parse-stack-next 5.5.0 → 5.5.2

data/lib/parse/client/body_builder.rb

@@ -285,14 +285,32 @@ module Parse
         # to be POST instead of GET and send the query parameters in the body of the POST request.
         # The standard maximum POST request (which is a server setting), is usually set to 20MBs
         if env[:method] == :get && env[:url].to_s.length >= MAX_URL_LENGTH
-          env[:request_headers][HTTP_METHOD_OVERRIDE] = "GET"
-          env[:request_headers][CONTENT_TYPE] = "application/x-www-form-urlencoded"
-          # parse-sever looks for method overrides in the body under the `_method` param.
-          # so we will add it to the query string, which will now go into the body.
-          env[:body] = "_method=GET&" + env[:url].query
-          env[:url].query = nil
-          #override
-          env[:method] = :post
+          if aggregate_request?(env[:url])
+            # Parse Server's AggregateRouter only JSON-decodes query-string
+            # params (via JSONFromQuery); it does NOT decode a `pipeline` param
+            # that arrives in the request body. The urlencoded override below
+            # would therefore deliver `pipeline` as a raw JSON *string*, which
+            # AggregateRouter.getPipeline mis-reads character-by-character and
+            # rejects with "Invalid aggregate stage '0'". Send a JSON body
+            # instead so the pipeline survives as a real Array. `_method=GET`
+            # still routes Parse Server to its GET-only aggregate handler.
+            env[:request_headers][HTTP_METHOD_OVERRIDE] = "GET"
+            env[:request_headers][CONTENT_TYPE] = CONTENT_TYPE_FORMAT
+            env[:body] = aggregate_override_body(env[:url].query)
+            env[:url].query = nil
+            env[:method] = :post
+          else
+            env[:request_headers][HTTP_METHOD_OVERRIDE] = "GET"
+            env[:request_headers][CONTENT_TYPE] = "application/x-www-form-urlencoded"
+            # parse-server looks for method overrides in the body under the `_method` param.
+            # so we will add it to the query string, which will now go into the body.
+            # `.to_s` guards the (contrived but possible) case of a >=2KB URL whose
+            # length is all path and no query — nil + String would raise TypeError.
+            env[:body] = "_method=GET&" + env[:url].query.to_s
+            env[:url].query = nil
+            #override
+            env[:method] = :post
+          end
           # else if not a get, always make sure the request is JSON encoded if the content type matches
         elsif env[:request_headers][CONTENT_TYPE] == CONTENT_TYPE_FORMAT &&
               (env[:body].is_a?(Hash) || env[:body].is_a?(Array))
@@ -334,6 +352,51 @@ module Parse
           response_env[:body] = r
         end
       end
+
+      private
+
+      # Whether the request targets Parse Server's `/aggregate/<Class>`
+      # endpoint. Used by {#call!} to pick the JSON-body form of the
+      # long-URL GET→POST override (the aggregate endpoint does not
+      # JSON-decode a body `pipeline` param, unlike `where`).
+      #
+      # Anchored to the final two path segments: `.../aggregate/<ClassName>`
+      # where <ClassName> is the last segment (no further slashes). The
+      # className is mandatory and slash-free — see
+      # {Parse::API::Aggregate#aggregate_uri_path}, which validates it via
+      # PathSegment.identifier! — so a real aggregate URL always ends this way.
+      # A `find` request is `.../classes/<ClassName>` (no match), a class
+      # merely *named* with "aggregate" (e.g. `MyAggregateData`) does not match,
+      # and an `/aggregate/` segment appearing earlier in a custom mount prefix
+      # (e.g. `/aggregate/api/classes/Foo`) does not match either.
+      # @param url [URI] the request URL.
+      # @return [Boolean]
+      def aggregate_request?(url)
+        url.path.to_s.match?(%r{/aggregate/[^/]+/?\z})
+      end
+
+      # Build the JSON request body for a long-URL aggregate GET→POST
+      # override. Reconstructs the params from the encoded query string and
+      # JSON-decodes each value so the `pipeline` Array (and boolean
+      # `rawValues`/`rawFieldNames`) reach Parse Server as real types rather
+      # than strings. A value that is not itself JSON is passed through
+      # unchanged. `_method=GET` is injected so Parse Server routes the POST
+      # to its GET-only aggregate handler.
+      # @param query_string [String, nil] the encoded query string.
+      # @return [String] the JSON body to send.
+      def aggregate_override_body(query_string)
+        params = Faraday::Utils.parse_query(query_string.to_s) || {}
+        body = { "_method" => "GET" }
+        params.each do |key, value|
+          body[key] =
+            begin
+              JSON.parse(value)
+            rescue JSON::ParserError, TypeError
+              value
+            end
+        end
+        body.to_json
+      end
     end
   end #Middleware
 end

