Add query depth and field count limits to Validator #4230
+1,067
−101
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andimarek
force-pushed
the
query-complexity-limits
branch
4 times, most recently
from
2a2074b to
2656347
Compare
This provides a lightweight alternative to ExecutableNormalizedOperation
(ENO) for tracking query complexity during validation.
New features:
- QueryComplexityLimits class with maxDepth and maxFieldsCount settings
- Configuration via GraphQLContext using QueryComplexityLimits.KEY
- Fragment fields counted at each spread site (like ENO)
- Depth tracking measures nested Field nodes
- New validation error types: MaxQueryDepthExceeded, MaxQueryFieldsExceeded
Implementation notes:
- Fragment complexity is calculated lazily during first spread traversal
- No additional AST traversal needed - complexity tracked during normal
validation traversal
- Subsequent spreads of the same fragment add the stored complexity
Usage:
```java
QueryComplexityLimits limits = QueryComplexityLimits.newLimits()
.maxDepth(10)
.maxFieldsCount(100)
.build();
ExecutionInput input = ExecutionInput.newExecutionInput()
.query(query)
.graphQLContext(ctx -> ctx.put(QueryComplexityLimits.KEY, limits))
.build();
```
Co-Authored-By: Claude Opus 4.5 <[email protected]>
andimarek
force-pushed
the
query-complexity-limits
branch
from
2656347 to
2c49495
Compare
Move introspection abuse detection from execution-time ENO creation to the validation layer. This eliminates the expensive ExecutableNormalizedOperation construction for every introspection query. The validator now enforces two checks when GOOD_FAITH_INTROSPECTION is enabled: field repetition (__schema/__type max once, __Type cycle fields max once) and tightened complexity limits (500 fields, 20 depth). Co-Authored-By: Claude Opus 4.6 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
QueryComplexityLimitsclass for configuringmaxDepthandmaxFieldsCountlimitsExecutableNormalizedOperation(ENO) for tracking query complexityMaxQueryDepthExceeded,MaxQueryFieldsExceededUsage
Test plan
🤖 Generated with Claude Code