From 90bb7484a51fd344e524d49f04628e983d523459 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Wed, 25 Sep 2024 14:21:06 +0200
Subject: [PATCH] Add max_depth limit to GraphQL queries once again

We accidentally removed this code in commit c984e666f. As mentioned in our GraphQL documentation, limiting the depth of the queries helps against DoS attacks.
---
 app/graphql/consul_schema.rb | 2 ++
 spec/graphql/consul_schema_spec.rb | 37 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 spec/graphql/consul_schema_spec.rb

diff --git a/app/graphql/consul_schema.rb b/app/graphql/consul_schema.rb
index 3bd1e9ba9..e7a44581d 100644
--- a/app/graphql/consul_schema.rb
+++ b/app/graphql/consul_schema.rb
@@ -1,4 +1,6 @@
 class ConsulSchema < GraphQL::Schema
 mutation(Types::MutationType)
 query(Types::QueryType)
+
+ max_depth 8
 end
diff --git a/spec/graphql/consul_schema_spec.rb b/spec/graphql/consul_schema_spec.rb
new file mode 100644
index 000000000..b0bfae536
--- /dev/null
+++ b/spec/graphql/consul_schema_spec.rb
@@ -0,0 +1,37 @@
+require "rails_helper"
+
+describe ConsulSchema do
+ let(:user) { create(:user) }
+
+ it "returns an error for queries exceeding max depth" do
+ query = <<~GRAPHQL
+ {
+ user(id: #{user.id}) {
+ public_proposals {
+ edges {
+ node {
+ public_author {
+ username
+ public_proposals {
+ edges {
+ node {
+ public_author {
+ username
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ GRAPHQL
+
+ response = execute(query)
+
+ expect(response["errors"]).not_to be nil
+ expect(response["errors"].first["message"]).to match(/exceeds max depth/)
+ end
+end
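Review bot: The new `max_depth 8` line in consul_schema.rb carries no explanation, even though the commit message says this exact line was dropped by accident in c984e666f; a comment would make a repeat of that cleanup less likely, e.g. `# Cap the nesting of incoming queries so deeply nested documents cannot exhaust server resources (removed by mistake in c984e666f; keep it).` Depth bounds nesting but not width: a shallow query that fans out across many list or connection fields is not constrained by this line, so graphql-ruby's complementary `max_complexity` setting is worth evaluating alongside it. Whether introspection fields count toward the depth depends on the graphql gem version in use; the standard GraphiQL introspection document nests deeper than 8 levels, so verify that schema introspection still succeeds after this change.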
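Review bot: The spec in consul_schema_spec.rb only exercises the rejected side of the limit, so a regression that tightens `max_depth` to an unusable value, or a helper that returns errors for every query, would still pass; add a companion example where a query at depth 8 or below yields `nil` for `response["errors"]`. `expect(response["errors"]).not_to be nil` reads more idiomatically as `expect(response["errors"]).not_to be_nil`. `execute` is not defined in this file, so it presumably comes from a spec support helper; it is worth confirming that helper runs the query through `ConsulSchema` rather than a stub, since the assertion depends on the real analyzer's message.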