Limit GraphQL queries complexity once again
We accidentally removed the code for maximum complexity in commit c984e666f. As mentioned in the documentation: > The main risk factor is multiple collections of resources being > requested in the same query. We reject these requests by limiting the complexity. The `max_complexity` option depends on the page size being set. Without it, we get an error: ``` Can't calculate complexity for User.public_debates, no `first:`, `last:`, `max_page_size` or `default_max_page_size` ``` So we're also adding a default max page size. Note that the documentation mentioned that the default page size was 25. However, before commit c984e666f, we were using a page size of 50 in some cases. We're going with the one mentioned in the documentation since we don't fully understand the old code.
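--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,5 +2,7 @@ class ConsulSchema < GraphQL::Schema
 mutation(Types::MutationType)
 query(Types::QueryType)
 
+default_max_page_size 25
+max_complexity 2500
 max_depth 8
 end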
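Review bot: Neither new line says why 25 and 2500 were chosen or how they interact, and the rationale in the commit message will not be visible to the next reader of the schema; a comment above `default_max_page_size 25` such as `# Connections without first:/last: page at 25 records; the complexity analyzer multiplies nested connection costs by the page size, so max_complexity is what rejects queries listing several collections at once` would keep that knowledge in the file. Note that `default_max_page_size` only fills in a missing `first:`/`last:`, so a client-supplied `first:` is still what the analyzer multiplies by; as far as I can tell that keeps oversized pages bounded by the 2500 budget rather than by a page cap, and if a hard cap per connection is also intended, `max_page_size` is the separate option for that. The `class ConsulSchema` line sits above the hunk.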
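--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -34,4 +34,43 @@ describe ConsulSchema do
 expect(response["errors"]).not_to be nil
 expect(response["errors"].first["message"]).to match(/exceeds max depth/)
 end
+
+it "returns an error for queries requesting all records from more than 2 collections" do
+query = <<~GRAPHQL
+{
+users {
+edges {
+node {
+public_debates {
+edges {
+node {
+title
+}
+}
+}
+public_proposals {
+edges {
+node {
+title
+}
+}
+}
+public_comments {
+edges {
+node {
+body
+}
+}
+}
+}
+}
+}
+}
+GRAPHQL
+
+response = execute(query)
+
+expect(response["errors"]).not_to be nil
+expect(response["errors"].first["message"]).to match(/Query has complexity/)
+end
 end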
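Review bot: The new example only pins the rejecting side of the 2500 budget; nothing asserts that a query with a single nested collection still executes, so a later change to `default_max_page_size` or `max_complexity` that starts rejecting legitimate queries would not be caught here. A companion example with `users` plus one nested collection and `expect(response["errors"]).to be nil` would lock in both edges of the limit; the number of collections that fits in the budget should be confirmed against the analyzer before settling on the query. The example's title also says "more than 2 collections" while the query requests `users` and three nested connections, so stating which count the title refers to would avoid confusion. The enclosing `describe ConsulSchema do` block starts above the hunk.
```ruby
it "accepts queries requesting all records from a single nested collection" do
  query = <<~GRAPHQL
    {
      users {
        edges {
          node {
            public_debates {
              edges {
                node {
                  title
                }
              }
            }
          }
        }
      }
    }
  GRAPHQL

  response = execute(query)

  expect(response["errors"]).to be nil
end
```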