lib/gitlab/graphql/query_analyzers/ast/recursion_analyzer.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

# frozen_string_literal: true

# Recursive queries, with relatively low effort, can quickly spiral out of control exponentially
# and may not be picked up by depth and complexity alone.
module Gitlab
  module Graphql
    module QueryAnalyzers
      module AST
        class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer
          IGNORED_FIELDS = %w(node edges nodes ofType).freeze
          RECURSION_THRESHOLD = 2

          def initialize(query)
            super

            @node_visits = {}
            @recurring_fields = {}
          end

          def on_enter_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] += 1

            times_encountered = @node_visits[node_name]
            recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
          end

          # Visitors are all defined on the AST::Analyzer base class
          # We override them for custom analyzers.
          def on_leave_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] -= 1
          end

          def result
            @recurring_fields = @recurring_fields.select { |k, v| recursion_too_deep?(k, v) }

            if @recurring_fields.any?
              GraphQL::AnalysisError.new(<<~MSG)
                Recursive query - too many of fields '#{@recurring_fields}' detected
                in single branch of the query")
              MSG
            end
          end

          private

          attr_reader :node_visits, :recurring_fields

          def recursion_too_deep?(node_name, times_encountered)
            return if IGNORED_FIELDS.include?(node_name)

            times_encountered > recursion_threshold
          end

          def skip_node?(node, visitor)
            # We don't want to count skipped fields or fields
            # inside fragment definitions
            return false if visitor.skipping? || visitor.visiting_fragment_definition?

            !node.is_a?(GraphQL::Language::Nodes::Field) || node.selections.empty?
          end

          # separated into a method for use in allow_high_graphql_recursion
          def recursion_threshold
            RECURSION_THRESHOLD
          end
        end
      end
    end
  end
end