Prevent invalid column names

dplewis · dplewis · commit 90af079da8a8 · 2020-12-08T15:19:12.000-06:00
diff --git a/spec/CloudCode.spec.js b/spec/CloudCode.spec.js
@@ -216,6 +216,21 @@ describe('Cloud Code', () => {
     );
   });
 
+  it('test beforeSave with invalid field', async () => {
+    Parse.Cloud.beforeSave('BeforeSaveChanged', function (req) {
+      req.object.set('length', 0);
+    });
+
+    const obj = new Parse.Object('BeforeSaveChanged');
+    obj.set('foo', 'bar');
+    try {
+      await obj.save();
+      expect(false).toBe(true);
+    } catch (e) {
+      expect(e.message).toBe('Invalid field name: length.');
+    }
+  });
+
   it("test beforeSave changed object fail doesn't change object", async function () {
     Parse.Cloud.beforeSave('BeforeSaveChanged', function (req) {
       if (req.object.has('fail')) {
diff --git a/spec/ParseObject.spec.js b/spec/ParseObject.spec.js
@@ -2045,4 +2045,15 @@ describe('Parse.Object testing', () => {
     const object = new Parse.Object('CloudCodeIsNew');
     await object.save();
   });
+
+  it('cannot save object with invalid field', async () => {
+    const obj = new TestObject();
+    obj.set('className', 'bar');
+    try {
+      await obj.save();
+      expect(false).toBe(true);
+    } catch (e) {
+      expect(e.message).toBe('Invalid field name: className.');
+    }
+  });
 });
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
@@ -123,6 +123,16 @@ describe('SchemaController', () => {
       );
   });
 
+  it('validate invalid column names', async () => {
+    const schema = await config.database.loadSchema();
+    try {
+      await schema.validateObject('Stuff', { className: 'Unknown' });
+      expect(false).toBe(true);
+    } catch (e) {
+      expect(e.message).toBe('Invalid field name: className.');
+    }
+  });
+
   it('updates when new fields are added', done => {
     config.database
       .loadSchema()
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -155,6 +155,8 @@ const requiredColumns = Object.freeze({
   _Role: ['name', 'ACL'],
 });
 
+const invalidColumns = ['className', 'length'];
+
 const systemClasses = Object.freeze([
   '_User',
   '_Installation',
@@ -427,8 +429,9 @@ function classNameIsValid(className: string): boolean {
 }
 
 // Valid fields must be alpha-numeric, and not start with an underscore or number
+// must not be a reserved key
 function fieldNameIsValid(fieldName: string): boolean {
-  return classAndFieldRegex.test(fieldName);
+  return classAndFieldRegex.test(fieldName) && !invalidColumns.includes(fieldName);
 }
 
 // Checks that it's not trying to clobber one of the default fields of the class.
