goto-bus-stop
commented
11 months ago Also added tests for input objects and directives. Directives in particular didn't cause a stack overflow even with thousands of definitions, but they did take over 60 seconds to validate, so the limit also helps with that.
I lowered the limit to 200 because fragments could still overflow with 500 (the cycles detection works with 500, but the recursion in validate_fragment_definition is more expensive as it cycles through a few different and bigger methods).
Thinking about the serde_json limit, 200 is still a lot!
Fixes https://github.com/apollographql/apollo-rs/issues/742
The validation code already had protections for cycles. However if you provided a very long chain of types or fragments referencing each other, it could chase each reference and still cause a stack overflow. This does pretty much require malicious input, but the failure mode is quite bad, so it's worth protecting against.
Self-referential directives and input objects now also show the chain that was followed in diagnostics. The directives one can be a bit incomplete because there may be a different kind of node in between (eg there might be a directive applied to an enum used inside an input type used as an argument to the same directive... and only directive names are tracked in the chain.) I think we can improve that with other diagnostics work soon, this is already an improvement.