overblog · mcg-web · Aug 21, 2017 · Aug 18, 2017
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -198,13 +198,13 @@ private function addBuilderSection($name)
     private function addSecurityQuerySection($name, $disabledValue)
     {
         $builder = new TreeBuilder();
-        $node = $builder->root($name, 'integer');
+        $node = $builder->root($name, 'scalar');
         $node->beforeNormalization()
                 ->ifTrue(function ($v) {
                     return is_string($v) && is_numeric($v);
                 })
                 ->then(function ($v) {
-                    return intval($v);
+                    return (int) $v;
                 })
             ->end();
 
@@ -221,7 +221,7 @@ private function addSecurityQuerySection($name, $disabledValue)
             ->defaultFalse()
             ->validate()
                 ->ifTrue(function ($v) {
-                    return $v < 0;
+                    return is_int($v) && $v < 0;
                 })
                 ->thenInvalid('"overblog_graphql.security.'.$name.'" must be greater or equal to 0.')
             ->end()

diff --git a/Tests/Functional/Security/QueryComplexityTest.php b/Tests/Functional/Security/QueryComplexityTest.php
@@ -56,6 +56,19 @@ public function testComplexityReachLimitation()
         $this->assertResponse($this->userFriendsWithoutLimitQuery, $expected, self::ANONYMOUS_USER, 'queryComplexity');
     }
 
+    public function testComplexityReachLimitationEnv()
+    {
+        $expected = [
+            'errors' => [
+                [
+                    'message' => 'Max query complexity should be 10 but got 54.',
+                ],
+            ],
+        ];
+
+        $this->assertResponse($this->userFriendsWithoutLimitQuery, $expected, self::ANONYMOUS_USER, 'queryComplexityEnv');
+    }
+
     public function testComplexityUnderLimitation()
     {
         $expected = [

diff --git a/Tests/Functional/Security/QueryMaxDepthTest.php b/Tests/Functional/Security/QueryMaxDepthTest.php
@@ -0,0 +1,95 @@
+<?php
+
+/*
+ * This file is part of the OverblogGraphQLBundle package.
+ *
+ * (c) Overblog <http://github.com/overblog/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Overblog\GraphQLBundle\Tests\Functional\Security;
+
+use Overblog\GraphQLBundle\Tests\Functional\TestCase;
+
+class QueryMaxDepthTest extends TestCase
+{
+    private $userFriendsWithoutViolationQuery = <<<'EOF'
+query {
+  user {
+    friends(first:1) {
+      edges {
+        node {
+          name
+        }
+      }
+    }
+  }
+}
+EOF;
+
+    private $userFriendsWithViolationQuery = <<<'EOF'
+query {
+  user {
+    friends(first: 1) {
+      edges {
+        node {
+          name
+          friends {
+            edges {
+              node {
+                name
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+EOF;
+
+    public function testMaxDepthReachLimitation()
+    {
+        $expected = [
+            'errors' => [
+                [
+                    'message' => 'Max query depth should be 3 but got 6.',
+                ],
+            ],
+        ];
+
+        $this->assertResponse($this->userFriendsWithViolationQuery, $expected, self::ANONYMOUS_USER, 'queryMaxDepth');
+    }
+
+    public function testMaxDepthReachLimitationEnv()
+    {
+        $expected = [
+            'errors' => [
+                [
+                    'message' => 'Max query depth should be 3 but got 6.',
+                ],
+            ],
+        ];
+
+        $this->assertResponse($this->userFriendsWithViolationQuery, $expected, self::ANONYMOUS_USER, 'queryMaxDepthEnv');
+    }
+
+    public function testComplexityUnderLimitation()
+    {
+        $expected = [
+            'data' => [
+                'user' => [
+                    'friends' => [
+                        'edges' => [
+                            ['node' => ['name' => 'Nick']],
+                        ],
+                    ],
+                ],
+            ],
+        ];
+
+        $this->assertResponse($this->userFriendsWithoutViolationQuery, $expected, self::ANONYMOUS_USER, 'queryMaxDepth');
+    }
+}
diff --git a/Tests/Functional/app/config/queryComplexityEnv/config.yml b/Tests/Functional/app/config/queryComplexityEnv/config.yml
@@ -0,0 +1,20 @@
+imports:
+    - { resource: ../config.yml }
+    - { resource: ../connection/services.yml }
+
+parameters:
+    overblog_graphql.type_class_namespace: "Overblog\\GraphQLBundle\\QueryComplexity\\__DEFINITIONS__"
+    env(GRAPHQL_QUERY_MAX_COMPLEXITY): 10
+
+overblog_graphql:
+    security:
+        query_max_complexity: '%env(GRAPHQL_QUERY_MAX_COMPLEXITY)%'
+    definitions:
+        schema:
+            query: Query
+            mutation: ~
+        mappings:
+            types:
+                -
+                    type: yml
+                    dir: "%kernel.root_dir%/config/queryComplexity/mapping"
diff --git a/Tests/Functional/app/config/queryMaxDepth/config.yml b/Tests/Functional/app/config/queryMaxDepth/config.yml
@@ -0,0 +1,19 @@
+imports:
+    - { resource: ../config.yml }
+    - { resource: ../connection/services.yml }
+
+parameters:
+    overblog_graphql.type_class_namespace: "Overblog\\GraphQLBundle\\QueryComplexity\\__DEFINITIONS__"
+
+overblog_graphql:
+    security:
+        query_max_depth: '3'
+    definitions:
+        schema:
+            query: Query
+            mutation: ~
+        mappings:
+            types:
+                -
+                    type: yml
+                    dir: "%kernel.root_dir%/config/queryMaxDepth/mapping"
diff --git a/Tests/Functional/app/config/queryMaxDepth/mapping/connectionSimple.types.yml b/Tests/Functional/app/config/queryMaxDepth/mapping/connectionSimple.types.yml
@@ -0,0 +1,32 @@
+Query:
+    type: object
+    config:
+        fields:
+            user:
+                type: User
+                resolve: '@=resolver("query")'
+
+User:
+    type: object
+    config:
+        fields:
+            name:
+                type: String
+            friends:
+                type: friendConnection
+                argsBuilder: "Relay::Connection"
+                resolve: '@=resolver("friends", [value, args])'
+
+friendConnection:
+    type: relay-connection
+    config:
+        nodeType: User
+        resolveNode: '@=resolver("node", [value])'
+        edgeFields:
+            friendshipTime:
+                type: String
+                resolve: "Yesterday"
+        connectionFields:
+            totalCount:
+                type: Int
+                resolve: '@=resolver("connection")'
diff --git a/Tests/Functional/app/config/queryMaxDepthEnv/config.yml b/Tests/Functional/app/config/queryMaxDepthEnv/config.yml
@@ -0,0 +1,20 @@
+imports:
+    - { resource: ../config.yml }
+    - { resource: ../connection/services.yml }
+
+parameters:
+    overblog_graphql.type_class_namespace: "Overblog\\GraphQLBundle\\QueryComplexity\\__DEFINITIONS__"
+    env(GRAPHQL_QUERY_MAX_DEPTH): 3
+
+overblog_graphql:
+    security:
+        query_max_depth: '%env(GRAPHQL_QUERY_MAX_DEPTH)%'
+    definitions:
+        schema:
+            query: Query
+            mutation: ~
+        mappings:
+            types:
+                -
+                    type: yml
+                    dir: "%kernel.root_dir%/config/queryMaxDepth/mapping"