Add query depth and field count limits to Validator#4230
Open
andimarek wants to merge 3 commits intovalidation-refactorfrom
Open
Add query depth and field count limits to Validator#4230andimarek wants to merge 3 commits intovalidation-refactorfrom
andimarek wants to merge 3 commits intovalidation-refactorfrom
Conversation
2a2074b to
2656347
Compare
This provides a lightweight alternative to ExecutableNormalizedOperation
(ENO) for tracking query complexity during validation.
New features:
- QueryComplexityLimits class with maxDepth and maxFieldsCount settings
- Configuration via GraphQLContext using QueryComplexityLimits.KEY
- Fragment fields counted at each spread site (like ENO)
- Depth tracking measures nested Field nodes
- New validation error types: MaxQueryDepthExceeded, MaxQueryFieldsExceeded
Implementation notes:
- Fragment complexity is calculated lazily during first spread traversal
- No additional AST traversal needed - complexity tracked during normal
validation traversal
- Subsequent spreads of the same fragment add the stored complexity
Usage:
```java
QueryComplexityLimits limits = QueryComplexityLimits.newLimits()
.maxDepth(10)
.maxFieldsCount(100)
.build();
ExecutionInput input = ExecutionInput.newExecutionInput()
.query(query)
.graphQLContext(ctx -> ctx.put(QueryComplexityLimits.KEY, limits))
.build();
```
Co-Authored-By: Claude Opus 4.5 <[email protected]>
2656347 to
2c49495
Compare
Move introspection abuse detection from execution-time ENO creation to the validation layer. This eliminates the expensive ExecutableNormalizedOperation construction for every introspection query. The validator now enforces two checks when GOOD_FAITH_INTROSPECTION is enabled: field repetition (__schema/__type max once, __Type cycle fields max once) and tightened complexity limits (500 fields, 20 depth). Co-Authored-By: Claude Opus 4.6 <[email protected]>
Update to use renamed methods from validation-refactor: - shouldRunNonFragmentSpreadChecks() → shouldRunDocumentLevelRules() - fragmentSpreadVisitDepth → fragmentRetraversalDepth - operationScope checks → shouldRunOperationScopedRules() Fix NullAway errors from master's @NullMarked additions by adding @nullable annotations to ParseAndValidate.validate() limits param, GoodFaithIntrospection.goodFaithLimits() param, and ValidationContext constructor limits param.
Member
|
Adding a breaking change label, this is technically a breaking change to add a new depth/field limit |
dondonz
approved these changes
Mar 22, 2026
Member
dondonz
left a comment
There was a problem hiding this comment.
Approved, although there's a merge conflict with another recent PR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
QueryComplexityLimitsclass for configuringmaxDepthandmaxFieldsCountlimitsExecutableNormalizedOperation(ENO) for tracking query complexityMaxQueryDepthExceeded,MaxQueryFieldsExceededUsage
Test plan
🤖 Generated with Claude Code