add depth limiting (#22)

Add config option to configure max allowed depth for queries:

example config:
```
max_depth:
  enable: true
  # The maximum number of allowed aliases within a single request.
  max: 3
  # Reject the request when the rule fails. Disable this to allow the request
  reject_on_failure: true
```

For example the query below has a depth of 4.
```
query{
  activeExperiments {
    variants {
      experimentKey
      allocations {
        end
      }
    }
  }
}

```

With the config above it would fail with error:
```

{
  "data": {},
  "errors": [
    {
      "message": "syntax error: Depth limit of 3 exceeded, found 4",
      "locations": [
        {
          "line": 1,
          "column": 1
        }
      ]
    }
  ]
}
```

---------

Co-authored-by: Rick Bijkerk <[email protected]>
Co-authored-by: Lars de Bruijn <[email protected]>

Author: 3 people

README.md

@@ -13,7 +13,7 @@ It is dead-simple yet highly customizable security sidecar compatible with any H
 * [Block Field Suggestions](docs/block_field_suggestions.md)
 * [Max Aliases](docs/max_aliases.md)
 * [Max Tokens](docs/max_tokens.md)
-* _Max Depth (coming soon)_
+* [Max Depth](docs/max_depth.md)
 * _Max Directives (coming soon)_
 * _Cost Limit (coming soon)_
 

cmd/main.go

@@ -11,6 +11,7 @@ import (
 	"github.com/ldebruijn/go-graphql-armor/internal/business/aliases"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/block_field_suggestions"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/gql"
+	"github.com/ldebruijn/go-graphql-armor/internal/business/max_depth"
 	middleware2 "github.com/ldebruijn/go-graphql-armor/internal/business/middleware"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/persisted_operations"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/proxy"
@@ -183,6 +184,7 @@ func middleware(log *slog.Logger, cfg *config.Config, po *persisted_operations.P
 	httpInstrumentation := HTTPInstrumentation()
 
 	aliases.NewMaxAliasesRule(cfg.MaxAliases)
+	max_depth.NewMaxDepthRule(cfg.MaxDepth)
 	tks := tokens.MaxTokens(cfg.MaxTokens)
 	vr := ValidationRules(schema, tks, cfg.ObfuscateValidationErrors)
 

docs/configuration.md

@@ -69,6 +69,13 @@ max_aliases:
 block_field_suggestions:
   enabled: true
   mask: [redacted]
+  
+max_depth:
+  enable: true
+  # The maximum allowed depth within a single request.
+  max: 15
+  # Reject the request when the rule fails. Disable this to allow the request
+  reject_on_failure: false
 
 max_tokens:
   # Enable the feature

docs/max_depth.md

@@ -0,0 +1,36 @@
+# Max depth
+
+Restricting the maximum depth of operations that are allowed within a single operation to protect your API from abuse.
+
+<!-- TOC -->
+
+## Configuration
+
+You can configure `go-graphql-armor` to limit the maximum depth on an operation.
+
+```yaml
+max_depth:
+  # Enable the feature
+  enable: "true"
+  # The maximum depth allowed within a single request.
+  max: 15
+  # Reject the request when the rule fails. Disable this to allow the request
+  reject_on_failure: "true"
+```
+
+## Metrics
+
+This rule produces metrics to help you gain insights into the behavior of the rule.
+
+```
+go_graphql_armor_max_depth_results{result}
+```
+
+
+| `result`  | Description                                                                                                  |
+|---------|--------------------------------------------------------------------------------------------------------------|
+| `allowed` | The rule condition succeeded                                                                                 |
+| `rejected` | The rule condition failed and the request was rejected                                                       |
+| `failed` | The rule condition failed but the request was not rejected. This happens when `reject_on_failure` is `false` |
+
+No metrics are produced when the rule is disabled.

internal/app/config/config.go

@@ -7,6 +7,7 @@ import (
 	"github.com/ardanlabs/conf/v3/yaml"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/aliases"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/block_field_suggestions"
+	"github.com/ldebruijn/go-graphql-armor/internal/business/max_depth"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/persisted_operations"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/proxy"
 	"github.com/ldebruijn/go-graphql-armor/internal/business/schema"
@@ -33,6 +34,7 @@ type Config struct {
 	BlockFieldSuggestions     block_field_suggestions.Config `yaml:"block_field_suggestions"`
 	MaxTokens                 tokens.Config                  `yaml:"max_tokens"`
 	MaxAliases                aliases.Config                 `yaml:"max_aliases"`
+	MaxDepth                  max_depth.Config               `yaml:"max_depth"`
 }
 
 func NewConfig(configPath string) (*Config, error) {

internal/business/aliases/aliases.go

@@ -77,6 +77,7 @@ func countSelectionSet(set ast.SelectionSet) int {
 
 	for _, selection := range set {
 		if v, ok := selection.(*ast.Field); ok {
+			// When a query has no alias defined it defaults to the name of the query
 			if v.Alias != "" && v.Alias != v.Name {
 				count++
 			}

