authorBrett Walker <bwalker@gitlab.com>2019-03-27 15:02:25 -0500
committerBrett Walker <bwalker@gitlab.com>2019-04-04 08:39:30 -0500
commitf458c561070d754cd546b07caf60dfa7ffb06293 (patch)
treeef4c65fb5b6767030c0c8b88223f415eabfe88be /app/graphql/gitlab_schema.rb
parent815901e322b60d28983f52a7ce5e98555285bef8 (diff)
downloadgitlab-ce-f458c561070d754cd546b07caf60dfa7ffb06293.tar.gz
Initial field and query complexity limits58405-basic-limiting-complexity-of-graphql-queries
It makes all Types::BaseField default to a complexity of 1. Queries themselves now have limited complexity, scaled to the type of user: no user, authenticated user, or an admin user.
Diffstat (limited to 'app/graphql/gitlab_schema.rb')
-rw-r--r--app/graphql/gitlab_schema.rb30
1 files changed, 30 insertions, 0 deletions
diff --git a/app/graphql/gitlab_schema.rb b/app/graphql/gitlab_schema.rb
index 06d26309b5b..ff4d0611da9 100644
--- a/app/graphql/gitlab_schema.rb
+++ b/app/graphql/gitlab_schema.rb
@@ -1,13 +1,43 @@
# frozen_string_literal: true
class GitlabSchema < GraphQL::Schema
+ # Took our current most complicated query in use, issues.graphql,
+ # with a complexity of 19, and added a 20 point buffer to it.
+ # These values will evolve over time.
+ DEFAULT_MAX_COMPLEXITY = 40
+ AUTHENTICATED_COMPLEXITY = 50
+ ADMIN_COMPLEXITY = 60
+
use BatchLoader::GraphQL
use Gitlab::Graphql::Authorize
use Gitlab::Graphql::Present
use Gitlab::Graphql::Connections
+ query_analyzer Gitlab::Graphql::QueryAnalyzers::LogQueryComplexity.analyzer
+
query(Types::QueryType)
default_max_page_size 100
+
+ max_complexity DEFAULT_MAX_COMPLEXITY
+
mutation(Types::MutationType)
+
+ def self.execute(query_str = nil, **kwargs)
+ kwargs[:max_complexity] ||= max_query_complexity(kwargs[:context])
+
+ super(query_str, **kwargs)
+ end
+
+ def self.max_query_complexity(ctx)
+ current_user = ctx&.fetch(:current_user)
+
+ if current_user&.admin
+ ADMIN_COMPLEXITY
+ elsif current_user
+ AUTHENTICATED_COMPLEXITY
+ else
+ DEFAULT_MAX_COMPLEXITY
+ end
+ end
end
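Review bot: `ctx&.fetch(:current_user)` in `max_query_complexity` raises `KeyError` whenever the context hash is present but has no `:current_user` key, so a query run with a user-less context errors out instead of being held to `DEFAULT_MAX_COMPLEXITY`; `current_user = ctx&.fetch(:current_user, nil)` (or `ctx&.[](:current_user)`) preserves the intended anonymous fallback. The `||=` in `execute` also means any caller that passes its own `max_complexity:` replaces the per-user ceiling rather than being capped by it, which looks deliberate but deserves a comment such as `# A caller-supplied max_complexity wins over the per-user default; keep it at or below ADMIN_COMPLEXITY.` Since the per-user limit is applied only in `execute`, other entry points on the schema presumably fall back to the schema-wide `max_complexity DEFAULT_MAX_COMPLEXITY`, which is the strictest of the three — worth stating in the class comment so nobody later assumes the user-scaled limits apply everywhere.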