
Feature: Mobile View - Added GraphQL max_depth handling to protect the system.

Martin Gruner 3 years ago
parent
commit
978f8a8b5f

+ 3 - 3
app/graphql/gql/zammad_schema.rb

@@ -11,10 +11,10 @@ class Gql::ZammadSchema < GraphQL::Schema
   # Enable batch loading
   use GraphQL::Batch
 
+  # Set maximum page size and depth to protect the system.
+  #   Values may need to be adjusted in future.
   default_max_page_size 1000
-
-  # # Enable ActionCable and GraphQL connection
-  # use GraphQL::Subscriptions::ActionCableSubscriptions
+  max_depth 10
 
   # Union and Interface Resolution
   def self.resolve_type(_abstract_type, obj, _ctx)
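Review bot: `max_depth 10` bounds nesting only, not breadth, so a query that stays within ten levels can still request up to `default_max_page_size 1000` items at every nested connection; graphql-ruby's `max_complexity` is the complementary limit and is worth setting alongside it, or the new comment should say that breadth is deliberately left unbounded for now. The comment could also record that the schema value is a default which callers can raise per request via `execute(..., max_depth:)`, as the introspection generator in this same commit does with 13, so a reader knows where to look when the limit appears not to apply. Suggested wording: `# Default depth limit for all queries; individual execute() calls may override it (see the introspection generator).`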

+ 1 - 1
lib/generators/graphql_introspection/graphql_introspection_generator.rb

@@ -3,7 +3,7 @@
 class Generators::GraphqlIntrospection::GraphqlIntrospectionGenerator < Rails::Generators::Base
 
   def generate
-    result = Gql::ZammadSchema.execute(introspection_query, variables: {}, context: { is_graphql_introspection_generator: true })
+    result = Gql::ZammadSchema.execute(introspection_query, variables: {}, context: { is_graphql_introspection_generator: true }, max_depth: 13)
     raise 'GraphQL schema could not be successfully generated' if result['errors']
 
     # rubocop:disable Rails/Output
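Review bot: The literal `max_depth: 13` on the execute call is unexplained, and nothing ties it to the schema-wide `max_depth 10` set elsewhere in this commit, so whoever tightens the schema limit next will not know this override exists or why 13 is enough. Pull it into a named constant with a why-comment, e.g. `# Introspection queries nest deeper than the schema's default max_depth; 13 is sufficient for the current schema.` above `INTROSPECTION_MAX_DEPTH = 13`, and pass `max_depth: INTROSPECTION_MAX_DEPTH` from the call. The `generate` method continues past the end of the hunk.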

+ 47 - 0
spec/graphql/gql/zammad_schema_max_depth_spec.rb

@@ -0,0 +1,47 @@
+# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
+
+require 'rails_helper'
+
+RSpec.describe Gql::ZammadSchema, type: :graphql do
+
+  context 'when making queries that are too complex', authenticated_as: :agent do
+    let(:agent) { create(:agent, department: 'TestDepartment') }
+    let(:query) do
+      <<~QUERY
+        query currentUser {
+          currentUser {
+            organization {
+              members {
+                nodes {
+                  firstname
+                  organization {
+                    members {
+                      nodes {
+                        firstname
+                        organization {
+                          members {
+                            nodes {
+                              firstname
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      QUERY
+    end
+
+    before do
+      graphql_execute(query)
+    end
+
+    it 'has data' do
+      expect(graphql_response['errors']).to eq([{ 'message'=>'Query has depth of 11, which exceeds max depth of 10' }])
+    end
+  end
+end
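Review bot: The example description `it 'has data'` mislabels what the assertion checks, which is that the response carries a max-depth error; rename it, e.g. `it 'rejects the query with a max depth error'`. The spec covers only the failing side of the boundary: a sibling example using a query of depth exactly 10 that expects `graphql_response['errors']` to be nil would catch the limit being set too low as well as too high. Matching the full error string also couples the spec to graphql-ruby's wording; asserting the message with `include('exceeds max depth of 10')` would be less brittle across library upgrades.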