Merge branch 'main' into tony/coverage-single-upload

Author: lvthanh03

.github/workflows/ci.yml

@@ -15,23 +15,25 @@ concurrency:
 permissions:
   contents: "read"
   id-token: "write"
+  issues: "write"
+  pull-requests: "write"
 
 jobs:
   lint:
     name: Run Lint
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
 
   build:
     name: Build API
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
     with:
       repo: ${{ vars.CODECOV_IMAGE_V2 || 'codecov/self-hosted-api' }}
 
   codecovstartup:
     name: Codecov Startup
     needs: build
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
 
   # ats:
@@ -47,15 +49,15 @@ jobs:
   test:
     name: Test
     needs: [build]
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
     with:
       repo: ${{ vars.CODECOV_IMAGE_V2 || 'codecov/self-hosted-api' }}
 
   build-self-hosted:
     name: Build Self Hosted API
     needs: [build, test]
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
     with:
       repo: ${{ vars.CODECOV_IMAGE_V2 || 'codecov/self-hosted-api' }}
@@ -64,7 +66,7 @@ jobs:
     name: Push Staging Image
     needs: [build, test]
     if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/staging' && github.repository_owner == 'codecov' }}
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
     with:
       environment: staging
@@ -74,7 +76,7 @@ jobs:
     name: Push Production Image
     needs: [build, test]
     if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/main' && github.repository_owner == 'codecov' }}
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     secrets: inherit
     with:
       environment: production
@@ -85,7 +87,7 @@ jobs:
     needs: [build-self-hosted, test]
     secrets: inherit
     if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/main' && github.repository_owner == 'codecov' }}
-    uses: codecov/gha-workflows/.github/workflows/[email protected].24
+    uses: codecov/gha-workflows/.github/workflows/[email protected].26
     with:
       push_rolling: true
       repo: ${{ vars.CODECOV_IMAGE_V2 || 'codecov/self-hosted-api' }}

codecov/settings_base.py

@@ -106,6 +106,10 @@
 
 GRAPHQL_INTROSPECTION_ENABLED = False
 
+GRAPHQL_MAX_DEPTH = get_config("setup", "graphql", "max_depth", default=20)
+
+GRAPHQL_MAX_ALIASES = get_config("setup", "graphql", "max_aliases", default=10)
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 
@@ -166,6 +170,8 @@
     "'sha256-eKdXhLyOdPl2/gp1Ob116rCU2Ox54rseyz1MwCmzb6w='",
     "'sha256-a1pELtDJXf8fPX1YL2JiBM91RQBeIAswunzgwMEsvwA='",
     "'sha256-cNIcuS0BVLuBVP5rpfeFE42xHz7r5hMyf9YdfknWuCg='",
+    "'sha256-bmwAzHxhO1mBINfkKkKPopyKEv4ppCHx/z84wQJ9nOY='",
+    "'sha256-jQoC6QpIonlMBPFbUGlJFRJFFWbbijMl7Z8XqWrb46o='",
     "https://cdn.jsdelivr.net/npm/graphql-playground-react/build/static/js/middleware.js",
     "https://cdn.jsdelivr.net/npm/graphql-playground-react/build/favicon.png",
     "https://cdn.jsdelivr.net/npm/graphql-playground-react/build/static/css/index.css",

graphql_api/tests/test_validation.py

@@ -0,0 +1,100 @@
+from graphql import (
+    GraphQLField,
+    GraphQLObjectType,
+    GraphQLSchema,
+    GraphQLString,
+    parse,
+    validate,
+)
+
+from ..validation import (
+    create_max_aliases_rule,
+    create_max_depth_rule,
+)
+
+
+def resolve_field(*args):
+    return "test"
+
+
+QueryType = GraphQLObjectType(
+    "Query", {"field": GraphQLField(GraphQLString, resolve=resolve_field)}
+)
+schema = GraphQLSchema(query=QueryType)
+
+
+def validate_query(query, *rules):
+    ast = parse(query)
+    return validate(schema, ast, rules=rules)
+
+
+def test_max_depth_rule_allows_within_depth():
+    query = """
+    query {
+        field
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert not errors, "Expected no errors for depth within the limit"
+
+
+def test_max_depth_rule_rejects_exceeding_depth():
+    query = """
+    query {
+        field {
+            field {
+                field
+            }
+        }
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert errors, "Expected errors for exceeding depth limit"
+    assert any(
+        "Query depth exceeds the maximum allowed depth" in str(e) for e in errors
+    )
+
+
+def test_max_depth_rule_exact_depth():
+    query = """
+    query {
+        field
+    }
+    """
+    errors = validate_query(query, create_max_depth_rule(2))
+    assert not errors, "Expected no errors when query depth matches the limit"
+
+
+def test_max_aliases_rule_allows_within_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert not errors, "Expected no errors for alias count within the limit"
+
+
+def test_max_aliases_rule_rejects_exceeding_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+        alias3: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert errors, "Expected errors for exceeding alias limit"
+    assert any("Query uses too many aliases" in str(e) for e in errors)
+
+
+def test_max_aliases_rule_exact_alias_limit():
+    query = """
+    query {
+        alias1: field
+        alias2: field
+    }
+    """
+    errors = validate_query(query, create_max_aliases_rule(2))
+    assert not errors, "Expected no errors when alias count matches the limit"

