[CVE-2023-40180] Add protection against recursive queries

README.md

@@ -71,7 +71,8 @@ composer require silverstripe/graphql
  - [CSRF tokens (required for mutations)](#csrf-tokens-required-for-mutations)
  - [Cross-Origin Resource Sharing (CORS)](#cross-origin-resource-sharing-cors)
    - [Sample Custom CORS Config](#sample-custom-cors-config)
- - [Persisting Queries](#persisting-queries)   
+ - [Recursive or complex queries](#recursive-or-complex-queries)
+ - [Persisting Queries](#persisting-queries)
  - [Schema introspection](#schema-introspection)
  - [Setting up a new GraphQL schema](#setting-up-a-new-graphql-schema)
  - [Strict HTTP Method Checking](#strict-http-method-checking)
@@ -2391,8 +2392,42 @@ SilverStripe\Core\Injector\Injector:
     properties:
       corsConfig:
         Enabled: false
-``` 
+```
+
+## Recursive or complex queries
+
+GraphQL schemas can contain recursive types and circular dependencies. Recursive or overly complex queries can take up a lot of resources,
+and could have a high impact on server performance and even result in a denial of service if not handled carefully.
+
+Before parsing queries, if a query is found to have more than 500 nodes, it is rejected.
+
+While executing queries, there is a default query depth limit of 15 for all schemas, and no current complexity limit.
+
+For calculating the query complexity, every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the query is the sum of all field scores.
+
+You can customise the node limit and query depth and complexity limits by setting the following configuration:
+
+**app/_config/graphql.yml**
+
+```yaml
+SilverStripe\GraphQL\Manager:
+  default_max_query_nodes: 250 # default 500
+  default_max_query_depth: 20 # default 15
+  default_max_query_complexity: 100 # default unlimited
+```
+
+You can also configure these settings for individual schemas. This allows you to fine-tune the security of your custom public-facing schema without affecting the security of the schema used in the CMS. To do so, set the values for your schema like so:
+
+**app/_config/graphql.yml**
 
+```yaml
+SilverStripe\GraphQL\Manager:
+  schemas:
+    default:
+      max_query_nodes: 250
+      max_query_depth: 20
+      max_query_complexity: 100
+```
 
 ## Persisting queries
 

src/Manager.php

@@ -28,6 +28,13 @@
 use SilverStripe\Security\Security;
 use BadMethodCallException;
 use Exception;
+use GraphQL\Language\Lexer;
+use GraphQL\Language\Source;
+use GraphQL\Language\Token;
+use GraphQL\Utils\Utils;
+use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\QueryComplexity;
+use GraphQL\Validator\Rules\QueryDepth;
 
 /**
  * Manager is the master container for a graphql endpoint, and contains
@@ -47,6 +54,36 @@ class Manager implements ConfigurationApplier
 
     const TYPES_ROOT = 'types';
 
+    /**
+     * Default maximum query nodes if not defined in the current schema config
+     */
+    private static $default_max_query_nodes = 500;
+
+    /**
+     * Default maximum query depth if not defined in the current schema config
+     */
+    private static $default_max_query_depth = 15;
+
+    /**
+     * Default maximum query complexity if not defined in the current schema config
+     */
+    private static $default_max_query_complexity = 0;
+
+    /**
+     * Maximum query nodes allowed for the current schema config
+     */
+    private ?int $maxQueryNodes = null;
+
+    /**
+     * Maximum query depth allowed for the current schema config
+     */
+    private ?int $maxQueryDepth = null;
+
+    /**
+     * Maximum query complexity allowed for the current schema config
+     */
+    private ?int $maxQueryComplexity = null;
+
     /**
      * @var string
      */
@@ -204,6 +241,17 @@ public function applyConfig(array $config)
     {
         $this->extend('updateConfig', $config);
 
+        // Security validation rules
+        if (array_key_exists('max_query_nodes', $config)) {
+            $this->maxQueryNodes = $config['max_query_nodes'];
+        }
+        if (array_key_exists('max_query_depth', $config)) {
+            $this->maxQueryDepth = $config['max_query_depth'];
+        }
+        if (array_key_exists('max_query_complexity', $config)) {
+            $this->maxQueryComplexity = $config['max_query_complexity'];
+        }
+
         // Bootstrap schema class mapping from config
         if (array_key_exists('typeNames', $config ?? [])) {
             StaticSchema::inst()->setTypeNames($config['typeNames']);
@@ -372,12 +420,78 @@ public function queryAndReturnResult($query, $params = [])
         $context = $this->getContext();
 
         $last = function ($schema, $query, $context, $params) {
-            return GraphQL::executeQuery($schema, $query, null, $context, $params);
+            if (is_string($query)) {
+                $this->validateQueryBeforeParsing($query, $context);
+            }
+
+            $validationRules = DocumentValidator::allRules();
+            $maxDepth = $this->getMaxQueryDepth();
+            $maxComplexity = $this->getMaxQueryComplexity();
+            if ($maxDepth) {
+                $validationRules[QueryDepth::class] = new QueryDepth($maxDepth);
+            }
+            if ($maxComplexity) {
+                $validationRules[QueryComplexity::class] = new QueryComplexity($maxComplexity);
+            }
+            return GraphQL::executeQuery($schema, $query, null, $context, $params, null, null, $validationRules);
         };
 
         return $this->callMiddleware($schema, $query, $context, $params, $last);
     }
 
+    /**
+     * Validate a query before parsing it in case there are issues we can catch early.
+     */
+    private function validateQueryBeforeParsing(string $query): void
+    {
+        $maxNodes = $this->getMaxQueryNodes();
+
+        if (!$maxNodes) {
+            return;
+        }
+
+        $lexer = new Lexer(new Source($query));
+        $numNodes = 0;
+
+        // Check how many nodes there are in this query
+        do {
+            $next = $lexer->advance();
+            if ($next->kind === Token::NAME) {
+                $numNodes++;
+            }
+        } while ($next->kind !== Token::EOF && $numNodes <= $maxNodes);
+
+        // Throw a GraphQL Invariant violation if there are too many nodes
+        Utils::invariant(
+            $maxNodes >= $numNodes,
+            "GraphQL query body must not be longer than $maxNodes nodes."
+        );
+    }
+
+    private function getMaxQueryNodes()
+    {
+        if ($this->maxQueryNodes !== null) {
+            return $this->maxQueryNodes;
+        }
+        return static::config()->get('default_max_query_nodes');
+    }
+
+    private function getMaxQueryDepth()
+    {
+        if ($this->maxQueryDepth !== null) {
+            return $this->maxQueryDepth;
+        }
+        return static::config()->get('default_max_query_depth');
+    }
+
+    private function getMaxQueryComplexity()
+    {
+        if ($this->maxQueryComplexity !== null) {
+            return $this->maxQueryComplexity;
+        }
+        return static::config()->get('default_max_query_complexity');
+    }
+
     /**
      * Register a new type
      *