data/lib/parse/client/caching.rb

@@ -190,8 +190,13 @@ module Parse
               body = cache_data.respond_to?(:body) ? cache_data.body : nil
               response_headers = cache_data.response_headers || {}
             elsif cache_data.is_a?(Hash)
-              body = cache_data[:body]
-              response_headers = cache_data[:headers] || {}
+              # New entries are stored with string keys so they survive a
+              # JSON round-trip (the Redis cache wrapper serializes values as
+              # JSON, not Marshal — see Parse::Cache::Redis). Fall back to
+              # symbol keys for legacy in-memory / Marshal-backed entries
+              # written before that switch.
+              body = cache_data["body"] || cache_data[:body]
+              response_headers = cache_data["headers"] || cache_data[:headers] || {}
             end
 
             if cache_data.present? && body.present?
@@ -244,8 +249,12 @@ module Parse
              response_env.body.present? && response_env.response_headers[CONTENT_LENGTH_KEY].to_i.between?(20, 1_250_000)
             store_start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
             begin
+              # Store with string keys (and a plain Hash of headers) so the
+              # value round-trips losslessly through the Redis cache wrapper's
+              # JSON serialization. The read path above reads string keys first
+              # with a symbol-key fallback for legacy entries.
               @store.store(@cache_key,
-                           { headers: response_env.response_headers, body: response_env.body },
+                           { "headers" => response_env.response_headers.to_h, "body" => response_env.body },
                            expires: @expires)
               duration_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - store_start) * 1000.0).round(3)
               instrument_cache(:store, method: method, url_path: url_path, duration_ms: duration_ms)

data/lib/parse/client/logging.rb

@@ -186,6 +186,15 @@ module Parse
             end
           end
 
+        # Scrub credentials before logging. At :debug level this method emits
+        # both the request body (login/signup carries a cleartext `password`)
+        # and the response body (auth responses carry a fresh `sessionToken`,
+        # `authData`, and MFA secrets). `log_headers` already redacts headers;
+        # the body path must use the same canonical scrubber or it leaks live
+        # credentials to anyone with log access. Redact BEFORE the length cap
+        # so truncation can't split a token across the boundary and slip past.
+        content = Parse::Middleware::BodyBuilder.redact(content)
+
         if content.length > max_length
           logger.debug "  [#{prefix} Body] #{content[0...max_length]}... (truncated, #{content.length} total)"
         elsif content.length > 0

data/lib/parse/client.rb

@@ -716,10 +716,26 @@ module Parse
             warn "[Parse::Client] Cache store provided but :expires is not set or is 0. " \
                  "Caching will be disabled. Set :expires to enable caching (e.g., expires: 10)."
           else
-            # advanced: provide a REDIS url, we'll configure a Moneta Redis store.
+            # advanced: provide a REDIS url, we'll configure a Redis store.
             if opts[:cache].is_a?(String) && opts[:cache].starts_with?("redis://")
               begin
-                opts[:cache] = Moneta.new(:Redis, url: opts[:cache])
+                # Eagerly load the redis adapter so a missing `redis` gem
+                # fails fast here (at setup) with the friendly hint below,
+                # rather than deferring to the first cache access — the
+                # Parse::Cache::Redis pool builds its Moneta-Redis backends
+                # lazily, so without this the LoadError would surface later.
+                require "moneta/adapters/redis"
+                # Route through Parse::Cache::Redis rather than a bare
+                # `Moneta.new(:Redis, ...)`. SECURITY: the Moneta-Redis store
+                # Marshals values by default, so every cache hit would
+                # `Marshal.load` whatever bytes come back from Redis — an
+                # arbitrary-code-execution primitive if the cache is shared,
+                # unauthenticated, or reachable over a plaintext `redis://`
+                # MITM. The wrapper forces `value_serializer: nil` and
+                # JSON-(de)serializes cached values itself, closing that
+                # deserialization vector on this shorthand the same way an
+                # explicitly-constructed wrapper does.
+                opts[:cache] = Parse::Cache::Redis.new(url: opts[:cache])
               rescue LoadError
                 puts "[Parse::Middleware::Caching] Did you forget to load the redis gem (Gemfile)?"
                 raise