graphql_api/validation.py

@@ -0,0 +1,65 @@
+from typing import Any, Type
+
+from graphql import GraphQLError, ValidationRule
+from graphql.language.ast import DocumentNode, FieldNode, OperationDefinitionNode
+from graphql.validation import ValidationContext
+
+
+def create_max_depth_rule(max_depth: int) -> Type[ValidationRule]:
+    class MaxDepthRule(ValidationRule):
+        def __init__(self, context: ValidationContext) -> None:
+            super().__init__(context)
+            self.operation_depth: int = 1
+            self.max_depth_reached: bool = False
+            self.max_depth: int = max_depth
+
+        def enter_operation_definition(
+            self, node: OperationDefinitionNode, *_args: Any
+        ) -> None:
+            self.operation_depth = 1
+            self.max_depth_reached = False
+
+        def enter_field(self, node: FieldNode, *_args: Any) -> None:
+            self.operation_depth += 1
+
+            if self.operation_depth > self.max_depth and not self.max_depth_reached:
+                self.max_depth_reached = True
+                self.report_error(
+                    GraphQLError(
+                        "Query depth exceeds the maximum allowed depth",
+                        node,
+                    )
+                )
+
+        def leave_field(self, node: FieldNode, *_args: Any) -> None:
+            self.operation_depth -= 1
+
+    return MaxDepthRule
+
+
+def create_max_aliases_rule(max_aliases: int) -> Type[ValidationRule]:
+    class MaxAliasesRule(ValidationRule):
+        def __init__(self, context: ValidationContext) -> None:
+            super().__init__(context)
+            self.alias_count: int = 0
+            self.has_reported_error: bool = False
+            self.max_aliases: int = max_aliases
+
+        def enter_document(self, node: DocumentNode, *_args: Any) -> None:
+            self.alias_count = 0
+            self.has_reported_error = False
+
+        def enter_field(self, node: FieldNode, *_args: Any) -> None:
+            if node.alias:
+                self.alias_count += 1
+
+                if self.alias_count > self.max_aliases and not self.has_reported_error:
+                    self.has_reported_error = True
+                    self.report_error(
+                        GraphQLError(
+                            "Query uses too many aliases",
+                            node,
+                        )
+                    )
+
+    return MaxAliasesRule

graphql_api/views.py

@@ -28,6 +28,7 @@
 from services.redis_configuration import get_redis_connection
 
 from .schema import schema
+from .validation import create_max_aliases_rule, create_max_depth_rule
 
 log = logging.getLogger(__name__)
 
@@ -188,7 +189,7 @@ def __exit__(self, exc_type, exc_value, exc_traceback):
 class AsyncGraphqlView(GraphQLAsyncView):
     schema = schema
     extensions = [QueryMetricsExtension]
-    introspection = getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False)
+    introspection = settings.GRAPHQL_INTROSPECTION_ENABLED
 
     def get_validation_rules(
         self,
@@ -197,11 +198,13 @@ def get_validation_rules(
         data: dict,
     ) -> Optional[Collection]:
         return [
+            create_max_aliases_rule(max_aliases=settings.GRAPHQL_MAX_ALIASES),
+            create_max_depth_rule(max_depth=settings.GRAPHQL_MAX_DEPTH),
             cost_validator(
                 maximum_cost=settings.GRAPHQL_QUERY_COST_THRESHOLD,
                 default_cost=1,
                 variables=data.get("variables"),
-            )
+            ),
         ]
 
     validation_rules = get_validation_rules  # type: ignore

upload/helpers.py

@@ -754,9 +754,9 @@ def dispatch_upload_task(
 
 def validate_activated_repo(repository):
     if repository.active and not repository.activated:
-        settings_url = f"{settings.CODECOV_DASHBOARD_URL}/{repository.author.service}/{repository.author.username}/{repository.name}/settings"
+        config_url = f"{settings.CODECOV_DASHBOARD_URL}/{repository.author.service}/{repository.author.username}/{repository.name}/config/general"
         raise ValidationError(
-            f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings_url}"
+            f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {config_url}"
         )
 
 

upload/tests/test_helpers.py

@@ -259,12 +259,12 @@ def test_validate_upload_too_many_uploads_for_commit(
 
 def test_deactivated_repo(db, mocker):
     repository = RepositoryFactory.create(active=True, activated=False)
-    settings_url = f"{settings.CODECOV_DASHBOARD_URL}/{repository.author.service}/{repository.author.username}/{repository.name}/settings"
+    config_url = f"{settings.CODECOV_DASHBOARD_URL}/{repository.author.service}/{repository.author.username}/{repository.name}/config/general"
 
     with pytest.raises(ValidationError) as exp:
         validate_activated_repo(repository)
     assert exp.match(
-        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings_url}"
+        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {config_url}"
     )
 
 

upload/tests/views/test_commits.py

@@ -68,7 +68,7 @@ def test_deactivated_repo(db):
     response_json = response.json()
     assert response.status_code == 400
     assert response_json == [
-        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/settings"
+        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/config/general"
     ]
 
 

upload/tests/views/test_reports.py

@@ -65,7 +65,7 @@ def test_deactivated_repo(db):
     response_json = response.json()
     assert response.status_code == 400
     assert response_json == [
-        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/settings"
+        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/config/general"
     ]
 
 

upload/tests/views/test_uploads.py

@@ -793,7 +793,7 @@ def test_deactivated_repo(db, mocker, mock_redis):
     response_json = response.json()
     assert response.status_code == 400
     assert response_json == [
-        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/settings"
+        f"This repository is deactivated. To resume uploading to it, please activate the repository in the codecov UI: {settings.CODECOV_DASHBOARD_URL}/github/codecov/the_repo/config/general"
     ]