)
+        # SECURITY: disable Moneta's value serializer so cached values are NOT
+        # Marshal-encoded. We JSON-(de)serialize values ourselves in #store /
+        # #[] (see #encode_value / #decode_value). The default Moneta-Redis
+        # value serializer is Marshal, which would `Marshal.load` whatever
+        # bytes come back from Redis on every cache hit — an arbitrary-code-
+        # execution primitive if the Redis cache is shared, unauthenticated,
+        # or reachable through a plaintext `redis://` MITM. Forcing nil here
+        # (overriding any caller-supplied `value_serializer:`/`serializer:`)
+        # keeps that gadget-deserialization vector closed regardless of how
+        # the wrapper is configured. Keys keep the default (:marshal) encoding:
+        # they are only ever written and SCAN/DEL-compared as opaque strings,
+        # never `Marshal.load`ed from Redis content, so they are not a
+        # deserialization vector.
+        merged_options = merged_options.merge(value_serializer: nil)
         @moneta_options = merged_options
         @closed = false
         @pool = Pool.new(size: pool_size, timeout: pool_timeout) do
@@ -90,7 +105,7 @@ module Parse
       end
 
       def [](key)
-        @pool[key]
+        decode_value(@pool[key])
       end
 
       def key?(key)
@@ -102,15 +117,18 @@ module Parse
       end
 
       def store(key, value, options = {})
-        @pool.store(key, value, options)
+        @pool.store(key, encode_value(value), options)
       end
 
       # Atomic SETNX. Required so `Parse::CreateLock` can acquire
       # cross-process locks when this wrapper is the configured cache /
       # `synchronize_create_store`. Returns `true` only when the key did
-      # not already exist.
+      # not already exist. The value goes through the same JSON encoding
+      # as {#store} so a later {#[]} read round-trips instead of decoding
+      # to nil. (Parse::LockBackend never hits this path on this wrapper —
+      # it prefers the raw-Redis {#lock_acquire}/{#lock_release} pair.)
       def create(key, value, options = {})
-        @pool.create(key, value, options)
+        @pool.create(key, encode_value(value), options)
       end
 
       # Atomic counter increment. Forwarded for Moneta surface parity.
@@ -135,14 +153,14 @@ module Parse
       # Atomically acquire a lock: SET key=owner only if absent, with a
       # native expiry. Used by {Parse::LockBackend} for {Parse::Lock} and
       # {Parse::CreateLock}. Deliberately bypasses Moneta's `create` —
-      # `Moneta.new(:Redis)` marshals BOTH keys and values, so a raw-Redis
-      # compare-and-delete on the marshaled blob would be fragile and
-      # coupled to Moneta's serializer config. Routing acquire AND release
-      # through plain-string raw Redis here keeps one consistent encoding
-      # across both ends of the lock and makes the keys human-inspectable
-      # in Redis (`parse-stack:lock:v1:<digest>`). Lock keys are
+      # `Moneta.new(:Redis)` marshals keys (and, by default, values), so a
+      # raw-Redis compare-and-delete on a Moneta-encoded blob would be
+      # fragile and coupled to Moneta's serializer config. Routing acquire
+      # AND release through plain-string raw Redis here keeps one consistent
+      # encoding across both ends of the lock and makes the keys human-
+      # inspectable in Redis (`parse-stack:lock:v1:<digest>`). Lock keys are
       # short-lived (TTL ≤ 30s) so there is no migration concern when a
-      # deploy flips between the Moneta-encoded and raw-encoded paths.
+      # deploy flips encodings.
       #
       # @param key [String] plain-string lock key.
       # @param owner [String] unique-per-acquisition owner token.
@@ -222,6 +240,32 @@ module Parse
 
       private
 
+      # Serialize a cache value to a JSON String before handing it to Moneta
+      # (which stores it raw, since the value serializer is disabled — see the
+      # constructor). JSON is used instead of Marshal so the read side never
+      # `Marshal.load`s attacker-influenced Redis bytes. Cache values written
+      # by the caching middleware are `{ "headers" => ..., "body" => ... }`
+      # hashes of strings, which round-trip losslessly through JSON.
+      def encode_value(value)
+        JSON.generate(value)
+      end
+
+      # Decode a JSON String read back from Moneta/Redis. Returns nil on a
+      # miss or on any value that is not valid JSON — most importantly, legacy
+      # Marshal-encoded entries written before this wrapper switched to JSON.
+      # Treating an undecodable value as a miss makes the caller refetch and
+      # re-store it in the JSON format, and ensures a hostile non-JSON blob can
+      # at worst yield a cache miss, never a deserialized Ruby object graph.
+      def decode_value(raw)
+        return nil if raw.nil?
+        JSON.parse(raw)
+      rescue JSON::ParserError, EncodingError, TypeError
+        # ParserError covers malformed and hostile-depth JSON
+        # (JSON::NestingError subclasses it); TypeError covers a
+        # non-String blob from a misconfigured store. All are misses.
+        nil
+      end
+
       def delete_keys_matching!(pattern)
         @pool.pool.with do |store|
           redis = backend_client(store)