Add max_depth limit to GraphQL queries once again

We accidentally removed this code in commit c984e666f. As mentioned in our GraphQL documentation, limiting the depth of the queries helps against DoS attacks.
2024-09-25 14:21:06 +02:00
parent d28854802e
commit 90bb7484a5
2 changed files with 39 additions and 0 deletions
--- a/app/graphql/consul_schema.rb
+++ b/app/graphql/consul_schema.rb
@@ -1,4 +1,6 @@
 class ConsulSchema < GraphQL::Schema
  mutation(Types::MutationType)
  query(Types::QueryType)
+
+  max_depth 8
 end
--- a/spec/graphql/consul_schema_spec.rb
+++ b/spec/graphql/consul_schema_spec.rb
@@ -0,0 +1,37 @@
+require "rails_helper"
+
+describe ConsulSchema do
+  let(:user) { create(:user) }
+
+  it "returns an error for queries exceeding max depth" do
+    query = <<~GRAPHQL
+      {
+        user(id: #{user.id}) {
+          public_proposals {
+            edges {
+              node {
+                public_author {
+                  username
+                  public_proposals {
+                    edges {
+                      node {
+                        public_author {
+                          username
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    GRAPHQL
+
+    response = execute(query)
+
+    expect(response["errors"]).not_to be nil
+    expect(response["errors"].first["message"]).to match(/exceeds max depth/)
+  end
+end