Sensitive keyword detection may produce false positives

[mtrezza]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

A security feature that rejects requests containing sensitive keywords was introduced in #7843. The detection algorithm has a bug that may produce false positives in certain cases, blocking valid, non-malicious requests and sending a 4xx HTTP error code.

The bug does not produce false negatives, which means the security protection is still intact.

Steps to reproduce

1. Configure Parse Server with option requestKeywordDenylist: [{ key: 'abc' }].
2. Run this:

const obj = new TestObject({ a: { b: { c: 0 } } });
await obj.save();
obj.increment('a.b.c');
await obj.save();

Actual Outcome

The second obj.save() will be rejected.

Expected Outcome

The second obj.save() should be resolved.

Environment

Server

• Parse Server version: 5.2.0-beta.1

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.