data/lib/parse/embeddings/cache.rb

@@ -3,6 +3,7 @@
 
 require "digest"
 require "monitor"
+require "json"
 
 module Parse
   module Embeddings
@@ -89,14 +90,25 @@ module Parse
       # shared across processes:
       #
       #   require "moneta"
-      #   moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"])
+      #   moneta = Moneta.new(:Redis, url: ENV["REDIS_URL"], value_serializer: nil)
       #   Parse::Embeddings::Cache.enable!(
       #     store: Parse::Embeddings::Cache::MonetaStore.new(moneta, ttl: 30 * 24 * 3600),
       #   )
       #
       # Keys are namespaced (`emb:` by default) so the entries are
-      # recognizable next to other application keys; values are the
-      # raw vector Arrays (Moneta's own serializer handles encoding).
+      # recognizable next to other application keys; values are
+      # JSON-encoded vector Arrays (see {#get}/{#set}).
+      #
+      # SECURITY — build the Moneta store with `value_serializer: nil`
+      # (as above). Moneta's default value serializer is Marshal, so a
+      # cache read would `Marshal.load` whatever bytes are in the backing
+      # store — an arbitrary-code-execution primitive if that store is
+      # shared, unauthenticated, or reachable over a plaintext `redis://`
+      # MITM, and the cache key is derived from (often user-supplied)
+      # embedded text. `MonetaStore` JSON-(de)serializes values itself, but
+      # that only closes the vector IF Moneta is not also Marshaling on top;
+      # `value_serializer: nil` ensures it is not. `MonetaStore` emits a
+      # one-time warning if it is handed a Marshal-serializing store.
       # TTL is forwarded via Moneta's `expires:` option when the
       # backend supports it, ignored otherwise.
       #
@@ -121,6 +133,13 @@ module Parse
                   "Parse::Embeddings::Cache::MonetaStore expects a Moneta-compatible " \
                   "store responding to #[] and #[]= (got #{moneta.class})."
           end
+          if marshaling_value_store?(moneta)
+            warn "[Parse::Embeddings::Cache::MonetaStore] SECURITY: the supplied Moneta " \
+                 "store deserializes values with Marshal. A cache read Marshal.loads bytes " \
+                 "from the backing store, which is a remote-code-execution vector when the " \
+                 "store is shared/untrusted. Rebuild it with value_serializer: nil, e.g. " \
+                 "Moneta.new(:Redis, url: ..., value_serializer: nil)."
+          end
           @moneta = moneta
           @ttl = ttl && Float(ttl)
           @namespace = namespace.to_s
@@ -128,8 +147,7 @@ module Parse
 
         # @return [Array<Float>, nil]
         def get(key)
-          value = @moneta[@namespace + key]
-          value.is_a?(Array) ? value : nil
+          decode_vector(@moneta[@namespace + key])
         rescue StandardError
           nil
         end
@@ -137,23 +155,57 @@ module Parse
         # @return [Array<Float>] the vector, unchanged.
         def set(key, vector)
           k = @namespace + key
+          encoded = encode_vector(vector)
           if @ttl && @moneta.respond_to?(:store)
             begin
-              @moneta.store(k, vector, expires: @ttl)
+              @moneta.store(k, encoded, expires: @ttl)
             rescue ArgumentError
               # Hash-like backends define #store(key, value) with no
               # options arg, so the expires: form raises ArgumentError.
               # Fall back to a plain write (no expiry) rather than letting
               # the fail-open rescue below silently drop every vector.
-              @moneta[k] = vector
+              @moneta[k] = encoded
             end
           else
-            @moneta[k] = vector
+            @moneta[k] = encoded
           end
           vector
         rescue StandardError
           vector
         end
+
+        private
+
+        # Vectors are JSON-encoded here rather than left to the Moneta
+        # store's own (Marshal-by-default) value serializer. Combined with a
+        # store built with `value_serializer: nil`, this keeps Marshal off
+        # the read path entirely: a JSON parse of attacker-influenced backing-
+        # store bytes can at worst yield inert data or raise — never a
+        # deserialized Ruby gadget object graph (RCE-if-cache-compromised).
+        # Embedding vectors are Array<Float>, which round-trips losslessly
+        # through JSON.
+        def encode_vector(vector)
+          JSON.generate(vector)
+        end
+
+        def decode_vector(raw)
+          return raw if raw.is_a?(Array) # legacy/non-serializing store entry
+          return nil if raw.nil?
+          parsed = JSON.parse(raw)
+          parsed.is_a?(Array) ? parsed : nil
+        rescue JSON::ParserError, TypeError, EncodingError
+          nil
+        end
+
+        # Best-effort detection of a Moneta store that serializes VALUES with
+        # Marshal. Moneta names its transformer proxy after the active
+        # serializers (e.g. "...MarshalValue"); a store built with
+        # value_serializer: nil has no "...Value" segment. Used only to warn.
+        def marshaling_value_store?(moneta)
+          moneta.class.name.to_s.include?("MarshalValue")
+        rescue StandardError
+          false
+        end
       end
 
