Apply validate_timeout to analysis, too

Author: rmosolgo

guides/queries/timeout.md

@@ -63,16 +63,17 @@ class MySchema < GraphQL::Schema
 end
 ```
 
-## Validation
+## Validation and Analysis
 
 Queries can originate from a user, and may be crafted in a manner to take a long time to validate against the schema.
 
-It is possible to limit how many seconds the static validation rules are allowed to run before returning a validation timeout error. The default is no timeout.
+It is possible to limit how many seconds the static validation rules and analysers are allowed to run before returning a validation timeout error. The default is no timeout.
 
 For example:
 
 ```ruby
 class MySchema < GraphQL::Schema
+  # Applies to static validation and query analysis
   validate_timeout 10
 end
 ```

lib/graphql/analysis/ast.rb

@@ -6,6 +6,7 @@
 require "graphql/analysis/ast/max_query_complexity"
 require "graphql/analysis/ast/query_depth"
 require "graphql/analysis/ast/max_query_depth"
+require "timeout"
 
 module GraphQL
   module Analysis
@@ -63,7 +64,10 @@ def analyze_query(query, analyzers, multiplex_analyzers: [])
                 analyzers: analyzers_to_run
               )
 
-              visitor.visit
+              # `nil` or `0` causes no timeout
+              Timeout::timeout(query.validate_timeout_remaining) do
+                visitor.visit
+              end
 
               if visitor.rescued_errors.any?
                 return visitor.rescued_errors
@@ -75,6 +79,8 @@ def analyze_query(query, analyzers, multiplex_analyzers: [])
             []
           end
         end
+      rescue Timeout::Error
+        [GraphQL::AnalysisError.new("Timeout on validation of query")]
       end
 
       def analysis_errors(results)

lib/graphql/query.rb

@@ -317,7 +317,7 @@ def validation_pipeline
     end
 
     def_delegators :validation_pipeline, :validation_errors,
-                   :analyzers, :ast_analyzers, :max_depth, :max_complexity
+                   :analyzers, :ast_analyzers, :max_depth, :max_complexity, :validate_timeout_remaining
 
     attr_accessor :analysis_errors
     def valid?

lib/graphql/query/validation_pipeline.rb

@@ -14,7 +14,7 @@ class Query
     #
     # @api private
     class ValidationPipeline
-      attr_reader :max_depth, :max_complexity
+      attr_reader :max_depth, :max_complexity, :validate_timeout_remaining
 
       def initialize(query:, parse_error:, operation_name_error:, max_depth:, max_complexity:)
         @validation_errors = []
@@ -71,7 +71,7 @@ def ensure_has_validated
           validator = @query.static_validator || @schema.static_validator
           validation_result = validator.validate(@query, validate: @query.validate, timeout: @schema.validate_timeout, max_errors: @schema.validate_max_errors)
           @validation_errors.concat(validation_result[:errors])
-
+          @validate_timeout_remaining = validation_result[:remaining_timeout]
           if @validation_errors.empty?
             @validation_errors.concat(@query.variables.errors)
           end

lib/graphql/static_validation/validator.rb

@@ -28,6 +28,7 @@ def initialize(schema:, rules: GraphQL::StaticValidation::ALL_RULES)
       # @return [Array<Hash>]
       def validate(query, validate: true, timeout: nil, max_errors: nil)
         query.current_trace.validate(validate: validate, query: query) do
+          begin_t = Time.now
           errors = if validate == false
             []
           else
@@ -52,11 +53,13 @@ def validate(query, validate: true, timeout: nil, max_errors: nil)
           end
 
           {
+            remaining_timeout: timeout ? (timeout - (Time.now - begin_t)) : nil,
             errors: errors,
           }
         end
       rescue GraphQL::ExecutionError => e
         {
+          remaining_timeout: nil,
           errors: [e],
         }
       end

spec/graphql/analysis/ast_spec.rb

@@ -457,4 +457,41 @@ def article(id:)
       assert_equal [[["article", NilClass], ["title", NilClass]]], result
     end
   end
+
+
+  describe ".validate_timeout" do
+    class AnalysisTimeoutSchema < GraphQL::Schema
+      class SlowAnalyzer < GraphQL::Analysis::AST::Analyzer
+        def on_enter_field(node, parent, visitor)
+          sleep 0.1
+          super
+        end
+
+        def result
+          nil
+        end
+      end
+
+      class Query < GraphQL::Schema::Object
+        field :f1, Int
+
+        def f1
+          context[:int] ||= 0
+          context[:int] += 1
+        end
+      end
+
+      query(Query)
+      query_analyzer(SlowAnalyzer)
+      validate_timeout 0.5
+    end
+
+    it "covers analysis too" do
+      res = AnalysisTimeoutSchema.execute("{ f1: f1 f2: f1 }")
+      assert_equal({ "f1" => 1, "f2" => 2}, res["data"])
+
+      res2 = AnalysisTimeoutSchema.execute("{ f1: f1, f2: f1, f3: f1, f4: f1, f5: f1, f6: f1}")
+      assert_equal ["Timeout on validation of query"], res2["errors"].map { |e| e["message"]}
+    end
+  end
 end