Added options.MaximumIncludeDepth

Author: Bart Koelman

docs/usage/options.md

@@ -65,12 +65,20 @@ options.UseRelativeLinks = true;
 ## Unknown Query String Parameters
 
 If you would like to use unknown query string parameters (parameters not reserved by the json:api specification or registered using ResourceDefinitions), you can set `AllowUnknownQueryStringParameters = true`.
-When set, an HTTP 400 Bad Request for unknown query string parameters.
+When set, an HTTP 400 Bad Request is returned for unknown query string parameters.
 
 ```c#
 options.AllowUnknownQueryStringParameters = true;
 ```
 
+## Maximum include depth
+
+To limit the maximum depth of nested includes, use `MaximumIncludeDepth`. This is null by default, which means unconstrained. If set and a request exceeds the limit, an HTTP 400 Bad Request is returned.
+
+```c#
+options.MaximumIncludeDepth = 1;
+```
+
 ## Custom Serializer Settings
 
 We use Newtonsoft.Json for all serialization needs.
@@ -82,6 +90,8 @@ options.SerializerSettings.Converters.Add(new StringEnumConverter());
 options.SerializerSettings.Formatting = Formatting.Indented;
 ```
 
+Because we copy resource properties into an intermediate object before serialization, Newtonsoft.Json annotations on properties are ignored.
+
 ## Enable ModelState Validation
 
 If you would like to use ASP.NET Core ModelState validation into your controllers when creating / updating resources, set `ValidateModelState = true`. By default, no model validation is performed.

src/JsonApiDotNetCore/Configuration/IJsonApiOptions.cs

@@ -163,7 +163,12 @@ public interface IJsonApiOptions
         /// </summary>
         bool AllowQueryStringOverrideForSerializerDefaultValueHandling { get; }
 
-        // TODO: Add MaximumIncludeDepth
+        /// <summary>
+        /// Controls how many levels deep includes are allowed to be nested.
+        /// For example, MaximumIncludeDepth=1 would allow ?include=articles but not ?include=articles.revisions.
+        /// <c>null</c> by default, which means unconstrained.
+        /// </summary>
+        int? MaximumIncludeDepth { get; }
 
         /// <summary>
         /// Specifies the settings that are used by the <see cref="JsonSerializer"/>.

src/JsonApiDotNetCore/Configuration/JsonApiOptions.cs

@@ -68,6 +68,8 @@ public class JsonApiOptions : IJsonApiOptions
         /// <inheritdoc/>
         public bool AllowQueryStringOverrideForSerializerDefaultValueHandling { get; set; }
 
+        public int? MaximumIncludeDepth { get; set; }
+
         /// <inheritdoc/>
         public JsonSerializerSettings SerializerSettings { get; } = new JsonSerializerSettings
         {

src/JsonApiDotNetCore/Internal/QueryStrings/IncludeQueryStringParameterReader.cs

@@ -1,4 +1,6 @@
 using System.Collections.Generic;
+using System.Linq;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Controllers;
 using JsonApiDotNetCore.Exceptions;
 using JsonApiDotNetCore.Internal.Contracts;
@@ -20,12 +22,14 @@ public interface IIncludeQueryStringParameterReader : IQueryStringParameterReade
 
     public class IncludeQueryStringParameterReader : QueryStringParameterReader, IIncludeQueryStringParameterReader
     {
+        private readonly IJsonApiOptions _options;
         private IncludeExpression _includeExpression;
         private string _lastParameterName;
 
-        public IncludeQueryStringParameterReader(ICurrentRequest currentRequest, IResourceContextProvider resourceContextProvider)
+        public IncludeQueryStringParameterReader(ICurrentRequest currentRequest, IResourceContextProvider resourceContextProvider, IJsonApiOptions options)
             : base(currentRequest, resourceContextProvider)
         {
+            _options = options;
         }
 
         public bool IsEnabled(DisableQueryAttribute disableQueryAttribute)
@@ -58,7 +62,31 @@ private IncludeExpression GetInclude(string parameterValue)
             var parser = new IncludeParser(parameterValue,
                 (path, _) => ChainResolver.ResolveRelationshipChain(RequestResource, path, ValidateInclude));
 
-            return parser.Parse();
+            IncludeExpression include = parser.Parse();
+
+            ValidateMaximumIncludeDepth(include);
+
+            return include;
+        }
+
+        private void ValidateMaximumIncludeDepth(IncludeExpression include)
+        {
+            if (_options.MaximumIncludeDepth != null)
+            {