       MONITOR = Monitor.new

data/lib/parse/model/core/properties.rb

@@ -79,11 +79,33 @@ module Parse
     CORE_FIELDS = { id: :string, created_at: :date, updated_at: :date, acl: :acl }.freeze
     # The delete operation hash.
     DELETE_OP = { "__op" => "Delete" }.freeze
+    # Shared stateless boolean caster used by {#format_value}. One instance
+    # for the process lifetime — `cast` only consults a frozen FALSE_VALUES
+    # set, so reuse is thread-safe.
+    BOOLEAN_CASTER = ActiveModel::Type::Boolean.new.freeze
     # @!visibility private
     def self.included(base)
       base.extend(ClassMethods)
     end
 
+    # Process-once deprecation warning emitted when an ACL is set through
+    # mass-assignment (`Parse::Object#attributes=`). Setting ACL this way is
+    # still permitted in this release for backward compatibility, but is a
+    # mass-assignment foot-gun (a caller-supplied params hash bearing an
+    # `ACL` key can grant public write). A future release may block it; the
+    # supported path is the explicit `obj.acl =` setter. One-time so loops
+    # over many records do not spam the log.
+    # @!visibility private
+    def self.warn_acl_mass_assignment_once!
+      return if @acl_mass_assignment_warned
+      @acl_mass_assignment_warned = true
+      warn "[Parse::Stack:SECURITY] Setting `acl`/`ACL` via mass-assignment " \
+           "(Parse::Object#attributes=) is deprecated and may be blocked in a " \
+           "future release. A caller-supplied params hash bearing an ACL key can " \
+           "grant unintended access — filter input with StrongParameters and set " \
+           "ACL via the explicit `obj.acl = ...` setter instead."
+    end
+
     # The class methods added to Parse::Objects
     module ClassMethods
 
@@ -723,6 +745,17 @@ module Parse
     # @return (see #apply_attributes!)
     def attributes=(hash)
       return unless hash.is_a?(Hash)
+      # `acl`/`ACL` is still accepted here (a user-facing property), but
+      # mass-assigning an ACL from a caller-supplied hash — e.g. a Rails
+      # controller doing `record.attributes = params` without
+      # StrongParameters — lets an attacker grant themselves write by
+      # sending `{"ACL" => {"*" => {"write" => true}}}`. Warn (once) so the
+      # foot-gun is visible; callers should set ACL via the explicit
+      # `obj.acl =` setter. The constructor path (`Klass.new(acl:)`) calls
+      # apply_attributes! directly and is intentionally not warned.
+      if hash.key?("ACL") || hash.key?("acl") || hash.key?(:ACL) || hash.key?(:acl)
+        Parse::Properties.warn_acl_mass_assignment_once!
+      end
       # - [:id, :objectId]
       # only overwrite @id if it hasn't been set.
       apply_attributes!(hash, dirty_track: true)
@@ -838,11 +871,15 @@ module Parse
           val = val.to_i
         end
       when :boolean
-        if val.nil?
-          val = nil
-        else
-          val = val ? true : false
-        end
+        # Coerce via ActiveModel's boolean caster rather than Ruby
+        # truthiness. Plain `val ? true : false` treats every non-nil,
+        # non-false object as true, so the strings "false", "0", and "off"
+        # — exactly what arrives on the Rails-form / query-string ingestion
+        # path — would coerce to `true` and silently flip a boolean the
+        # wrong way (e.g. an `archived` or admin gate). ActiveModel maps the
+        # string forms ("false"/"0"/"f"/"off"/"") to false/nil. Parse wire
+        # JSON already sends real booleans, which pass through unchanged.
+        val = val.nil? ? nil : BOOLEAN_CASTER.cast(val)
       when :string
         val = val.to_s unless val.blank?
       when :float

