debian-mirror-gitlab/lib/gitlab/graphql/query_analyzers/ast/recursion_analyzer.rb

# frozen_string_literal: true

# Recursive queries, with relatively low effort, can quickly spiral out of control exponentially
# and may not be picked up by depth and complexity alone.
module Gitlab
  module Graphql
    module QueryAnalyzers
      module AST
        class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer
          IGNORED_FIELDS = %w(node edges nodes ofType).freeze
          RECURSION_THRESHOLD = 2

          def initialize(query)
            super

            @node_visits = {}
            @recurring_fields = {}
          end

          def on_enter_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] += 1

            times_encountered = @node_visits[node_name]
            recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
          end

          # Visitors are all defined on the AST::Analyzer base class
          # We override them for custom analyzers.
          def on_leave_field(node, _parent, visitor)
            return if skip_node?(node, visitor)

            node_name = node.name
            node_visits[node_name] ||= 0
            node_visits[node_name] -= 1
          end

          def result
            @recurring_fields = @recurring_fields.select { |k, v| recursion_too_deep?(k, v) }

            if @recurring_fields.any?
              GraphQL::AnalysisError.new(<<~MSG)
                Recursive query - too many of fields '#{@recurring_fields}' detected
                in single branch of the query")
              MSG
            end
          end

          private

          attr_reader :node_visits, :recurring_fields

          def recursion_too_deep?(node_name, times_encountered)
            return if IGNORED_FIELDS.include?(node_name)

            times_encountered > recursion_threshold
          end

          def skip_node?(node, visitor)
            # We don't want to count skipped fields or fields
            # inside fragment definitions
            return false if visitor.skipping? || visitor.visiting_fragment_definition?

            !node.is_a?(GraphQL::Language::Nodes::Field) || node.selections.empty?
          end

          # separated into a method for use in allow_high_graphql_recursion
          def recursion_threshold
            RECURSION_THRESHOLD
          end
        end
      end
    end
  end
end
New upstream version 15.1.3+ds1 2022-07-23 23:45:48 +05:30			`# frozen_string_literal: true`

			`# Recursive queries, with relatively low effort, can quickly spiral out of control exponentially`
			`# and may not be picked up by depth and complexity alone.`
			`module Gitlab`
			`module Graphql`
			`module QueryAnalyzers`
			`module AST`
			`class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer`
			`IGNORED_FIELDS = %w(node edges nodes ofType).freeze`
			`RECURSION_THRESHOLD = 2`

			`def initialize(query)`
			`super`

			`@node_visits = {}`
			`@recurring_fields = {}`
			`end`

			`def on_enter_field(node, _parent, visitor)`
			`return if skip_node?(node, visitor)`

			`node_name = node.name`
			`node_visits[node_name] \|\|= 0`
			`node_visits[node_name] += 1`

			`times_encountered = @node_visits[node_name]`
			`recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)`
			`end`

			`# Visitors are all defined on the AST::Analyzer base class`
			`# We override them for custom analyzers.`
			`def on_leave_field(node, _parent, visitor)`
			`return if skip_node?(node, visitor)`

			`node_name = node.name`
			`node_visits[node_name] \|\|= 0`
			`node_visits[node_name] -= 1`
			`end`

			`def result`
			`@recurring_fields = @recurring_fields.select { \|k, v\| recursion_too_deep?(k, v) }`

			`if @recurring_fields.any?`
			`GraphQL::AnalysisError.new(<<~MSG)`
			`Recursive query - too many of fields '#{@recurring_fields}' detected`
			`in single branch of the query")`
			`MSG`
			`end`
			`end`

			`private`

			`attr_reader :node_visits, :recurring_fields`

			`def recursion_too_deep?(node_name, times_encountered)`
			`return if IGNORED_FIELDS.include?(node_name)`

			`times_encountered > recursion_threshold`
			`end`

			`def skip_node?(node, visitor)`
			`# We don't want to count skipped fields or fields`
			`# inside fragment definitions`
			`return false if visitor.skipping? \|\| visitor.visiting_fragment_definition?`

			`!node.is_a?(GraphQL::Language::Nodes::Field) \|\| node.selections.empty?`
			`end`

			`# separated into a method for use in allow_high_graphql_recursion`
			`def recursion_threshold`
			`RECURSION_THRESHOLD`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`