fix: Add graphql max depth and aliases limits

Author: suejung-sentry

codecov/settings_base.py

@@ -92,7 +92,6 @@
 
 WSGI_APPLICATION = "codecov.wsgi.application"
 
-
 # GraphQL
 
 GRAPHQL_QUERY_COST_THRESHOLD = get_config(
@@ -105,6 +104,10 @@
 
 GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=300)
 
+GRAPHQL_MAX_DEPTH = 15
+
+GRAPHQL_MAX_ALIASES = 15
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 
@@ -184,7 +187,6 @@
 
 USE_TZ = True
 
-
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
@@ -308,7 +310,6 @@
     "gitlab", "bots", "tokenless", "key", default=GITLAB_BOT_KEY
 )
 
-
 GITLAB_ENTERPRISE_CLIENT_ID = get_config("gitlab_enterprise", "client_id")
 GITLAB_ENTERPRISE_CLIENT_SECRET = get_config("gitlab_enterprise", "client_secret")
 GITLAB_ENTERPRISE_REDIRECT_URI = get_config(
@@ -323,7 +324,6 @@
 GITLAB_ENTERPRISE_URL = get_config("gitlab_enterprise", "url")
 GITLAB_ENTERPRISE_API_URL = get_config("gitlab_enterprise", "api_url")
 
-
 CORS_ALLOW_HEADERS = (
     list(default_headers)
     + ["token-type"]
@@ -344,7 +344,6 @@
     "setup", "http", "file_upload_max_memory_size", default=2621440
 )
 
-
 CORS_ALLOWED_ORIGIN_REGEXES = get_config(
     "setup", "api_cors_allowed_origin_regexes", default=[]
 )
@@ -362,7 +361,6 @@
 
 HIDE_ALL_CODECOV_TOKENS = get_config("setup", "hide_all_codecov_tokens", default=False)
 
-
 SENTRY_JWT_SHARED_SECRET = get_config(
     "sentry", "jwt_shared_secret", default=None
 ) or get_config("setup", "sentry", "jwt_shared_secret", default=None)

graphql_api/tests/test_validation.py

@@ -0,0 +1,97 @@
+from graphql import (
+    GraphQLField,
+    GraphQLObjectType,
+    GraphQLSchema,
+    GraphQLString,
+    parse,
+    validate,
+)
+
+from ..validation import (
+    create_max_aliases_rule,
+    create_max_depth_rule,
+)
+
+QueryType = GraphQLObjectType(
+    "Query", {"field": GraphQLField(GraphQLString, resolve=lambda *args: "test")}
+)
+schema = GraphQLSchema(query=QueryType)
+
+
+def validate_query(query, *rules):
+    ast = parse(query)
+    return validate(schema, ast, rules=rules)
+
+
+# Tests for MaxDepthRule
+def test_max_depth_rule_allows_within_depth():
+    query = """
+    query {
+        field
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert not errors, "Expected no errors for depth within the limit"
+
+
+def test_max_depth_rule_rejects_exceeding_depth():
+    query = """
+    query {
+        field {
+            field {
+                field
+            }
+        }
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert errors, "Expected errors for exceeding depth limit"
+    assert any(
+        "Query depth exceeds the maximum allowed depth" in str(e) for e in errors
+    )
+
+
+# Tests for MaxAliasesRule
+def test_max_aliases_rule_allows_within_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert not errors, "Expected no errors for alias count within the limit"
+
+
+def test_max_aliases_rule_rejects_exceeding_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+        alias3: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert errors, "Expected errors for exceeding alias limit"
+    assert any("Query uses too many aliases" in str(e) for e in errors)
+
+
+def test_max_depth_rule_exact_depth():
+    query = """
+    query {
+        field
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert not errors, "Expected no errors when query depth matches the limit"
+
+
+def test_max_aliases_rule_exact_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert not errors, "Expected no errors when alias count matches the limit"

graphql_api/validation.py

@@ -0,0 +1,60 @@
+from graphql import GraphQLError, ValidationRule
+from graphql.language.ast import DocumentNode, FieldNode, OperationDefinitionNode
+
+
+def create_max_depth_rule(max_depth: int):
+    class MaxDepthRule(ValidationRule):
+        def __init__(self, context):
+            super().__init__(context)
+            self.operation_depth = 1
+            self.max_depth_reached = False
+            self.max_depth = max_depth
+
+        def enter_operation_definition(self, node: OperationDefinitionNode, *_args):
+            self.operation_depth = 1
+            self.max_depth_reached = False
+
+        def enter_field(self, node: FieldNode, *_args):
+            self.operation_depth += 1
+
+            if self.operation_depth > self.max_depth and not self.max_depth_reached:
+                self.max_depth_reached = True
+                self.report_error(
+                    GraphQLError(
+                        f"Query depth exceeds the maximum allowed depth of {self.max_depth}.",
+                        node,
+                    )
+                )
+
+        def leave_field(self, node: FieldNode, *_args):
+            self.operation_depth -= 1
+
+    return MaxDepthRule
+
+
+def create_max_aliases_rule(max_aliases: int):
+    class MaxAliasesRule(ValidationRule):
+        def __init__(self, context):
+            super().__init__(context)
+            self.alias_count = 0
+            self.has_reported_error = False
+            self.max_aliases = max_aliases
+
+        def enter_document(self, node: DocumentNode, *_args):
+            self.alias_count = 0
+            self.has_reported_error = False
+
+        def enter_field(self, node: FieldNode, *_args):
+            if node.alias:
+                self.alias_count += 1
+
+                if self.alias_count > self.max_aliases and not self.has_reported_error:
+                    self.has_reported_error = True
+                    self.report_error(
+                        GraphQLError(
+                            f"Query uses too many aliases. Maximum allowed is {self.max_aliases}.",
+                            node,
+                        )
+                    )
+
+    return MaxAliasesRule

graphql_api/views.py

@@ -28,6 +28,7 @@
 from services.redis_configuration import get_redis_connection
 
 from .schema import schema
+from .validation import create_max_aliases_rule, create_max_depth_rule
 
 log = logging.getLogger(__name__)
 
@@ -200,7 +201,11 @@ def get_validation_rules(
                 maximum_cost=settings.GRAPHQL_QUERY_COST_THRESHOLD,
                 default_cost=1,
                 variables=data.get("variables"),
-            )
+            ),
+            create_max_depth_rule(max_depth=getattr(settings, "GRAPHQL_MAX_DEPTH", 15)),
+            create_max_aliases_rule(
+                max_aliases=getattr(settings, "GRAPHQL_MAX_ALIASES", 15)
+            ),
         ]
 
     validation_rules = get_validation_rules  # type: ignore