
Introduce "recommended" validation rules #4118

Merged
merged 37 commits into from
Jun 21, 2024

Conversation

benjie (Member) commented Jun 21, 2024

The GraphQL specification mandates certain validation rules that all compliant GraphQL services must implement. Beyond these, services are free to add their own validation rules. The TSC has been discussing the idea of "recommended" validation rules for some time, rules that are not mandatory for compliance but are recommended to enhance the resilience of GraphQL schemas.

@enisdenjo has developed a new validation rule to limit introspection query depth; the TSC saw this as an excellent opportunity to introduce the new "recommended" validation rules system.

This PR introduces a new recommendedRules export to contain these recommended rules, starting with Denis' rule. To ensure seamless integration we are merging these recommendedRules into the existing specifiedRules export, which acts as the default list of validation rules (we may adjust this approach in a future major release, possibly by exposing a defaultRules export, but for now we aim to ease adoption).

Services can opt-out of the recommended rules by creating their own rules list without them:

const rules = specifiedRules.filter(rule => !recommendedRules.includes(rule));

We anticipate adding to these recommended rules over time and iterating them based on community feedback. Ultimately they may become recommended as part of the official specification, or be removed from the defaults.
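As an added illustration (not code from this PR or from graphql-js), a stripped-down introspection depth check: it parses a bare selection set, strips argument lists, ignores aliases, fragments and directives, and flags a `__schema` or `__type` selection once list-valued introspection fields nest three deep, the limit the apollographql/router commit messages below mention. The set of list-valued fields (`fields`, `interfaces`, `possibleTypes`, `inputFields`) and the exact boundary are assumptions made here, not taken from the page.

```javascript
// Added example, not graphql-js's rule: simplified introspection depth check.
const MAX_LISTS_DEPTH = 3; // the limit discussed in the router commit messages
// Assumed set of introspection fields that expand into lists of further types.
const LIST_FIELDS = new Set(['fields', 'interfaces', 'possibleTypes', 'inputFields']);

// Parse "{ a { b c } }" into [{ name, selectionSet }] nodes; arguments are stripped.
function parseSelectionSet(source) {
  const tokens = source.replace(/\([^)]*\)/g, '').match(/[{}]|[A-Za-z_]\w*/g) ?? [];
  let pos = 0;
  function parseBlock() {
    if (tokens[pos++] !== '{') throw new Error('expected "{"');
    const selections = [];
    while (tokens[pos] !== '}') {
      if (pos >= tokens.length) throw new Error('unbalanced selection set');
      const name = tokens[pos++];
      const selectionSet = tokens[pos] === '{' ? parseBlock() : [];
      selections.push({ name, selectionSet });
    }
    pos++; // consume the closing brace
    return selections;
  }
  const selections = parseBlock();
  if (pos !== tokens.length) throw new Error('unexpected trailing tokens');
  return selections;
}

// Deepest count of nested LIST_FIELDS reachable from these selections.
function listDepth(selections, depth = 0) {
  let deepest = depth;
  for (const sel of selections) {
    const next = LIST_FIELDS.has(sel.name) ? depth + 1 : depth;
    deepest = Math.max(deepest, listDepth(sel.selectionSet, next));
  }
  return deepest;
}

// One error per __schema/__type selection whose list-field nesting reaches
// MAX_LISTS_DEPTH; an empty array means the query passes this rule.
function validateIntrospectionDepth(query) {
  const errors = [];
  (function walk(selections) {
    for (const sel of selections) {
      const introspection = sel.name === '__schema' || sel.name === '__type';
      if (introspection && listDepth(sel.selectionSet) >= MAX_LISTS_DEPTH) {
        errors.push(`Maximum introspection depth exceeded at ${sel.name}`);
      } else {
        walk(sel.selectionSet);
      }
    }
  })(parseSelectionSet(query));
  return errors;
}
```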

netlify bot commented Jun 21, 2024

Deploy Preview for compassionate-pike-271cb3 ready!

Latest commit: 73e2166
Latest deploy log: https://app.netlify.com/sites/compassionate-pike-271cb3/deploys/667565064feae80008d4d3d7
Deploy Preview: https://deploy-preview-4118--compassionate-pike-271cb3.netlify.app

Hi @benjie, I'm the @github-actions bot, happy to help you with this PR 👋

Supported commands

Please post these commands in separate comments and only one per comment:

  • @github-actions run-benchmark - Run benchmark comparing base and merge commits for this PR
  • @github-actions publish-pr-on-npm - Build package from this PR and publish it on NPM

@benjie benjie merged commit 2744f58 into main Jun 21, 2024
35 checks passed
@benjie benjie deleted the maxintfields branch June 21, 2024 11:35
@benjie benjie added the PR: feature 🚀 requires increase of "minor" version number label Jun 21, 2024
SimonSapin added a commit to apollographql/router that referenced this pull request Sep 9, 2024
This protection against introspection queries generating huge responses
was added recently in graphql-js graphql/graphql-js#4118
and ported to rust apollographql/apollo-rs#904,
but is not yet present in the graphql-js version used by router-bridge.

This disables it for now from Rust introspection, in order to match
the current state of JS introspection.

Adding this rule (in both implementations) can be revisited separately.
In particular: the depth limit is hard-coded to 3. Is that the right number?
Should it be configurable? Is the rule checking the right set of fields?
SimonSapin added a commit to apollographql/router that referenced this pull request Sep 10, 2024
TylerBloom pushed a commit to apollographql/router that referenced this pull request Sep 16, 2024