fix: nested batch sub-requests cause unclear error

mtrezza · mtrezza · commit e2595cf4534a · 2026-03-31T20:19:46.000+01:00
diff --git a/spec/batch.spec.js b/spec/batch.spec.js
@@ -852,4 +852,61 @@ describe('batch', () => {
       expect(result.data).toEqual(jasmine.any(Array));
     });
   });
+
+  describe('nested batch requests', () => {
+    it('rejects sub-request that targets the batch endpoint', async () => {
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/batch',
+          headers,
+          body: JSON.stringify({
+            requests: [
+              {
+                method: 'POST',
+                path: '/1/batch',
+                body: {
+                  requests: [{ method: 'GET', path: '/1/classes/TestClass' }],
+                },
+              },
+            ],
+          }),
+        })
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          status: 400,
+          data: jasmine.objectContaining({
+            error: 'nested batch requests are not allowed',
+          }),
+        })
+      );
+    });
+
+    it('rejects when any sub-request among valid ones targets the batch endpoint', async () => {
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/batch',
+          headers,
+          body: JSON.stringify({
+            requests: [
+              { method: 'GET', path: '/1/classes/TestClass' },
+              {
+                method: 'POST',
+                path: '/1/batch',
+                body: { requests: [{ method: 'GET', path: '/1/classes/TestClass' }] },
+              },
+            ],
+          }),
+        })
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          status: 400,
+          data: jasmine.objectContaining({
+            error: 'nested batch requests are not allowed',
+          }),
+        })
+      );
+    });
+  });
 });
diff --git a/src/batch.js b/src/batch.js
@@ -78,6 +78,9 @@ async function handleBatch(router, req) {
     if (!restRequest || typeof restRequest !== 'object' || typeof restRequest.path !== 'string') {
       throw new Parse.Error(Parse.Error.INVALID_JSON, 'batch request path must be a string');
     }
+    if (restRequest.method === 'POST' && restRequest.path.endsWith(batchPath)) {
+      throw new Parse.Error(Parse.Error.INVALID_JSON, 'nested batch requests are not allowed');
+    }
   }
 
   // The batch paths are all from the root of our domain.

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,9 @@ async function handleBatch(router, req) {`
`78`	`78`	`if (!restRequest \|\| typeof restRequest !== 'object' \|\| typeof restRequest.path !== 'string') {`
`79`	`79`	`throw new Parse.Error(Parse.Error.INVALID_JSON, 'batch request path must be a string');`
`80`	`80`	`}`
	`81`	`+ if (restRequest.method === 'POST' && restRequest.path.endsWith(batchPath)) {`
	`82`	`+ throw new Parse.Error(Parse.Error.INVALID_JSON, 'nested batch requests are not allowed');`
	`83`	`+ }`
`81`	`84`	`}`
`82`	`85`
`83`	`86`	`// The batch paths are all from the root of our domain.`