feat(graphql): allow to configure max query depth and max query complexity (#6880)

soyuka · mauriau · web-flow · commit 6d593ddcc9c4 · 2024-12-20T10:37:49.000+01:00
Co-authored-by: mauriau &lt;m.auriau@toovalu.com&gt;
diff --git a/Executor.php b/Executor.php
@@ -18,6 +18,8 @@
 use GraphQL\Type\Schema;
 use GraphQL\Validator\DocumentValidator;
 use GraphQL\Validator\Rules\DisableIntrospection;
+use GraphQL\Validator\Rules\QueryComplexity;
+use GraphQL\Validator\Rules\QueryDepth;
 
 /**
  * Wrapper for the GraphQL facade.
@@ -26,13 +28,19 @@
  */
 final class Executor implements ExecutorInterface
 {
-    public function __construct(private readonly bool $graphQlIntrospectionEnabled = true)
+    public function __construct(private readonly bool $graphQlIntrospectionEnabled = true, private readonly int $maxQueryComplexity = 500, private readonly int $maxQueryDepth = 20)
     {
         DocumentValidator::addRule(
             new DisableIntrospection(
                 $this->graphQlIntrospectionEnabled ? DisableIntrospection::DISABLED : DisableIntrospection::ENABLED
             )
         );
+
+        $queryComplexity = new QueryComplexity($this->maxQueryComplexity);
+        DocumentValidator::addRule($queryComplexity);
+
+        $queryDepth = new QueryDepth($this->maxQueryDepth);
+        DocumentValidator::addRule($queryDepth);
     }
 
     /**
diff --git a/Tests/ExecutorTest.php b/Tests/ExecutorTest.php
@@ -16,6 +16,8 @@
 use ApiPlatform\GraphQl\Executor;
 use GraphQL\Validator\DocumentValidator;
 use GraphQL\Validator\Rules\DisableIntrospection;
+use GraphQL\Validator\Rules\QueryComplexity;
+use GraphQL\Validator\Rules\QueryDepth;
 use PHPUnit\Framework\TestCase;
 
 /**
@@ -38,4 +40,20 @@ public function testDisableIntrospectionQuery(): void
         $expected = new DisableIntrospection(DisableIntrospection::ENABLED);
         $this->assertEquals($expected, DocumentValidator::getRule(DisableIntrospection::class));
     }
+
+    public function testChangeValueOfMaxQueryDepth(): void
+    {
+        $executor = new Executor(true, 20);
+
+        $expected = new QueryComplexity(20);
+        $this->assertEquals($expected, DocumentValidator::getRule(QueryComplexity::class));
+    }
+
+    public function testChangeValueOfMaxQueryComplexity(): void
+    {
+        $executor = new Executor(true, maxQueryDepth: 20);
+
+        $expected = new QueryDepth(20);
+        $this->assertEquals($expected, DocumentValidator::getRule(QueryDepth::class));
+    }
 }
