Query complexity limiter introduced

Author: rogyar

app/code/Magento/GraphQl/etc/di.xml

@@ -97,4 +97,10 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\GraphQl\Query\QueryComplexityLimiter">
+        <arguments>
+            <argument name="queryDepth" xsi:type="number">50</argument>
+            <argument name="queryComplexity" xsi:type="number">150</argument>
+        </arguments>
+    </type>
 </config>

lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php

@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query;
+
+use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\DisableIntrospection;
+use GraphQL\Validator\Rules\QueryDepth;
+use GraphQL\Validator\Rules\QueryComplexity;
+
+/**
+ * Sets limits for query complexity. A single GraphQL query can potentially
+ * generate thousands of database operations so, the very complex queries
+ * should be filtered and rejected.
+ */
+class QueryComplexityLimiter
+{
+    /**
+     * @var int
+     */
+    private $queryDepth;
+
+    /**
+     * @var int
+     */
+    private $queryComplexity;
+
+    /**
+     * @param int $queryDepth
+     * @param int $queryComplexity
+     */
+    public function __construct(
+        int $queryDepth = 50,
+        int $queryComplexity = 150
+    ) {
+        $this->queryDepth = $queryDepth;
+        $this->queryComplexity = $queryComplexity;
+    }
+
+    public function execute(bool $disableIntrospection = false): void
+    {
+        DocumentValidator::addRule(new QueryDepth($this->queryDepth));
+        DocumentValidator::addRule(new QueryComplexity($this->queryComplexity));
+
+        if ($disableIntrospection) {
+            DocumentValidator::addRule(new DisableIntrospection());
+        }
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/QueryProcessor.php

@@ -7,9 +7,6 @@
 
 namespace Magento\Framework\GraphQl\Query;
 
-use GraphQL\Validator\DocumentValidator;
-use GraphQL\Validator\Rules\DisableIntrospection;
-use GraphQL\Validator\Rules\QueryDepth;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
 use Magento\Framework\GraphQl\Schema;
 use Magento\Framework\GraphQl\Query\Resolver\ContextInterface;
@@ -24,12 +21,21 @@ class QueryProcessor
      */
     private $exceptionFormatter;
 
+    /**
+     * @var QueryComplexityLimiter
+     */
+    protected $queryComplexityLimiter;
+
     /**
      * @param ExceptionFormatter $exceptionFormatter
+     * @param QueryComplexityLimiter $queryComplexityChecker
      */
-    public function __construct(ExceptionFormatter $exceptionFormatter)
-    {
+    public function __construct(
+        ExceptionFormatter $exceptionFormatter,
+        QueryComplexityLimiter $queryComplexityChecker
+    ) {
         $this->exceptionFormatter = $exceptionFormatter;
+        $this->queryComplexityLimiter = $queryComplexityChecker;
     }
 
     /**
@@ -49,10 +55,9 @@ public function process(
         array $variableValues = null,
         string $operationName = null
     ) : array {
-        if (!$this->exceptionFormatter->shouldShowDetail()) {
-            DocumentValidator::addRule(new QueryDepth(10));
-            DocumentValidator::addRule(new DisableIntrospection());
-        }
+        $disableIntrospection = $this->exceptionFormatter->shouldShowDetail();
+        $this->queryComplexityLimiter->execute($disableIntrospection);
+
         $rootValue = null;
         return \GraphQL\GraphQL::executeQuery(
             $schema,