author | Sean McGivern <sean@gitlab.com> | 2019-05-08 08:46:56 +0000 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2019-05-08 08:46:56 +0000 |
commit | 9f888c7440a99f0c9bd59ac066fae88e7c863e41 (patch) | |
tree | 83f534032d8098414de3a3957f3a591e4e412e52 /app/graphql | |
parent | 69cfdfaed3e5a63bc8af39ca4b42c932db1b7f75 (diff) | |
parent | f80f68d520b98ae60300ecf0758ff241218e9cd0 (diff) | |
Merge branch '58404-set-default-max-depth-for-GraphQL' into 'master'
58404 - setup max depth for graphql
Closes #58404
See merge request gitlab-org/gitlab-ce!25737
Diffstat (limited to 'app/graphql')
-rw-r--r-- | app/graphql/gitlab_schema.rb | 42 |
1 files changed, 30 insertions, 12 deletions
diff --git a/app/graphql/gitlab_schema.rb b/app/graphql/gitlab_schema.rb
index a12568d5d31..897e12c1b56 100644
--- a/app/graphql/gitlab_schema.rb
+++ b/app/graphql/gitlab_schema.rb
@@ -7,6 +7,9 @@ class GitlabSchema < GraphQL::Schema
 AUTHENTICATED_COMPLEXITY = 250
 ADMIN_COMPLEXITY = 300
+ ANONYMOUS_MAX_DEPTH = 10
+ AUTHENTICATED_MAX_DEPTH = 15
+
 use BatchLoader::GraphQL
 use Gitlab::Graphql::Authorize
 use Gitlab::Graphql::Present
@@ -23,21 +26,36 @@ class GitlabSchema < GraphQL::Schema
 mutation(Types::MutationType)
- def self.execute(query_str = nil, **kwargs)
- kwargs[:max_complexity] ||= max_query_complexity(kwargs[:context])
+ class << self
+ def execute(query_str = nil, **kwargs)
+ kwargs[:max_complexity] ||= max_query_complexity(kwargs[:context])
+ kwargs[:max_depth] ||= max_query_depth(kwargs[:context])
- super(query_str, **kwargs)
- end
+ super(query_str, **kwargs)
+ end
+
+ private
+
+ def max_query_complexity(ctx)
+ current_user = ctx&.fetch(:current_user, nil)
+
+ if current_user&.admin
+ ADMIN_COMPLEXITY
+ elsif current_user
+ AUTHENTICATED_COMPLEXITY
+ else
+ DEFAULT_MAX_COMPLEXITY
+ end
+ end
- def self.max_query_complexity(ctx)
- current_user = ctx&.fetch(:current_user, nil)
+ def max_query_depth(ctx)
+ current_user = ctx&.fetch(:current_user, nil)
- if current_user&.admin
- ADMIN_COMPLEXITY
- elsif current_user
- AUTHENTICATED_COMPLEXITY
- else
- DEFAULT_MAX_COMPLEXITY
+ if current_user
+ AUTHENTICATED_MAX_DEPTH
+ else
+ ANONYMOUS_MAX_DEPTH
+ end
 end
 end
 end |
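Review bot: The depth cap in the second hunk is applied only inside the overridden `execute`, via `kwargs[:max_depth] ||= max_query_depth(kwargs[:context])`, so nothing visible here applies it to entry points that bypass this method, such as a direct call to graphql-ruby's `multiplex`. The class body continues outside the hunk, so a schema-level default may already exist; if it does not, I would add `max_depth ANONYMOUS_MAX_DEPTH` next to the new constants so the strictest limit is the fallback. Because `||=` keeps whatever the caller passes, `execute` also deserves a comment such as `# max_depth / max_complexity must never come from request parameters: a caller-supplied value overrides the per-user limit`. Separately, `private` now hides `max_query_complexity`, which was a public class method before this change, so any caller outside the class would break.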