data/lib/parse/mongodb.rb

@@ -1651,6 +1651,18 @@ module Parse
             collection_name, perms_for_clp,
           )
           Parse::CLPScope.redact_protected_fields!(results, strip_set) if strip_set.any?
+
+          # Process-level floor: recursively strip Parse-internal credential
+          # columns (_hashed_password, _session_token, _auth_data_*, _rperm,
+          # ...) from every row AND every embedded sub-document. The
+          # protectedFields strip above is keyed on the OUTER class, and the
+          # ACL sub-doc walk only DROPS ACL-failing sub-docs — neither covers
+          # a foreign class (e.g. _User / _Session) pulled in via $lookup /
+          # $graphLookup / $unionWith under an arbitrary alias. Runs last, for
+          # scoped (non-master) callers only; master is unredacted by design.
+          results.each do |row|
+            Parse::PipelineSecurity.redact_internal_fields_deep!(row)
+          end
         end
 
         payload[:result_count] = results.size

data/lib/parse/pipeline_security.rb

@@ -105,6 +105,7 @@ module Parse
     DENIED_FIELD_REFS = %w[
       $_hashed_password $_password_history
       $_session_token $_sessionToken
+      $sessionToken $session_token
       $_email_verify_token $_perishable_token
       $_failed_login_count $_account_lockout_expires_at
       $_rperm $_wperm
@@ -161,6 +162,19 @@ module Parse
     # walk_for_denied! field-name screen.
     INTERNAL_FIELDS_PREFIX_DENYLIST = %w[_auth_data_].freeze
 
+    # The credential / sensitive subset of {INTERNAL_FIELDS_DENYLIST}. These
+    # columns must NEVER appear as a user-influenced `$match` field name —
+    # even on a pipeline that runs with `allow_internal_fields: true` (which
+    # exists to permit SDK-emitted `_rperm`/`_wperm` references from
+    # `readable_by_role` / `publicly_readable`). A `$match`/`$count` on a
+    # password hash, session/reset token, or auth-data column is a credential-
+    # exfiltration oracle (bisect the value char-by-char), and these columns
+    # have NO legitimate SDK query use — so the `allow_internal_fields` escape
+    # hatch must not relax them. Derived from {INTERNAL_FIELDS_DENYLIST} minus
+    # the ACL/bookkeeping columns (`_rperm`/`_wperm`/`_tombstone`) the ACL DSL
+    # legitimately emits, so the two lists never drift.
+    CREDENTIAL_FIELDS_DENYLIST = (INTERNAL_FIELDS_DENYLIST - %w[_rperm _wperm _tombstone]).freeze
+
     # Forensic string-introspection operators. When any of these
     # appears INSIDE `$expr` with a field-reference input string, the
     # query becomes a per-character oracle even though the operator
@@ -336,6 +350,48 @@ module Parse
       end
     end
 
