From 9fb816facef888b8fcdbc443af304105c480547b Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Fri, 3 Dec 2021 10:05:57 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee --- app/controllers/graphql_controller.rb | 16 +++++++++++++++- app/graphql/gitlab_schema.rb | 3 +++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'app') diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index fde0f133e53..899fa614949 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -9,6 +9,9 @@ class GraphqlController < ApplicationController # Header can be passed by tests to disable SQL query limits. DISABLE_SQL_QUERY_LIMIT_HEADER = 'HTTP_X_GITLAB_DISABLE_SQL_QUERY_LIMIT' + # Max size of the query text in characters + MAX_QUERY_SIZE = 10_000 + # If a user is using their session to access GraphQL, we need to have session # storage, since the admin-mode check is session wide. # We can't enable this for anonymous users because that would cause users using @@ -29,6 +32,7 @@ class GraphqlController < ApplicationController before_action :set_user_last_activity before_action :track_vs_code_usage before_action :disable_query_limiting + before_action :limit_query_size before_action :disallow_mutations_for_get @@ -81,6 +85,16 @@ class GraphqlController < ApplicationController raise ::Gitlab::Graphql::Errors::ArgumentError, "Mutations are forbidden in #{request.request_method} requests" end + def limit_query_size + total_size = if multiplex? + params[:_json].sum { _1[:query].size } + else + query.size + end + + raise ::Gitlab::Graphql::Errors::ArgumentError, "Query too large" if total_size > MAX_QUERY_SIZE + end + def any_mutating_query? if multiplex? multiplex_queries.any? { |q| mutation?(q[:query], q[:operation_name]) } @@ -126,7 +140,7 @@ class GraphqlController < ApplicationController end def query - params[:query] + params.fetch(:query, '') end def multiplex_queries 
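Review bot: In `limit_query_size`, the batch branch `params[:_json].sum { _1[:query].size }` assumes every `_json` element is a hash carrying a string `query`, so an entry with `query` absent raises `NoMethodError` from the before_action rather than the `ArgumentError` the guard is meant to raise, while the single-query path was nil-hardened in the last hunk with `params.fetch(:query, '')`. Suggest `params[:_json].sum { _1[:query].to_s.size }` so a batch entry missing `query` counts as zero characters and the request reaches the parser's own error instead of a 500. A non-hash element (a bare string or number in the JSON array) still raises `TypeError` on `_1[:query]`; whether `multiplex?` already excludes that shape is not visible here, so it may need its own guard. `String#size` counts characters, not bytes, so the 10_000 limit admits several times that in request bytes for multi-byte input — if a byte budget is intended, use `bytesize` and say so in the `MAX_QUERY_SIZE` comment. `multiplex?`, `multiplex_queries` and whatever `rescue_from` maps `Gitlab::Graphql::Errors::ArgumentError` to a client error are defined outside these hunks, so the 4xx-versus-500 behaviour is inferred.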
diff --git a/app/graphql/gitlab_schema.rb b/app/graphql/gitlab_schema.rb index e15a185a743..9b23aa60eab 100644 --- a/app/graphql/gitlab_schema.rb +++ b/app/graphql/gitlab_schema.rb @@ -32,6 +32,9 @@ class GitlabSchema < GraphQL::Schema default_max_page_size 100 + validate_max_errors 5 + validate_timeout 0.2.seconds + lazy_resolve ::Gitlab::Graphql::Lazy, :force class << self -- cgit v1.2.3
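Review bot: The two new schema settings carry no comment saying what they defend against, and `validate_timeout 0.2.seconds` passes an `ActiveSupport::Duration` where graphql-ruby documents a number of seconds — it most likely works through `Duration`'s numeric coercion, but a bare `0.2` (or `0.2.seconds.to_f`) is unambiguous. Suggest a comment above the pair such as `# Bound static-validation work per request: stop collecting errors after 5 and abort validation after 0.2s of wall clock, so a pathological document cannot make the validation phase itself expensive.` That comment should also state whether the timeout is a hard interrupt or a cooperative check between validation rules, since that decides whether a single slow rule can overrun the budget; the graphql-ruby version in use is not visible in this diff. Because the budget is wall-clock, a legitimately large query on a loaded worker may be rejected during a GC pause — a hedged follow-up to measure rather than a defect in the change.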