fix: Prevent TypeError when type is not a string

[rgunindi]

Added a type check in mongoFieldToParseSchemaField to ensure type is a string before calling startsWith. This prevents crashes when Parse Server processes MongoDB schema fields with undefined, null, or unexpected type values.

Closes #9847

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

• Link to issue issue

Approach

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • None.

• Bug Fixes

  • Improved schema validation for Mongo-backed storage: invalid/empty field types now produce clear, user-friendly errors instead of causing crashes or TypeErrors, and list allowed field types to guide fixes.

• Chores

  • Added internal safeguards to reduce ambiguous errors and improve reliability during schema setup.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a guard in mongoFieldToParseSchemaField to validate that the input type is a non-empty string and throws Parse.Error(INVALID_SCHEMA_OPERATION) with an allowed types message when invalid. This prevents invoking string methods on invalid inputs. No public APIs changed.

Changes

Cohort / File(s)	Summary
Mongo schema field type validation src/Adapters/Storage/Mongo/MongoSchemaCollection.js	Added upfront validation of the type argument in mongoFieldToParseSchemaField; throws Parse.Error with INVALID_SCHEMA_OPERATION and a descriptive allowed-types message if type is falsy or not a string. Core logic otherwise unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller as Caller
  participant MSC as MongoSchemaCollection.mongoFieldToParseSchemaField

  Caller->>MSC: mongoFieldToParseSchemaField(type)
  alt type is not a non-empty string
    MSC-->>Caller: throw Parse.Error(INVALID_SCHEMA_OPERATION, message)
  else type is a valid string
    MSC-->>Caller: proceed with existing mapping logic (relation, pointer, etc.)
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Prevent TypeError by ensuring type is a string before calling startsWith (#9847)	✅
Handle malformed or unexpected schema type values gracefully on startup (#9847)	✅

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8d90d30 and 1f9b6fe.

📒 Files selected for processing (1)

• src/Adapters/Storage/Mongo/MongoSchemaCollection.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Adapters/Storage/Mongo/MongoSchemaCollection.js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[parseplatformorg]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

src/Adapters/Storage/Mongo/MongoSchemaCollection.js (4)

54-55: Optional: add field context to the error for easier debugging

If we keep throwing inside mongoFieldToParseSchemaField, wrapping this call to append className/fieldName context improves operator UX when boot fails on bad schemas.

-    obj[fieldName] = mongoFieldToParseSchemaField(schema[fieldName]);
+    try {
+      obj[fieldName] = mongoFieldToParseSchemaField(schema[fieldName]);
+    } catch (e) {
+      if (e && e.code != null) {
+        // Preserve code; enrich message
+        e.message = `Invalid field type for "${fieldName}" in class "${schema._id}": ${e.message}`;
+      }
+      throw e;
+    }

---

5-11: Add regression tests for non-string/whitespace input types

To lock this down, please add tests covering:

• type: undefined, null, number, boolean, object, array, function
• type: '' and ' ' (whitespace)
• type: 'number ' (trailing space) → with the trim change, should map to Number; without it, it silently fails

If helpful, I can draft a spec in spec/schemas.spec.js that exercises mongoSchemaFieldsToParseSchemaFields with a mocked schema input.

---

25-47: Add a default case in mongoFieldToParseSchemaField to reject unsupported types

I’ve confirmed that the only call site for mongoFieldToParseSchemaField is within mongoSchemaFieldsToParseSchemaFields, and no code relies on it returning undefined. Failing fast on unrecognized types will surface schema misconfigurations immediately without breaking existing behavior.

• File: src/Adapters/Storage/Mongo/MongoSchemaCollection.js
• Location: inside the switch (type) in mongoFieldToParseSchemaField

Recommended diff:

   switch (type) {
     // …existing cases…
     case 'polygon':
       return { type: 'Polygon' };
+    default:
+      throw new Parse.Error(
+        Parse.Error.INVALID_SCHEMA_OPERATION,
+        `Unsupported field type: "${type}".`
+      );
   }

---

5-13: Tighten type validation and normalize input

Great addition to guard against TypeError. Two optional hardening tweaks:

• Reject empty or whitespace-only strings by using type.trim().
• Trim type before downstream checks so trailing (or leading) spaces can’t sneak through.

Proposed diff in src/Adapters/Storage/Mongo/MongoSchemaCollection.js (lines 5–13):

   // Add type validation to prevent TypeError
-  if (!type || typeof type !== 'string') {
+  if (typeof type !== 'string' || type.trim() === '') {
     throw new Parse.Error(
       Parse.Error.INVALID_SCHEMA_OPERATION,
-      `Invalid field type: ${type}. Expected a string. Field type must be one of: string, number, boolean, date, map, object, array, geopoint, file, bytes, polygon, or a valid relation/pointer format.`
+      `Invalid field type: ${String(type)}. Expected a non-empty string. Field type must be one of: string, number, boolean, date, map, object, array, geopoint, file, bytes, polygon, or a valid relation/pointer format.`
     );
   }
+
+  // Normalize input
+  type = type.trim();

Follow-up question:

• All other “invalid field type” guards (e.g. in SchemaController) use Parse.Error.INCORRECT_TYPE. Should we switch from INVALID_SCHEMA_OPERATION to INCORRECT_TYPE here for consistency?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4b3f10b and 8d90d30.

📒 Files selected for processing (1)

• src/Adapters/Storage/Mongo/MongoSchemaCollection.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/Adapters/Storage/Mongo/MongoSchemaCollection.js (7)

spec/schemas.spec.js (1)

• Parse (3-3)

src/Controllers/SchemaController.js (1)

• Parse (18-18)

src/Adapters/Auth/apple.js (1)

• Parse (48-48)

src/Adapters/Auth/facebook.js (1)

• Parse (62-62)

src/Adapters/Auth/ldap.js (1)

• Parse (77-77)

src/SchemaMigrations/DefinedSchemas.js (1)

• Parse (3-3)

spec/ReadPreferenceOption.spec.js (1)

• Parse (3-3)