Conversation

@dplewis
Member

@dplewis dplewis commented Jan 8, 2026

Pull Request

Issue

Coverage was decreased when merging #2749

Summary by CodeRabbit

  • Tests
    • Added comprehensive unit tests covering removal of dot-notation array changes when values are undefined, extended coverage for prototype-pollution resistance across multiple state/attribute operations, and expanded existing dot-notation scenarios. All changes are test-only; no production logic was modified.


@parse-github-assistant

🚀 Thanks for opening this pull request!

@coderabbitai

coderabbitai bot commented Jan 8, 2026

📝 Walkthrough

Adds unit tests (no production code changes) that validate ObjectStateMutations functions correctly handle malicious attribute names (e.g., __proto__, constructor, prototype) and remove dot-notation array changes when target values are undefined.

Changes

Cohort: Prototype-pollution & undefined-array tests
File(s):
  • src/__tests__/ObjectStateMutations-test.js
Summary: +102 lines of tests covering prototype-pollution safety for estimateAttribute, estimateAttributes, setServerData, mergeFirstPendingState, setPendingOp, and commitServerChanges. Adds cases for nested __proto__/constructor/prototype keys and removal of dot-notation array changes when target is undefined.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)
  • Description check (⚠️ Warning): The description identifies the motivation (coverage decrease from PR #2749) but lacks the required 'Approach' section and leaves the 'Closes' issue field empty, making it incomplete. Resolution: Fill in the 'Closes' field with the linked issue number and add an 'Approach' section describing the test additions for Object.prototype pollution and undefined-value scenarios.
  • Title check (❓ Inconclusive): The title 'ci: Improve coverage' is too vague and doesn't accurately describe the main change; the PR adds test cases to improve code coverage for security-related scenarios, not CI improvements. Resolution: Consider a more specific title like 'Add tests for Object.prototype pollution prevention' or 'Add security-related coverage tests for state mutations' to better reflect the actual changes.

✅ Passed checks (1 passed)
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c45295d and bcf0746.

📒 Files selected for processing (1)
  • src/__tests__/ObjectStateMutations-test.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/__tests__/ObjectStateMutations-test.js
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (Node 22, 22.12.0)
  • GitHub Check: build (Node 20, 20.19.0)
  • GitHub Check: build (Node 24, 24.1.0)


@parseplatformorg
Contributor

parseplatformorg commented Jan 8, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical: 0, High: 0, Medium: 0, Low: 0, Total: 0 issues.


@codecov

codecov bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (cf2ef13) to head (bcf0746).
⚠️ Report is 7 commits behind head on alpha.

Additional details and impacted files
@@             Coverage Diff             @@
##            alpha     #2861      +/-   ##
===========================================
+ Coverage   99.88%   100.00%   +0.11%     
===========================================
  Files          64        64              
  Lines        6222      6222              
  Branches     1473      1489      +16     
===========================================
+ Hits         6215      6222       +7     
+ Misses          7         0       -7     



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @src/__tests__/ObjectStateMutations-test.js:
- Around line 499-500: The test is passing ParseOps.SetOp objects where commitServerChanges expects plain attribute values; find the failing data object in the test (the entry using __proto__: new ParseOps.SetOp({ polluted: 'yes' }) and constructor: new ParseOps.SetOp({ malicious: 'data' })) and replace those ParseOps.SetOp wrappers with the raw values/objects (e.g., __proto__: { polluted: 'yes' } or simply polluted: 'yes', and constructor: 'malicious data' or the plain value you intend) so the payload matches other uses of commitServerChanges (like the plain { name: 'foo', data: { count: 5 } } examples).
- Around line 474-490: Update the test to match the actual function being called and supply the missing third argument: change the description from "mergeFirstPendingState" to "setPendingOp", and call ObjectStateMutations.setPendingOp(pendingOps, '__proto__', pendingOps[0]['__proto__']) (using the third arg from the pendingOps element) so the function signature (pendingOps, key, op) is satisfied and the test still verifies Object.prototype is not polluted.
- Around line 438-454: The test is passing ParseOps.SetOp objects to ObjectStateMutations.setServerData but that function expects plain values; update the test's attributes to use plain values (e.g., __proto__: { polluted: 'yes' } and constructor: { malicious: 'data' }) before calling ObjectStateMutations.setServerData(serverData, attributes) so the behavior matches other tests and the prototype pollution assertions remain valid.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf2ef13 and c45295d.

📒 Files selected for processing (1)
  • src/__tests__/ObjectStateMutations-test.js
🧰 Additional context used
🧬 Code graph analysis (1)
src/__tests__/ObjectStateMutations-test.js (2)
src/__tests__/SingleInstanceStateController-test.js (1)
  • ParseOps (23-23)
src/__tests__/UniqueInstanceStateController-test.js (1)
  • ParseOps (26-26)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (Node 22, 22.12.0)
  • GitHub Check: build (Node 20, 20.19.0)
  • GitHub Check: build (Node 24, 24.1.0)
🔇 Additional comments (3)
src/__tests__/ObjectStateMutations-test.js (3)

304-325: LGTM!

The test correctly validates that when a dot notation array property is set to undefined, the property is removed from the array element rather than being set to undefined.

392-413: LGTM!

The test properly validates prototype pollution protection in estimateAttribute by attempting to use malicious attribute names and verifying that Object.prototype remains unpolluted.

456-472: LGTM!

The test correctly validates prototype pollution protection in mergeFirstPendingState using malicious attribute names with ParseOps objects, which matches the expected usage pattern.
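The walkthrough at the top of the review and the three actionable comments above both concern the same two behaviours: a nested (dot-notation) attribute write must not be able to reach Object.prototype through keys such as __proto__, constructor or prototype, and setting a dot-notation array property to undefined must remove the property rather than store undefined. The JavaScript below is an added example written for this page; it is not code from this PR or from the Parse JS SDK's ObjectStateMutations, and the names FORBIDDEN_KEYS, assertSafePath, unsafeSetPath, safeSetPath, mergeAttributes and prototypeIsPolluted are illustrative. It shows the naive setter beside a hardened one, the own-key check a merge of server data needs, and the Object.prototype assertion the tests in this PR make.

```javascript
// Added example, not the Parse JS SDK's ObjectStateMutations. All names are illustrative.

// Keys that let a nested write escape the target object into its prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Splits a dot-notation path and throws if any segment names a prototype-chain key.
function assertSafePath(path) {
  const parts = path.split('.');
  if (parts.some(part => FORBIDDEN_KEYS.has(part))) {
    throw new TypeError(`refusing to set unsafe key path: ${path}`);
  }
  return parts;
}

// Naive setter: follows whatever each segment resolves to, inherited properties
// included. Because ({})['__proto__'] is Object.prototype, the path
// '__proto__.polluted' writes a property that every plain object then inherits.
function unsafeSetPath(target, path, value) {
  const parts = path.split('.');
  let cursor = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cursor[parts[i]] === null || typeof cursor[parts[i]] !== 'object') {
      cursor[parts[i]] = {};
    }
    cursor = cursor[parts[i]];
  }
  cursor[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter:
//  1. rejects any segment that names a prototype-chain key,
//  2. only descends through own properties, never inherited ones,
//  3. deletes the leaf when the value is undefined instead of storing undefined,
//     which is the dot-notation array behaviour the tests in this PR check.
function safeSetPath(target, path, value) {
  const parts = assertSafePath(path);
  let cursor = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, part);
    if (!own || cursor[part] === null || typeof cursor[part] !== 'object') {
      cursor[part] = {};
    }
    cursor = cursor[part];
  }
  const leaf = parts[parts.length - 1];
  if (value === undefined) {
    delete cursor[leaf];
  } else {
    cursor[leaf] = value;
  }
  return target;
}

// Merges a server payload into local state. Object.keys() yields own keys only,
// so an own "__proto__" key (which JSON.parse produces from '{"__proto__":...}',
// unlike an object literal) is seen and rejected rather than followed. The whole
// payload is validated before any key is applied, so a bad payload changes nothing.
function mergeAttributes(serverData, attributes) {
  const keys = Object.keys(attributes);
  keys.forEach(assertSafePath);
  for (const key of keys) {
    safeSetPath(serverData, key, attributes[key]);
  }
  return serverData;
}

// The assertion a test makes after every mutation: has Object.prototype gained
// an own "polluted" property? (The property name is the one used in this example.)
function prototypeIsPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
}
```

Rejecting by throwing is a design choice for this example; the page does not show how the SDK itself handles such keys, only that its tests assert Object.prototype stays clean afterwards. That assertion is the one that matters in a test suite: a silently polluted prototype does not fail the test that caused it, it surfaces later in unrelated code that reads an inherited property it never set.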

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 8, 2026
@mtrezza mtrezza merged commit 4f44412 into parse-community:alpha Jan 8, 2026
13 checks passed
@dplewis dplewis deleted the security-coverage branch January 9, 2026 10:58
@parseplatformorg
Contributor

🎉 This change has been released in version 8.0.1

@parseplatformorg parseplatformorg added the state:released Released as stable version label Jan 15, 2026