apollo-server
Support validation "maxErrors" option
We faced a DoS attack which was simply exploiting invalid requests like
query AAA ($a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAB ($b:b, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAC ($c:c, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
It produces huge latency and blocks other concurrent queries (the NodeJS event loop is blocked by validating and/or generating errors), which is the most crucial point.
The GraphQL validate function has an option to configure maxErrors and aborts the validation if it hits the limit.
Before (unlimited, maxErrors: undefined)
After (maxErrors: 10)
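The effect described in this issue, as an added example that is not code from the issue or from apollo-server: a small stand-alone model of graphql-js's UniqueVariableNames rule and its maxErrors abort, run over a constructed document shaped like the reported one. In real code the cut-off is set by passing `{ maxErrors }` in the options argument of graphql-js's `validate()` (its argument position differs between graphql-js 15 and 16); the model only makes the bounded versus unbounded work visible.

```javascript
// Constructed abusive document, shaped like the one reported in the issue.
function buildAbusiveQuery(count) {
  const vars = Array.from({ length: count }, () => '$a:a').join(', ');
  return `query AAA (${vars}) { a }`;
}

// Models the cost graphql-js pays per error: resolving an offset to a
// line/column location rescans the source, so 1000 errors mean 1000 rescans.
function offsetToLocation(source, offset) {
  let line = 1, column = 1;
  for (let i = 0; i < offset; i++) {
    if (source[i] === '\n') { line++; column = 1; } else { column++; }
  }
  return { line, column };
}

const ABORT = Symbol('validation-abort');

// Simplified validate(): a single rule (unique variable names) with an
// optional maxErrors cut-off. Returns { errors, rescans } so a bounded run
// can be compared with an unbounded one. Like graphql-js, hitting the limit
// appends one final "aborted" error and stops visiting the document.
function validateVariables(source, { maxErrors } = {}) {
  const errors = [];
  let rescans = 0;
  const seen = new Set();
  const report = (err) => {
    errors.push(err);
    if (maxErrors !== undefined && errors.length >= maxErrors) {
      errors.push({ message: 'Too many validation errors, error limit reached. Validation aborted.' });
      throw ABORT;
    }
  };
  try {
    const re = /\$(\w+)\s*:/g; // each "$name:" variable definition
    let m;
    while ((m = re.exec(source)) !== null) {
      if (seen.has(m[1])) {
        rescans++; // location lookup is the expensive part per error
        report({ message: `There can be only one variable named "$${m[1]}".`,
                 location: offsetToLocation(source, m.index) });
      }
      seen.add(m[1]);
    }
  } catch (e) {
    if (e !== ABORT) throw e;
  }
  return { errors, rescans };
}
```

With 1000 duplicate definitions the unbounded run produces 999 errors and 999 rescans, while `maxErrors: 10` stops after 10 errors plus the abort notice.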
I'm surprised to see you're saying the default is unlimited — isn't the default in graphql-js (or versions with the maxErrors flag) 100?
Yep, you are right. Sorry for the confusion.
We haven't migrated yet, and I tested a quick patch against the outdated [email protected] and [email protected]
https://github.com/graphql/graphql-js/blob/15.x.x/src/validation/validate.js#L38
The latest [email protected] changed the default value to 100.
It is much better with 100, but anyway I'd like to be able to configure this. The difference is very noticeable on less performant cores.