+    # Depth bound for {redact_internal_fields_deep!}. `$lookup`/`$graphLookup`/
+    # `$unionWith` embed foreign documents at shallow alias depth, so this is
+    # generous; the bound exists only to fail safe on cyclic/pathological docs.
+    INTERNAL_REDACT_MAX_DEPTH = 32
+
+    # Recursively delete {INTERNAL_FIELDS_DENYLIST} / {INTERNAL_FIELDS_PREFIX_DENYLIST}
+    # keys from `node` AND every embedded sub-document/array element, in place.
+    #
+    # This is the process-level floor that stops Parse-Server-internal
+    # credential columns (`_hashed_password`, `_session_token`, `_auth_data_*`,
+    # `_rperm`/`_wperm`, ...) from reaching a scoped caller through ANY result
+    # shape — most importantly a foreign-class document pulled in via
+    # `$lookup`/`$graphLookup`/`$unionWith` under an arbitrary alias. Neither
+    # the per-class protectedFields strip (keyed on the OUTER class) nor the
+    # ACL sub-document walk (which only DROPS ACL-failing sub-docs, never
+    # strips field names) covers that alias. Unlike {strip_internal_fields}
+    # (one level, non-mutating), this walks the whole tree and mutates in
+    # place so it can run as the last step over a result set.
+    #
+    # Structural columns (`_id`, `_p_*`, `_created_at`, `_updated_at`, `_acl`)
+    # are intentionally NOT in the denylist, so object/ACL reconstruction is
+    # unaffected.
+    #
+    # @param node [Object] a result row (Hash), array, or scalar.
+    # @return [Object] the same node, mutated.
+    def redact_internal_fields_deep!(node, depth: INTERNAL_REDACT_MAX_DEPTH)
+      case node
+      when Hash
+        # Always clean the current level (even at the depth floor) so an
+        # embedded document sitting exactly at the bound is still scrubbed.
+        node.delete_if do |key, _value|
+          ks = key.to_s
+          INTERNAL_FIELDS_DENYLIST.include?(ks) ||
+            INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| ks.start_with?(prefix) }
+        end
+        node.each_value { |v| redact_internal_fields_deep!(v, depth: depth - 1) } if depth > 0
+      when Array
+        node.each { |el| redact_internal_fields_deep!(el, depth: depth - 1) } if depth > 0
+      end
+      node
+    end
+
     # Wave-3 TRACK-CLP-4: refuse caller-supplied pipelines that
     # reference a protected field via `$<field>` on the RHS of a
     # `$project` / `$addFields` / `$set` / `$group` / `$bucket` /
@@ -510,21 +566,31 @@ module Parse
           # oracle as the where:-constraint path in ConstraintTranslator.
           # Operators ($-prefixed) are excluded because they are validated
           # separately by DENIED_OPERATORS.
-          if !allow_internal_fields &&
-             !key_str.start_with?("$") &&
-             (INTERNAL_FIELDS_DENYLIST.include?(key_str) ||
-              INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) })
-            raise Error.new(
-              "SECURITY: Pipeline references internal Parse Server field " \
-              "'#{key_str}' at nesting depth #{depth}" \
-              "#{stage_idx ? " inside stage #{stage_idx}" : ""}. " \
-              "This column (password hash, session token, auth data, or ACL " \
-              "pointer) must not appear in a user-influenced pipeline — " \
-              "it enables credential exfiltration via count/match oracles.",
-              stage: stage_idx,
-              operator: key_str,
-              reason: :denied_internal_field,
-            )
+          #
+          # CREDENTIAL columns (password hash, session/reset token, auth data)
+          # are refused UNCONDITIONALLY — `allow_internal_fields` (which exists
+          # so SDK-emitted `_rperm`/`_wperm` references survive on the mongo-
+          # direct path) must NOT relax them, or a `*_direct` terminal becomes
+          # a credential-bisection oracle. The remaining internal columns
+          # (`_rperm`/`_wperm`/`_tombstone`) stay gated by allow_internal_fields.
+          if !key_str.start_with?("$")
+            is_credential = CREDENTIAL_FIELDS_DENYLIST.include?(key_str) ||
+                            INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) }
+            is_internal = INTERNAL_FIELDS_DENYLIST.include?(key_str) ||
+                          INTERNAL_FIELDS_PREFIX_DENYLIST.any? { |prefix| key_str.start_with?(prefix) }
+            if is_credential || (is_internal && !allow_internal_fields)
+              raise Error.new(
+                "SECURITY: Pipeline references internal Parse Server field " \
+                "'#{key_str}' at nesting depth #{depth}" \
+                "#{stage_idx ? " inside stage #{stage_idx}" : ""}. " \
+                "This column (password hash, session token, auth data, or ACL " \
+                "pointer) must not appear in a user-influenced pipeline — " \
+                "it enables credential exfiltration via count/match oracles.",
+                stage: stage_idx,
+                operator: key_str,
+                reason: :denied_internal_field,
+              )
+            end
           end
           # Cap caller-supplied regex pattern length. Catches the two
           # shapes Mongo accepts: the find-form `{ field: { $regex: "..." } }`