sec chk

mtrezza · mtrezza · commit 0078273704d8 · 2026-03-07T21:04:32.000Z
diff --git a/spec/SecurityCheckGroups.spec.js b/spec/SecurityCheckGroups.spec.js
@@ -48,6 +48,7 @@ describe('Security Check Groups', () => {
       expect(group.checks()[5].checkState()).toBe(CheckState.success);
       expect(group.checks()[6].checkState()).toBe(CheckState.success);
       expect(group.checks()[8].checkState()).toBe(CheckState.success);
+      expect(group.checks()[9].checkState()).toBe(CheckState.success);
     });
 
     it('checks fail correctly', async () => {
@@ -59,6 +60,13 @@ describe('Security Check Groups', () => {
       config.mountPlayground = true;
       config.readOnlyMasterKey = 'someReadOnlyMasterKey';
       config.readOnlyMasterKeyIps = ['0.0.0.0/0'];
+      config.requestComplexity = {
+        includeDepth: -1,
+        includeCount: -1,
+        subqueryDepth: -1,
+        graphQLDepth: -1,
+        graphQLFields: -1,
+      };
       await reconfigureServer(config);
 
       const group = new CheckGroupServerConfig();
@@ -70,6 +78,7 @@ describe('Security Check Groups', () => {
       expect(group.checks()[5].checkState()).toBe(CheckState.fail);
       expect(group.checks()[6].checkState()).toBe(CheckState.fail);
       expect(group.checks()[8].checkState()).toBe(CheckState.fail);
+      expect(group.checks()[9].checkState()).toBe(CheckState.fail);
     });
 
     it_only_db('mongo')('checks succeed correctly (MongoDB specific)', async () => {
diff --git a/src/Security/CheckGroups/CheckGroupServerConfig.js b/src/Security/CheckGroups/CheckGroupServerConfig.js
@@ -134,6 +134,23 @@ class CheckGroupServerConfig extends CheckGroup {
           }
         },
       }),
+      new Check({
+        title: 'Request complexity limits enabled',
+        warning:
+          'One or more request complexity limits are disabled, which may allow denial-of-service attacks through deeply nested or excessively broad queries.',
+        solution:
+          "Ensure all properties in 'requestComplexity' are set to positive integers. Set to '-1' only if you have other mitigations in place.",
+        check: () => {
+          const rc = config.requestComplexity;
+          if (!rc) {
+            throw 1;
+          }
+          const values = [rc.includeDepth, rc.includeCount, rc.subqueryDepth, rc.graphQLDepth, rc.graphQLFields];
+          if (values.some(v => v === -1)) {
+            throw 1;
+          }
+        },
+      }),
       new Check({
         title: 'LiveQuery regex timeout enabled',
         warning:
