feat: depth limits

Author: 0xneves

indexer/package.json

@@ -8,6 +8,7 @@
   "dependencies": {
     "@apollo/server": "^4.11.0",
     "@aws-sdk/client-s3": "^3.514.0",
+    "@graphile/depth-limit": "^0.3.1",
     "@graphql-codegen/cli": "^5.0.2",
     "@graphql-codegen/typescript": "^4.0.9",
     "@graphql-codegen/typescript-resolvers": "^4.2.1",
@@ -23,7 +24,7 @@
     "cors": "^2.8.5",
     "dataloader": "^2.2.2",
     "express": "^4.18.2",
-    "graphql": "^16.9.0",
+    "graphql": "^16.10.0",
     "graphql-query-complexity": "^1.0.0",
     "graphql-scalars": "^1.23.0",
     "graphql-subscriptions": "^2.0.0",

indexer/src/kadena-server/server.ts

@@ -26,15 +26,12 @@ import { dispatchInfoSchema } from '../jobs/publisher-job';
 import initCache from '../cache/init';
 import { getRequiredEnvString } from '../utils/helpers';
 import ipRangeCheck from 'ip-range-check';
-import {
-  createComplexityRule,
-  fieldExtensionsEstimator,
-  getComplexity,
-  simpleEstimator,
-} from 'graphql-query-complexity';
+import { fieldExtensionsEstimator, getComplexity, simpleEstimator } from 'graphql-query-complexity';
+import { depthLimit } from '@graphile/depth-limit';
 
 // Maximum allowed complexity
 const MAX_COMPLEXITY = 100;
+const MAX_DEPTH = 5;
 
 const typeDefs = readFileSync(join(__dirname, './config/schema.graphql'), 'utf-8');
 
@@ -125,6 +122,17 @@ export async function useKadenaGraphqlServer() {
     typeDefs,
     resolvers,
     introspection: true,
+    validationRules: [
+      depthLimit({
+        maxDepth: 7, // Reasonable depth for most queries
+        maxListDepth: 5, // Prevent deeply nested array queries
+        maxSelfReferentialDepth: 2, // Limit recursive queries
+        maxIntrospectionDepth: 15, // Limit introspection query depth
+        maxIntrospectionListDepth: 8, // Limit introspection array depth
+        maxIntrospectionSelfReferentialDepth: 2,
+        revealDetails: false, // Don't expose limits to clients
+      }),
+    ],
     plugins: [
       validatePaginationParamsPlugin,
       ApolloServerPluginDrainHttpServer({ httpServer }),

yarn.lock

@@ -1525,6 +1525,11 @@
   resolved "https://registry.yarnpkg.com/@eslint/js/-/js-8.57.0.tgz#a5417ae8427873f1dd08b70b3574b453e67b5f7f"
   integrity sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==
 
+"@graphile/depth-limit@^0.3.1":
+  version "0.3.1"
+  resolved "https://registry.yarnpkg.com/@graphile/depth-limit/-/depth-limit-0.3.1.tgz#b0872a3a1cd7ac99555a39f897442f9b366d95e5"
+  integrity sha512-3MwdOEScb7yZJnU/qM4sR7MEW7Nge8XxsvBmj33YamP+1e2st43M1VDYviPnOvqAPrIg2PJvvuNux+IId8sn0A==
+
 "@graphile/[email protected]":
   version "4.11.0"
   resolved "https://registry.yarnpkg.com/@graphile/lru/-/lru-4.11.0.tgz#dd805ee083063488796ec0eac5a8b50b21c076f9"
@@ -5913,10 +5918,10 @@ graphql-ws@^5.14.0, graphql-ws@^5.16.0, graphql-ws@^5.6.2:
   resolved "https://registry.yarnpkg.com/graphql/-/graphql-15.8.0.tgz#33410e96b012fa3bdb1091cc99a94769db212b38"
   integrity sha512-5gghUc24tP9HRznNpV2+FIoq3xKkj5dTQqf4v0CpdPbFVwFkWoxOM+o+2OC9ZSvjEMTjfmG9QT+gcvggTwW1zw==
 
-graphql@^16.9.0:
-  version "16.9.0"
-  resolved "https://registry.yarnpkg.com/graphql/-/graphql-16.9.0.tgz#1c310e63f16a49ce1fbb230bd0a000e99f6f115f"
-  integrity sha512-GGTKBX4SD7Wdb8mqeDLni2oaRGYQWjWHGKPQ24ZMnUtKfcsVoiv4uX8+LJr1K6U5VW2Lu1BwJnj7uiori0YtRw==
+graphql@^16.10.0:
+  version "16.10.0"
+  resolved "https://registry.yarnpkg.com/graphql/-/graphql-16.10.0.tgz#24c01ae0af6b11ea87bf55694429198aaa8e220c"
+  integrity sha512-AjqGKbDGUFRKIRCP9tCKiIGHyriz2oHEbPIbEtcSLSs4YjReZOIPQQWek4+6hjw62H9QShXHyaGivGiYVLeYFQ==
 
 h3@^1.10.2, h3@^1.11.1:
   version "1.11.1"