graphql

mtrezza · mtrezza · commit 88fa3aaede38 · 2026-03-07T20:57:09.000Z
diff --git a/spec/GraphQLQueryComplexity.spec.js b/spec/GraphQLQueryComplexity.spec.js
@@ -0,0 +1,149 @@
+'use strict';
+
+const http = require('http');
+const express = require('express');
+const fetch = (...args) => import('node-fetch').then(({ default: fetch }) => fetch(...args));
+require('./helper');
+const { ParseGraphQLServer } = require('../lib/GraphQL/ParseGraphQLServer');
+
+describe('graphql query complexity', () => {
+  let httpServer;
+  let graphQLServer;
+  const headers = {
+    'X-Parse-Application-Id': 'test',
+    'X-Parse-Javascript-Key': 'test',
+    'Content-Type': 'application/json',
+  };
+
+  async function setupGraphQL(serverOptions = {}) {
+    if (httpServer) {
+      await new Promise(resolve => httpServer.close(resolve));
+    }
+    const server = await reconfigureServer(serverOptions);
+    const expressApp = express();
+    httpServer = http.createServer(expressApp);
+    expressApp.use('/parse', server.app);
+    graphQLServer = new ParseGraphQLServer(server, {
+      graphQLPath: '/graphql',
+    });
+    graphQLServer.applyGraphQL(expressApp);
+    await new Promise(resolve => httpServer.listen({ port: 13378 }, resolve));
+  }
+
+  async function graphqlRequest(query, requestHeaders = headers) {
+    const response = await fetch('http://localhost:13378/graphql', {
+      method: 'POST',
+      headers: requestHeaders,
+      body: JSON.stringify({ query }),
+    });
+    return response.json();
+  }
+
+  function buildDeepQuery(depth) {
+    let query = '{ users { edges { node {';
+    let closing = '';
+    // Each 'users' nesting adds depth through edges > node
+    // Start at depth 4 for the base: users > edges > node > objectId
+    // We add more depth by nesting pointer fields won't work easily,
+    // so instead we build depth with repeated nested field selections
+    for (let i = 0; i < depth; i++) {
+      query += ` f${i} {`;
+      closing += ' }';
+    }
+    query += ' objectId' + closing + ' } } } }';
+    return query;
+  }
+
+  function buildWideQuery(fieldCount) {
+    const fields = Array.from({ length: fieldCount }, (_, i) => `field${i}: objectId`).join('\n      ');
+    return `{ users { edges { node { ${fields} } } } }`;
+  }
+
+  afterEach(async () => {
+    if (httpServer) {
+      await new Promise(resolve => httpServer.close(resolve));
+      httpServer = null;
+    }
+  });
+
+  describe('depth limit', () => {
+    it('should reject query exceeding depth limit', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLDepth: 3 },
+      });
+      // Depth: users(1) > edges(2) > node(3) > objectId(4) = depth 4
+      const result = await graphqlRequest('{ users { edges { node { objectId } } } }');
+      expect(result.errors).toBeDefined();
+      expect(result.errors[0].message).toMatch(
+        /GraphQL query depth of \d+ exceeds maximum allowed depth of 3/
+      );
+    });
+
+    it('should allow query within depth limit', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLDepth: 10 },
+      });
+      const result = await graphqlRequest('{ users { edges { node { objectId } } } }');
+      expect(result.errors).toBeUndefined();
+    });
+
+    it('should allow deep query with master key', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLDepth: 3 },
+      });
+      const result = await graphqlRequest('{ users { edges { node { objectId } } } }', {
+        ...headers,
+        'X-Parse-Master-Key': 'test',
+      });
+      expect(result.errors).toBeUndefined();
+    });
+
+    it('should allow unlimited depth when graphQLDepth is -1', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLDepth: -1 },
+      });
+      const result = await graphqlRequest('{ users { edges { node { objectId } } } }');
+      expect(result.errors).toBeUndefined();
+    });
+  });
+
+  describe('fields limit', () => {
+    it('should reject query exceeding fields limit', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLFields: 5 },
+      });
+      const result = await graphqlRequest(buildWideQuery(10));
+      expect(result.errors).toBeDefined();
+      expect(result.errors[0].message).toMatch(
+        /Number of GraphQL fields \(\d+\) exceeds maximum allowed \(5\)/
+      );
+    });
+
+    it('should allow query within fields limit', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLFields: 200 },
+      });
+      const result = await graphqlRequest('{ users { edges { node { objectId } } } }');
+      expect(result.errors).toBeUndefined();
+    });
+
+    it('should allow wide query with master key', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLFields: 5 },
+      });
+      const result = await graphqlRequest(buildWideQuery(10), {
