feat: implement default GraphQL query depth limiting #9789 (#9831)
Open
envsecure wants to merge 2 commits into keystonejs:main from
Conversation
This PR implements query depth limiting to protect the Keystone server from deeply nested circular queries that can cause resource exhaustion (DoS).
- Added 'maxDepth' option to KeystoneConfig (default: 20).
- Integrated 'graphql-depth-limit' validation rule into Apollo Server setup.
- Added 'graphql-depth-limit' as a dependency to @keystone-6/core.
Resolves keystonejs#9789
Description
This PR addresses the security concern raised in #9789 by implementing a default GraphQL query depth limit.
🛡️ Why is this needed?
Without a depth limit, malicious users can send deeply nested circular queries (e.g., author -> posts -> author -> posts...) that consume exponential server resources, leading to a Denial of Service (DoS).
🛠️ Changes
- Added 'maxDepth' to the 'graphql' section of 'KeystoneConfig'. It defaults to 20 levels, which is a sensible balance between security and flexibility.
- Integrated the 'graphql-depth-limit' package as a validation rule in the Apollo Server setup.
- Added 'graphql-depth-limit' to '@keystone-6/core'.
Verification
- 'maxDepth' type to the config so it's discoverable via IntelliSense.
- 'depthLimit' rule before any user-defined rules.
Resolves #9789
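As an added illustration of what the depth rule described in this PR rejects (this is not Keystone's or graphql-depth-limit's code): a minimal selection-set depth counter over a raw query string, using the assumed convention that a top-level field has depth 1, run against the author -> posts -> author cycle from the description. Fragment spreads are not resolved here, which a production rule such as graphql-depth-limit must do, since a spread can hide nesting that a plain brace count never sees.

```javascript
// Added example, not Keystone's or graphql-depth-limit's code. Convention
// (assumed here): a top-level field has depth 1; each nested selection set
// adds one. Fragment spreads are not resolved, so this is illustration only.
function queryDepth(query) {
  let depth = 0, maxDepth = 0, parens = 0, i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                       // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (ch === '"') {                       // "string" or """block string"""
      const close = query.startsWith('"""', i) ? '"""' : '"';
      i += close.length;
      while (i < query.length && !query.startsWith(close, i)) {
        i += query[i] === '\\' ? 2 : 1;     // skip escaped characters
      }
      i += close.length;
      continue;
    }
    if (ch === '(') parens++;               // argument lists and variable
    else if (ch === ')') parens--;          // defaults may contain { } too
    else if (parens === 0 && ch === '{') {  // only count selection sets
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (parens === 0 && ch === '}') depth--;
    i++;
  }
  return maxDepth;
}

// The rule's decision: reject once depth exceeds the configured maximum
// (the PR's default is 20). Returns a result so callers can log rejections.
function checkDepth(query, maxDepth = 20) {
  const depth = queryDepth(query);
  if (depth > maxDepth) {
    return { ok: false, depth, error: `Query depth ${depth} exceeds maximum depth ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Constructed sample: the author -> posts -> author cycle from the PR, with
// `hops` relationship levels nested below the top-level `author` field.
function cyclicQuery(hops) {
  let body = 'id';
  for (let i = 0; i < hops; i++) body = `${i % 2 ? 'author' : 'posts'} { ${body} }`;
  return `query { author { ${body} } }`;
}

console.log(checkDepth(cyclicQuery(3)).ok, checkDepth(cyclicQuery(25)).ok); // true false
```

Braces inside argument values (Keystone's nested 'where' filters) and inside strings or comments are deliberately ignored, so only real selection-set nesting counts toward the limit.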