internal/business/max_depth/max_depth.go

@@ -0,0 +1,77 @@
+package max_depth // nolint:revive
+
+import (
+	"fmt"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/vektah/gqlparser/v2/ast"
+	"github.com/vektah/gqlparser/v2/validator"
+)
+
+var resultCounter = prometheus.NewCounterVec(prometheus.CounterOpts{
+	Namespace: "go_graphql_armor",
+	Subsystem: "max_depth",
+	Name:      "results",
+	Help:      "The results of the max_depth rule",
+},
+	[]string{"result"},
+)
+
+type Config struct {
+	Enabled         bool `conf:"default:true" yaml:"enabled"`
+	Max             int  `conf:"default:15" yaml:"max"`
+	RejectOnFailure bool `conf:"default:true" yaml:"reject_on_failure"`
+}
+
+func init() {
+	prometheus.MustRegister(resultCounter)
+}
+
+func NewMaxDepthRule(cfg Config) {
+	if cfg.Enabled {
+		validator.AddRule("MaxDepth", func(observers *validator.Events, addError validator.AddErrFunc) {
+			observers.OnOperation(func(walker *validator.Walker, operation *ast.OperationDefinition) {
+				var maxDepth = countDepth(operation.SelectionSet)
+
+				if maxDepth > cfg.Max {
+					if cfg.RejectOnFailure {
+						err := fmt.Sprintf("syntax error: Depth limit of %d exceeded, found %d", cfg.Max, maxDepth)
+						addError(
+							validator.Message(err),
+							validator.At(operation.Position),
+						)
+						resultCounter.WithLabelValues("rejected").Inc()
+					} else {
+						resultCounter.WithLabelValues("failed").Inc()
+					}
+				} else {
+					resultCounter.WithLabelValues("allowed").Inc()
+				}
+			})
+		})
+	}
+}
+
+func countDepth(selectionSet ast.SelectionSet) int {
+	if selectionSet == nil {
+		return 0
+	}
+
+	depth := 1
+
+	for _, selection := range selectionSet {
+		switch v := selection.(type) {
+		case *ast.Field:
+			selectionDepth := countDepth(v.SelectionSet) + 1
+			if selectionDepth > depth {
+				depth = selectionDepth
+			}
+		case *ast.FragmentSpread:
+			selectionDepth := countDepth(v.Definition.SelectionSet)
+			if selectionDepth > depth {
+				depth = selectionDepth
+			}
+		}
+	}
+	return depth
+
+}

internal/business/max_depth/max_depth_test.go

@@ -0,0 +1,147 @@
+package max_depth // nolint:revive
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"github.com/vektah/gqlparser/v2"
+	"github.com/vektah/gqlparser/v2/ast"
+	"github.com/vektah/gqlparser/v2/parser"
+	"github.com/vektah/gqlparser/v2/validator"
+	"testing"
+)
+
+func Test_MaxDepthRule(t *testing.T) {
+	schema := `
+type Query {
+   getBook(title: String): Book
+}
+
+type Book {
+	id: ID!
+	title: String
+	author: Author!
+	price: Price!
+}
+type Author {
+	id: ID!
+	name: String
+}
+type Price {
+	price: Int!
+	id: ID!
+}
+`
+	type args struct {
+		query  string
+		schema string
+		cfg    Config
+	}
+	tests := []struct {
+		name string
+		args args
+		want error
+	}{
+		{
+			name: "no query yields zero count",
+			args: args{
+				query:  "",
+				schema: schema,
+				cfg: Config{
+					Max:     15,
+					Enabled: true,
+				},
+			},
+			want: nil,
+		},
+		{
+			name: "Calculate the depth properly with fragments",
+			args: args{
+				cfg: Config{
+					Max:             3,
+					Enabled:         true,
+					RejectOnFailure: true,
+				},
+				query: `
+				query A {
+					getBook(title: "null") {
+						id
+				   		...BookFragment
+				 	}
+				}
+				fragment BookFragment on Book {
+				 	author {
+						name
+					}
+				}`,
+				schema: schema,
+			},
+			want: nil,
+		},
+		{
+			name: "Calculate depth properly",
+			args: args{
+				cfg: Config{
+					Enabled:         true,
+					Max:             2,
+					RejectOnFailure: true,
+				},
+				query: `
+					query {
+						getBook(title: "null") {
+						  title
+						  price {
+							price
+							id
+						  }
+						}
+					}`,
+				schema: schema,
+			},
+			want: fmt.Errorf("syntax error: Depth limit of %d exceeded, found %d", 2, 3),
+		},
+		{
+			name: "Works correctly with fragments",
+			args: args{
+				cfg: Config{
+					Max:             2,
+					Enabled:         true,
+					RejectOnFailure: true,
+				},
+				query: `
+				query A {
+					getBook(title: "null") {
+						id
+				   		...BookFragment
+				 	}
+				}
+				fragment BookFragment on Book {
+				 	author {
+						name
+					}
+				}`,
+				schema: schema,
+			},
+			want: fmt.Errorf("syntax error: Depth limit of %d exceeded, found %d", 2, 3),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			NewMaxDepthRule(tt.args.cfg)
+
+			query, _ := parser.ParseQuery(&ast.Source{Name: "ff", Input: tt.args.query})
+			schema := gqlparser.MustLoadSchema(&ast.Source{
+				Name:    "graph/schema.graphqls",
+				Input:   tt.args.schema,
+				BuiltIn: false,
+			})
+
+			errs := validator.Validate(schema, query)
+
+			if tt.want == nil {
+				assert.Empty(t, errs)
+			} else {
+				assert.Equal(t, tt.want.Error(), errs[0].Message)
+			}
+		})
+	}
+}