feat(graphql): more security : with max query depth and max query complexity

[mauriau]

Q	A
Branch?	main
Tickets	-
License	MIT
Doc PR	api-platform/docs#2107

On our GraphQL APi, we run GraphQL COP and it's detected some security leak.

So I tried to fix some of this like "Alias overloading" and "Field Duplication".

Webonyx has this following rules : QueryComplexity and QueryDepth. So I implemented this on Api Platform to be configurable in api_platform.yml. And setted by default to 100

api_platform:
  graphql:
     max_query_depth: 20
     max_query_complexity: 500
`

[masseuro]

Really important for avoid dos attack

[mauriau]

🤔 Hmm, the scenario "Introspect the GraphQL schema" from features/graphql/introspection.feature need a max query depth configured to 200. But I dont want to put this value as default value. How can I change this value only for the introspection test ?

[mauriau]

🤔 Hmm, the scenario "Introspect the GraphQL schema" from features/graphql/introspection.feature need a max query depth configured to 200. But I dont want to put this value as default value. How can I change this value only for the introspection test ?

I changed the value in tests/Fixtures/app/AppKernel.php to 200 to pass the introspection tests

[soyuka]

Nice one, just a few comments, thanks for this addition!

[soyuka]

I see this file modified but it looks like cs fixes that I should probably do in another PR. Would you be able to add the configuration at https://github.com/api-platform/core/blob/main/src/Laravel/ApiPlatformProvider.php#L1295 as well?

[mauriau]

Yes, cs fixer did it :)

[mauriau]

@soyuka I have some failed on behat's tests (features/hydra/docs.feature:10), but I don't know why