fix: RateLimit on exact static routes is bypassed by appending a query string

[mtrezza]

Issue

Rate limits configured for exact static routes (such as /login and /requestPasswordReset) are silently not enforced when a request includes a query string. The rate-limit middleware matches the configured path against req.url, which includes the query string, while Express routes on the path only — so appending any query parameter (e.g. /login?x=1) evades the limiter while the request still reaches the route.

Tasks

• Add tests

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR fixes rate-limiting and session routing logic by changing three Express request path checks from req.url to req.path, ensuring query strings do not create separate rate-limit windows. New test coverage validates the fix across /login, /requestPasswordReset, /sessions/me, and batch endpoints.

Changes

Query-string rate-limit normalization

Layer / File(s)	Summary
Middleware fixes for query-string-independent path matching src/middlewares.js	handleParseHeaders, handleRateLimit, and handleParseSession now use req.path instead of req.url for route matching, so that query strings do not fragment rate-limit windows or bypass session-token handling.
Test coverage for query-string rate-limiting behavior spec/RateLimit.spec.js	Six new test cases verify that /login, /requestPasswordReset, and /sessions/me remain rate-limited when query parameters are appended; that batch sub-requests with query strings in their path fail early; and that requests with and without query strings count against the same rate-limit window.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• parse-community/parse-server#10214: Fixes user-zone keying fallback and batch request rate-limit bypass logic that these query-string tests directly validate.
• parse-community/parse-server#10147: Focuses on preventing rate-limit bypass via the /batch endpoint, which aligns with this PR's test coverage for batch sub-requests with query strings.
• parse-community/parse-server#10234: Updates rate-limiting logic in src/middlewares.js for method-overriding and batch sub-request keying, parallel to this PR's query-string path-matching fix.

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No pull request description was provided; required sections like Issue, Approach, and Tasks are missing entirely.	Add a comprehensive description following the repository template, including the issue being fixed, the approach taken, and checklist items for tests and documentation updates.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	The PR fixes a rate-limit bypass vulnerability by switching from req.url to req.path in three middleware locations. This properly excludes query strings from path matching, preventing attackers fro...
Engage In Review Feedback	✅ Passed	PR #10500 was just created (2026-06-11) and has no review feedback comments yet; therefore there is nothing for the user to have ignored or resolved improperly.
Title check	✅ Passed	The title begins with 'fix:' prefix as required and clearly describes the main change: fixing rate-limit bypass when query strings are appended to exact static routes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.62%. Comparing base (3fad4fb) to head (f316650).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10500      +/-   ##
==========================================
+ Coverage   92.60%   92.62%   +0.01%     
==========================================
  Files         193      193              
  Lines       16941    16941              
  Branches      240      240              
==========================================
+ Hits        15689    15692       +3     
+ Misses       1229     1226       -3     
  Partials       23       23              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parseplatformorg]

🎉 This change has been released in version 9.9.1-alpha.9