graphql icon indicating copy to clipboard operation
graphql copied to clipboard

Published 20 hours ago verified publisher icon nestjs

complexity configuration option not working with federated graphs

Open donverduyn opened this issue 3 years ago • 8 comments

I'm submitting a...


[ ] Regression 
[x] Bug report
[ ] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

Currently, when using federated graphs, the complexity option property does not limit the allowed query depth, when there is a circular reference between two object types (when fields are added by resolvers that are decorated with the ResolveField decorator). ​

Expected behavior

The complexity configuration options property should work with federated graphs and resolvers that are decorated with the ResolveField decorator, when they recursively resolve through circular references between two object types. The complexity of queries still need to be limited on a per resolver basis.

Minimal reproduction of the problem with instructions

https://github.com/hardyscc/nestjs-cqrs-starter ./apps/service-account/src/account/resolver/user.resolver.ts

@Resolver(() => User)
export class UserResolver {
  constructor(private readonly accountService: AccountService) {}

  @ResolveField(() => [Account], { complexity: 1})
  accounts(@Parent() user: User) {
    return this.accountService.findByUserId(user.id);
  }
}

This still allows the accounts field to be resolved from the user field inside an account type.

What is the motivation / use case for changing the behavior?

Circular referencing can pose security risks that can be exploited by malicious queries

Environment


Nest version: 7.6.15
​
For Tooling issues:
- Node version: 14
- Platform:  WSL Ubuntu 18

donverduyn avatar Apr 27 '21 12:04 donverduyn

Would you like to create a PR for this issue?

kamilmysliwiec avatar Apr 28 '21 09:04 kamilmysliwiec

https://github.com/DonnyVerduijn/nestjs-cqrs-starter Should be straightforward to reproduce.

donverduyn avatar Apr 28 '21 15:04 donverduyn

Would you like to create a PR that addresses this issue?

kamilmysliwiec avatar Jul 08 '21 08:07 kamilmysliwiec

I'll try to take a look at this today.

donverduyn avatar Jul 08 '21 10:07 donverduyn

👀

bneigher avatar Aug 03 '22 22:08 bneigher

:eyes:

ahmadxgani avatar Feb 20 '23 10:02 ahmadxgani

Hey, minimal reproduction is not installed graphql-query-complexity. So complexity is not working, but expected behavior. I created minimal example repository. It doesn't use federation, but will be work too.

https://github.com/choco14t/nest-graphql-complexity

choco14t avatar Feb 20 '23 19:02 choco14t

@kamilmysliwiec I tested complexity with federated graph. Complexity extension works fine. testing repo: https://github.com/choco14t/example-gateway-logging/tree/check-complexity

Set default complexity 1 per field, user.posts complexity 5. Return complexity 11 when executed query below.

query QueryPosts {
  posts {
    id
    title
    user {
      id
      posts { # set complexity: 5
        id
      }
    }
  }
}

2023-02-26_062214

choco14t avatar Feb 25 '23 21:02 choco14t