From eea7edc4f943492b1f500cae566bcfe25c82940a Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Wed, 9 Nov 2022 21:07:38 +0100
Subject: [PATCH] fix
---
 spec/vulnerabilities.spec.js | 11 +++++++++++
 src/Controllers/DatabaseController.js | 6 +++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/spec/vulnerabilities.spec.js b/spec/vulnerabilities.spec.js
index 957277772f..5c83493c94 100644
--- a/spec/vulnerabilities.spec.js
+++ b/spec/vulnerabilities.spec.js
@@ -109,6 +109,17 @@ describe('Vulnerabilities', () => {
 );
 });
 
+ it('denies expanding existing object with polluted keys', async () => {
+ const obj = await new Parse.Object('RCE', { a: { foo: [] } }).save();
+ await reconfigureServer({
+ requestKeywordDenylist: ['foo'],
+ });
+ obj.addUnique('a.foo', 'abc');
+ await expectAsync(obj.save()).toBeRejectedWith(
+ new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Prohibited keyword in request data: "foo".`)
+ );
+ });
+
 it('denies creating a cloud trigger with polluted data', async () => {
 Parse.Cloud.beforeSave('TestObject', ({ object }) => {
 object.set('obj', {
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
index 7a8cce1479..89461750ce 100644
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -1768,7 +1768,11 @@ class DatabaseController {
 if (this.options && this.options.requestKeywordDenylist) {
 // Scan request data for denied keywords
 for (const keyword of this.options.requestKeywordDenylist) {
- const match = Utils.objectContainsKeyValue({ firstKey: undefined }, keyword.key, undefined);
+ const match = Utils.objectContainsKeyValue(
+ { [firstKey]: true, [nextPath]: true },
+ keyword.key,
+ true
+ );
 if (match) {
 throw new Parse.Error(
 Parse.Error.INVALID_KEY_NAME,
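Review bot: The new spec `denies expanding existing object with polluted keys` asserts only the rejection, so it would still pass if the denylist scan threw for every dotted key rather than just the denied one. Add a negative control under the same `requestKeywordDenylist: ['foo']` configuration: a second object whose nested key is not on the list, updated with `other.addUnique('a.bar', 'abc');` and checked with `await expectAsync(other.save()).toBeResolved();`. If the denylist also accepts object-form entries, a case configured with `{ key: 'foo' }` would cover the `keyword.key` lookup that the controller change relies on.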
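Review bot: `keyword.key` is read from each denylist entry without checking the entry's shape, yet the spec added in this same patch configures `requestKeywordDenylist: ['foo']`, and for a string entry `keyword.key` is `undefined`. How `Utils.objectContainsKeyValue` treats an undefined key together with the value `true` is not visible here; if it falls back to value-only matching, the `true` placeholders would make every dotted key match, and if it does not, string entries are never checked on this path. If string entries are meant as key names, resolve the key explicitly with `const deniedKey = typeof keyword === 'string' ? keyword : keyword.key;` and `if (deniedKey === undefined) continue;`, and add a comment such as `// values are placeholders; only key names are compared here`. The enclosing method and the definitions of `firstKey` and `nextPath` lie outside the hunk, so whether deeper path segments are checked on a later pass cannot be confirmed from these lines.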