+        ...headers,
+        'X-Parse-Master-Key': 'test',
+      });
+      expect(result.errors).toBeUndefined();
+    });
+
+    it('should allow unlimited fields when graphQLFields is -1', async () => {
+      await setupGraphQL({
+        requestComplexity: { graphQLFields: -1 },
+      });
+      const result = await graphqlRequest(buildWideQuery(50));
+      expect(result.errors).toBeUndefined();
+    });
+  });
+});
diff --git a/src/GraphQL/ParseGraphQLServer.js b/src/GraphQL/ParseGraphQLServer.js
@@ -11,6 +11,7 @@ import requiredParameter from '../requiredParameter';
 import defaultLogger from '../logger';
 import { ParseGraphQLSchema } from './ParseGraphQLSchema';
 import ParseGraphQLController, { ParseGraphQLConfig } from '../Controllers/ParseGraphQLController';
+import { createComplexityValidationPlugin } from './helpers/queryComplexity';
 
 
 const hasTypeIntrospection = (query) => {
@@ -155,7 +156,7 @@ class ParseGraphQLServer {
           // We need always true introspection because apollo server have changing behavior based on the NODE_ENV variable
           // we delegate the introspection control to the IntrospectionControlPlugin
           introspection: true,
-          plugins: [ApolloServerPluginCacheControlDisabled(), IntrospectionControlPlugin(this.config.graphQLPublicIntrospection)],
+          plugins: [ApolloServerPluginCacheControlDisabled(), IntrospectionControlPlugin(this.config.graphQLPublicIntrospection), createComplexityValidationPlugin(() => this.parseServer.config.requestComplexity)],
           schema,
         });
         await apollo.start();
diff --git a/src/GraphQL/helpers/queryComplexity.js b/src/GraphQL/helpers/queryComplexity.js
@@ -0,0 +1,95 @@
+import { GraphQLError } from 'graphql';
+
+function calculateQueryComplexity(document, fragments) {
+  let maxDepth = 0;
+  let totalFields = 0;
+
+  function visitSelectionSet(selectionSet, depth, visitedFragments) {
+    if (!selectionSet) return;
+    for (const selection of selectionSet.selections) {
+      if (selection.kind === 'Field') {
+        totalFields++;
+        const newDepth = depth + 1;
+        if (newDepth > maxDepth) {
+          maxDepth = newDepth;
+        }
+        if (selection.selectionSet) {
+          visitSelectionSet(selection.selectionSet, newDepth, visitedFragments);
+        }
+      } else if (selection.kind === 'InlineFragment') {
+        visitSelectionSet(selection.selectionSet, depth, visitedFragments);
+      } else if (selection.kind === 'FragmentSpread') {
+        const name = selection.name.value;
+        if (visitedFragments.has(name)) continue;
+        visitedFragments.add(name);
+        const fragment = fragments[name];
+        if (fragment) {
+          visitSelectionSet(fragment.selectionSet, depth, visitedFragments);
+        }
+      }
+    }
+  }
+
+  for (const definition of document.definitions) {
+    if (definition.kind === 'OperationDefinition') {
+      visitSelectionSet(definition.selectionSet, 0, new Set());
+    }
+  }
+
+  return { depth: maxDepth, fields: totalFields };
+}
+
+function createComplexityValidationPlugin(getConfig) {
+  return {
+    requestDidStart: (requestContext) => ({
+      didResolveOperation: async () => {
+        const auth = requestContext.contextValue?.auth;
+        if (auth?.isMaster || auth?.isMaintenance) {
+          return;
+        }
+
+        const config = getConfig();
+        if (!config) return;
+
+        const { graphQLDepth, graphQLFields } = config;
+        if (graphQLDepth === -1 && graphQLFields === -1) return;
+
+        const fragments = {};
+        for (const definition of requestContext.document.definitions) {
+          if (definition.kind === 'FragmentDefinition') {
+            fragments[definition.name.value] = definition;
+          }
+        }
+
+        const { depth, fields } = calculateQueryComplexity(
+          requestContext.document,
+          fragments
+        );
+
+        if (graphQLDepth !== -1 && depth > graphQLDepth) {
+          throw new GraphQLError(
+            `GraphQL query depth of ${depth} exceeds maximum allowed depth of ${graphQLDepth}`,
+            {
+              extensions: {
+                http: { status: 400 },
+              },
+            }
+          );
+        }
+
+        if (graphQLFields !== -1 && fields > graphQLFields) {
+          throw new GraphQLError(
+            `Number of GraphQL fields (${fields}) exceeds maximum allowed (${graphQLFields})`,
+            {
+              extensions: {
+                http: { status: 400 },
+              },
+            }
+          );
+        }
+      },
+    }),
+  };
+}
+
+export { calculateQueryComplexity, createComplexityValidationPlugin };
