fix: Add configurable batch request sub-request limit via option requestComplexity.batchRequestLimit

[mtrezza]

Issue

Add configurable batch request sub-request limit

Tasks

• Add new Parse Server option
• Add deprecation for future default value
• Add security check
• Add tests

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new requestComplexity option batchRequestLimit (default -1) and enforces it in batch handling; includes option definitions, docs, deprecation entry, security check inclusion, and tests exercising limit behavior and master/maintenance-key bypass.

Changes

Cohort / File(s)	Summary
Options & Docs src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js	Added batchRequestLimit RequestComplexity option (env var PARSE_SERVER_REQUEST_COMPLEXITY_BATCH_REQUEST_LIMIT), number parser, default -1, and JSDoc/type entry.
Batch Handling src/batch.js	Read req.config?.requestComplexity?.batchRequestLimit; when > -1 and requester is not master/maintenance, reject batches whose sub-request count exceeds the limit (400 / INVALID_JSON).
Security & Deprecations src/Security/CheckGroups/CheckGroupServerConfig.js, src/Deprecator/Deprecations.js	Included batchRequestLimit in security check list for disabled/unset values; added deprecation entry with new default guidance.
Tests spec/batch.spec.js, spec/RequestComplexity.spec.js, spec/SecurityCheckGroups.spec.js	Added tests for batch size limit, boundaries, disabled state (-1), default expectations, and master/maintenance-key bypass; updated expected config in existing specs.

Sequence Diagram

sequenceDiagram
    participant Client
    participant BatchHandler as Batch Handler (src/batch.js)
    participant Config as ReqComplexity Config
    participant Auth as Auth Check
    participant Response

    Client->>BatchHandler: POST /batch with N sub-requests
    BatchHandler->>Config: Read batchRequestLimit
    BatchHandler->>Auth: Check isMaster / isMaintenance

    alt batchRequestLimit > -1 AND not master/maintenance
        alt N > batchRequestLimit
            BatchHandler->>Response: HTTP 400 INVALID_JSON (includes N and limit)
            Response->>Client: Reject
        else
            BatchHandler->>BatchHandler: Process sub-requests
            BatchHandler->>Response: HTTP 200 Results
            Response->>Client: Success
        end
    else
        BatchHandler->>BatchHandler: Process sub-requests
        BatchHandler->>Response: HTTP 200 Results
        Response->>Client: Success
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Rate limit bypass via batch request endpoint (GHSA-775h-3xrc-c228) #10147: Also adds pre-flight rejection logic in src/batch.js and tests for batch request limits/validation.
• fix: Rate limit user zone key fallback and batch request bypass #10214: Modifies src/batch.js handleBatch logic (per-subrequest rate-limiting) and touches the same function.
• fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819: Related security checks changes in CheckGroupServerConfig that overlap validation of requestComplexity properties.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is empty; the author did not provide any description despite the repository's description template requiring sections like Issue, Approach, and Tasks.	Provide a pull request description following the repository template: include the Issue being fixed, the Approach taken, and relevant Tasks completed (tests, documentation, security checks).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a configurable batch request sub-request limit via a new option, which aligns with the comprehensive changeset across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/batch.spec.js (1)

667-716: Optional: reduce repeated batch payload/request boilerplate.

A tiny helper for request generation/posting would make these tests easier to extend and maintain.

♻️ Suggested refactor

+    const makeRequests = (count, className = 'TestClass') =>
+      Array.from({ length: count }, (_, i) => ({
+        method: 'POST',
+        path: `/1/classes/${className}`,
+        body: { key: `v${i}` },
+      }));
+
+    const postBatch = ({ requests, customHeaders = headers }) =>
+      request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/batch',
+        headers: customHeaders,
+        body: JSON.stringify({ requests }),
+      });

     it('should not limit batch request when batchRequestLimit is -1 (disabled)', async () => {
       await reconfigureServer({
         requestComplexity: { batchRequestLimit: -1 },
       });
-      const requests = Array.from({ length: 20 }, (_, i) => ({
-        method: 'POST',
-        path: '/1/classes/TestClass',
-        body: { key: `v${i}` },
-      }));
-      const result = await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/batch',
-        headers,
-        body: JSON.stringify({ requests }),
-      });
+      const result = await postBatch({ requests: makeRequests(20) });
       expect(result.data.length).toEqual(20);
     });

     it('should not limit batch request by default (no requestComplexity configured)', async () => {
-      const requests = Array.from({ length: 20 }, (_, i) => ({
-        method: 'POST',
-        path: '/1/classes/TestClass',
-        body: { key: `v${i}` },
-      }));
-      const result = await request({
-        method: 'POST',
-        url: 'http://localhost:8378/1/batch',
-        headers,
-        body: JSON.stringify({ requests }),
-      });
+      const result = await postBatch({ requests: makeRequests(20) });
       expect(result.data.length).toEqual(20);
     });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/batch.spec.js` around lines 667 - 716, Add a small helper to reduce
repeated batch payload/request boilerplate: create a helper (e.g.,
makeBatchRequests(count, method='POST', path='/1/classes/TestClass',
bodyFactory=(i)=>({ key: `v${i}` })) and a wrapper postBatch(requests, headers)
that calls the existing request(...) with JSON.stringify({ requests }); update
the tests that build the Array.from(...) and raw request(...) calls to use
makeBatchRequests(...) and postBatch(...) instead; reuse existing symbols
request and reconfigureServer so changes are local to spec/batch.spec.js.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/batch.js`:
- Around line 71-75: The batch size check uses req.auth?.isMaster but must also
exempt maintenance keys; update the condition that checks batchRequestLimit to
also allow req.auth?.isMaintenance (i.e., change the guard from
!req.auth?.isMaster to !(req.auth?.isMaster || req.auth?.isMaintenance) or
equivalent) so maintenance-authenticated requests are not blocked; keep the same
Parse.Error throw and message in the existing batch handler where
batchRequestLimit and req.body.requests are used.

---

Nitpick comments:
In `@spec/batch.spec.js`:
- Around line 667-716: Add a small helper to reduce repeated batch
payload/request boilerplate: create a helper (e.g., makeBatchRequests(count,
method='POST', path='/1/classes/TestClass', bodyFactory=(i)=>({ key: `v${i}` }))
and a wrapper postBatch(requests, headers) that calls the existing request(...)
with JSON.stringify({ requests }); update the tests that build the
Array.from(...) and raw request(...) calls to use makeBatchRequests(...) and
postBatch(...) instead; reuse existing symbols request and reconfigureServer so
changes are local to spec/batch.spec.js.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c848374a-bf5b-422a-9701-be343c04fab6

📥 Commits

Reviewing files that changed from the base of the PR and between fb9ce56 and d221796.

📒 Files selected for processing (9)

• spec/RequestComplexity.spec.js
• spec/SecurityCheckGroups.spec.js
• spec/batch.spec.js
• src/Deprecator/Deprecations.js
• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js
• src/Security/CheckGroups/CheckGroupServerConfig.js
• src/batch.js

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.49

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.55%. Comparing base (ea68fc0) to head (5354e08).
⚠️ Report is 21 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10265      +/-   ##
==========================================
+ Coverage   92.15%   92.55%   +0.39%     
==========================================
  Files         192      192              
  Lines       16437    16440       +3     
  Branches      226      226              
==========================================
+ Hits        15148    15216      +68     
+ Misses       1265     1204      -61     
+ Partials       24       20       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.6.0