+                var chains = IncludeChainConverter.GetRelationshipChains(include);
+
+                foreach (var chain in chains)
+                {
+                    if (chain.Fields.Count > _options.MaximumIncludeDepth)
+                    {
+                        var path = string.Join('.', chain.Fields.Select(field => field.PublicName));
+
+                        throw new InvalidQueryStringParameterException(_lastParameterName,
+                            "Including at the requested depth is not allowed.",
+                            $"Including '{path}' exceeds the maximum inclusion depth of {_options.MaximumIncludeDepth}.");
+                    }
+                }
+            }
         }
 
         private void ValidateInclude(RelationshipAttribute relationship, ResourceContext resourceContext, string path)

test/JsonApiDotNetCoreExampleTests/IntegrationTests/Includes/IncludeTests.cs

@@ -4,6 +4,8 @@
 using System.Threading.Tasks;
 using FluentAssertions;
 using FluentAssertions.Extensions;
+using JsonApiDotNetCore;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Models;
 using JsonApiDotNetCore.Models.JsonApiDocuments;
 using JsonApiDotNetCore.Services;
@@ -27,6 +29,9 @@ public IncludeTests(IntegrationTestContext<Startup, AppDbContext> testContext)
             {
                 services.AddScoped<IResourceService<Article>, JsonApiResourceService<Article>>();
             });
+
+            var options = (JsonApiOptions) testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.MaximumIncludeDepth = null;
         }
 
         [Fact]
@@ -786,5 +791,52 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
             responseDocument.Included[0].Id.Should().Be(todoItems[0].Owner.StringId);
             responseDocument.Included[0].Attributes["firstName"].Should().Be(todoItems[0].Owner.FirstName);
         }
+
+        [Fact]
+        public async Task Can_include_at_configured_maximum_inclusion_depth()
+        {
+            // Arrange
+            var options = (JsonApiOptions) _testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.MaximumIncludeDepth = 1;
+
+            var blog = new Blog();
+
+            await _testContext.RunOnDatabaseAsync(async dbContext =>
+            {
+                dbContext.Blogs.Add(blog);
+
+                await dbContext.SaveChangesAsync();
+            });
+
+            var route = $"/api/v1/blogs/{blog.StringId}/articles?include=author,revisions";
+
+            // Act
+            var (httpResponse, _) = await _testContext.ExecuteGetAsync<Document>(route);
+
+            // Assert
+            httpResponse.Should().HaveStatusCode(HttpStatusCode.OK);
+        }
+
+        [Fact]
+        public async Task Cannot_exceed_configured_maximum_inclusion_depth()
+        {
+            // Arrange
+            var options = (JsonApiOptions) _testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.MaximumIncludeDepth = 1;
+
+            var route = "/api/v1/blogs/123/owner?include=articles.revisions";
+
+            // Act
+            var (httpResponse, responseDocument) = await _testContext.ExecuteGetAsync<ErrorDocument>(route);
+
+            // Assert
+            httpResponse.Should().HaveStatusCode(HttpStatusCode.BadRequest);
+            
+            responseDocument.Errors.Should().HaveCount(1);
+            responseDocument.Errors[0].StatusCode.Should().Be(HttpStatusCode.BadRequest);
+            responseDocument.Errors[0].Title.Should().Be("Including at the requested depth is not allowed.");
+            responseDocument.Errors[0].Detail.Should().Be("Including 'articles.revisions' exceeds the maximum inclusion depth of 1.");
+            responseDocument.Errors[0].Source.Parameter.Should().Be("include");
+        }
     }
 }

test/UnitTests/QueryStringParameters/IncludeParseTests.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Net;
 using FluentAssertions;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Controllers;
 using JsonApiDotNetCore.Exceptions;
 using JsonApiDotNetCore.Internal.QueryStrings;
@@ -15,7 +16,7 @@ public sealed class IncludeParseTests : ParseTestsBase
 
         public IncludeParseTests()
         {
-            _reader = new IncludeQueryStringParameterReader(CurrentRequest, ResourceGraph);
+            _reader = new IncludeQueryStringParameterReader(CurrentRequest, ResourceGraph, new JsonApiOptions());
         }
 
         [Theory]