gitlab-ce/lib/gitlab/graphql/query_analyzers/ast/recursion_analyzer.rb

# frozen_string_literal: true

# Recursive queries, with relatively low effort, can quickly spiral out of control exponentially
# and may not be picked up by depth and complexity alone.
module Gitlab
  module Graphql
    module QueryAnalyzers
      module AST
        class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer
          IGNORED_FIELDS = %w[node edges nodes ofType].freeze
          RECURSION_THRESHOLD = 2

          def initialize(query)
            super

            @node_visits = {}
            @recurring_fields = {}
          end

          def on_enter_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] += 1

            times_encountered = @node_visits[node_name]
            recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
          end

          # Visitors are all defined on the AST::Analyzer base class
          # We override them for custom analyzers.
          def on_leave_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] -= 1
          end

          def result
            @recurring_fields = @recurring_fields.select { |k, v| recursion_too_deep?(k, v) }

            if @recurring_fields.any?
              GraphQL::AnalysisError.new(<<~MSG)
                Recursive query - too many of fields '#{@recurring_fields}' detected
                in single branch of the query")
              MSG
            end
          end

          private

          attr_reader :node_visits, :recurring_fields

          def recursion_too_deep?(node_name, times_encountered)
            return if IGNORED_FIELDS.include?(node_name)

            times_encountered > recursion_threshold
          end

          def skip_node?(node, visitor)
            # We don't want to count skipped fields or fields
            # inside fragment definitions
            return false if visitor.skipping? || visitor.visiting_fragment_definition?

            !node.is_a?(GraphQL::Language::Nodes::Field) || node.selections.empty?
          end

          # separated into a method for use in allow_high_graphql_recursion
          def recursion_threshold
            RECURSION_THRESHOLD
          end
        end
      end
    end
  end
end