Limit GraphQL queries complexity once again
We accidentally removed the code for maximum complexity in commit c984e666f.

As mentioned in the documentation:

> The main risk factor is multiple collections of resources being
> requested in the same query.

We reject these requests by limiting the complexity.

The `max_complexity` option depends on the page size being set. Without it, we get an error:

```
Can't calculate complexity for User.public_debates, no `first:`, `last:`, `max_page_size` or `default_max_page_size`
```

So we're also adding a default max page size.

Note that the documentation mentioned that the default page size was 25. However, before commit c984e666f, we were using a page size of 50 in some cases. We're going with the one mentioned in the documentation since we don't fully understand the old code.
@@ -2,5 +2,7 @@ class ConsulSchema < GraphQL::Schema
|
||||
mutation(Types::MutationType)
|
||||
query(Types::QueryType)
|
||||
|
||||
default_max_page_size 25
|
||||
max_complexity 2500
|
||||
max_depth 8
|
||||
end
|
||||
|
||||
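Review bot: The limits at the end of `ConsulSchema` (`default_max_page_size 25`, `max_complexity 2500`, `max_depth 8`) are bare numbers with no comment, and the commit message says the complexity limit was already removed once by accident. A comment directly above them would tell the next editor that these settings are what rejects expensive nested-collection queries and that they depend on each other, for example `# Query cost limits: max_complexity cannot be calculated unless default_max_page_size is set; 25 matches the API docs`. It would also help to note how 2500 was chosen relative to the page size of 25, since nothing in the hunk explains it. The class body begins outside the hunk.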
@@ -34,4 +34,43 @@ describe ConsulSchema do
|
||||
expect(response["errors"]).not_to be nil
|
||||
expect(response["errors"].first["message"]).to match(/exceeds max depth/)
|
||||
end
|
||||
|
||||
it "returns an error for queries requesting all records from more than 2 collections" do
|
||||
query = <<~GRAPHQL
|
||||
{
|
||||
users {
|
||||
edges {
|
||||
node {
|
||||
public_debates {
|
||||
edges {
|
||||
node {
|
||||
title
|
||||
}
|
||||
}
|
||||
}
|
||||
public_proposals {
|
||||
edges {
|
||||
node {
|
||||
title
|
||||
}
|
||||
}
|
||||
}
|
||||
public_comments {
|
||||
edges {
|
||||
node {
|
||||
body
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
GRAPHQL
|
||||
|
||||
response = execute(query)
|
||||
|
||||
expect(response["errors"]).not_to be nil
|
||||
expect(response["errors"].first["message"]).to match(/Query has complexity/)
|
||||
end
|
||||
end
|
||||
|
||||
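Review bot: The new example only checks that an error matching `/Query has complexity/` is present, so it would not notice if the query were also executed, and nothing in it pins the new `default_max_page_size`. Assuming `execute` returns the whole result hash, adding `expect(response["data"]).to be nil` after the two error expectations would confirm the request was rejected and no records were returned. The description says "more than 2 collections", so a companion example with two nested collections that is expected to succeed would fix where the threshold sits and catch an accidental change to 2500 or 25 in either direction. The enclosing `describe ConsulSchema` block starts outside the hunk.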