parse-community
Allow `Parse.Query.includeAll` when `maxIncludeQueryComplexity` is set
New Feature / Enhancement Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting search existing issues.
Current Limitation
https://github.com/parse-community/parse-server/pull/9920 was merged with the understanding that its limitation of disabling the feature of Parse.Query.includeAll when maxIncludeQueryComplexity is set is an unnecessary restriction.
Since maxIncludeQueryComplexity is a security feature, which is considered to be enabled by default, it equates to removing the practical usability of the Parse.Query.includeAll feature.
Feature / Enhancement Description
Allow Parse.Query.includeAll when maxIncludeQueryComplexity is set.
The restriction for includeAll should rather be:
- if max depth < 1 AND includeAll is used AND the schema contains a pointer field -> deny with invalid query
Or simpler, because why would someone use includeAll on a schema without pointers:
- if max depth < 1 and includeAll is used -> deny with invalid query
The option also adds a field count limit, so when using includeAll on a class with n pointer fields, and the count limit is < n then there should also be an invalid query response. This may be easy to implement as the schema is known and we can compare the pointer field count early in the process.
See discussion in https://github.com/parse-community/parse-server/pull/9920#discussion_r2540948092.
Alternatives / Workarounds
Refactor developer app code to not use Parse.Query.includeAll.
🚀 Thanks for opening this issue! We are excited about your ideas for improvement!
![parse-github-assistant[bot] avatar](https://avatars.githubusercontent.com/in/136195?v=4 "Published by a pub.dev verified publisher"){kind=small}