feat(api): add query depth limit (#1096)

kanstantsinbuklis-sap · web-flow · commit 96fee4b132ef · 2026-02-16T18:01:28.000+01:00
diff --git a/go.mod b/go.mod
@@ -20,6 +20,7 @@ require (
 	github.com/onsi/gomega v1.39.1
 	github.com/onuryilmaz/ginprom v0.0.2
 	github.com/openfga/go-sdk v0.7.4
+	github.com/oyyblin/gqlgen-depth-limit-extension v0.1.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/prometheus/client_golang v1.23.2
 	github.com/samber/lo v1.52.0
diff --git a/go.sum b/go.sum
@@ -216,6 +216,8 @@ github.com/openfga/go-sdk v0.7.4 h1:WBZDjl5Aqy1pFsDCL9LGZ5teJsYh42giFWA7G4AHfkw=
 github.com/openfga/go-sdk v0.7.4/go.mod h1:jGyDrPZauqrGM89iSqvjVwwF80fKCTOIERGZ+X3H4pI=
 github.com/openfga/language/pkg/go v0.2.0-beta.2 h1:PH4AOYSREgkMZSHO+RLOwkCLcg/i1cTxrVJraM6/YT4=
 github.com/openfga/language/pkg/go v0.2.0-beta.2/go.mod h1:ll/hN6kS4EE6B/7J/PbZqac9Nuv7ZHpI+Jfh36JLrbs=
+github.com/oyyblin/gqlgen-depth-limit-extension v0.1.0 h1:QnLrbTxU/95PBhEPOpIw2YspwSagu4xFmNNyga5LOWA=
+github.com/oyyblin/gqlgen-depth-limit-extension v0.1.0/go.mod h1:yWijMUBy85Lo9A0p3AdoItf6LQ6PNG1xER0ouWgjrMM=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
diff --git a/internal/api/graphql/server.go b/internal/api/graphql/server.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cloudoperators/heureka/internal/app"
 	"github.com/cloudoperators/heureka/internal/util"
 	"github.com/gin-gonic/gin"
+	"github.com/oyyblin/gqlgen-depth-limit-extension/depth"
 )
 
 type GraphQLAPI struct {
@@ -22,11 +23,15 @@ type GraphQLAPI struct {
 }
 
 func NewGraphQLAPI(a app.Heureka, cfg util.Config) *GraphQLAPI {
+	server := handler.NewDefaultServer(graph.NewExecutableSchema(resolver.NewResolver(a)))
+	server.Use(depth.FixedDepthLimit(cfg.GQLDepthLimit))
+
 	graphQLAPI := GraphQLAPI{
-		Server: handler.NewDefaultServer(graph.NewExecutableSchema(resolver.NewResolver(a))),
+		Server: server,
 		App:    a,
 		auth:   middleware.NewAuth(&cfg, true),
 	}
+
 	return &graphQLAPI
 }
 
diff --git a/internal/e2e/authentication_test.go b/internal/e2e/authentication_test.go
@@ -157,7 +157,7 @@ func (at *authenticationTest) teardown() {
 }
 
 func (at *authenticationTest) createIssueByUser(issue entity.Issue, user entity.User) model.Issue {
-	respData := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
+	respData, err := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
 		Issue model.Issue `json:"createIssue"`
 	}](
 		at.cfg.Port,
@@ -171,6 +171,7 @@ func (at *authenticationTest) createIssueByUser(issue entity.Issue, user entity.
 		},
 		at.getHeaders(user))
 
+	Expect(err).ToNot(HaveOccurred())
 	Expect(*respData.Issue.PrimaryName).To(Equal(issue.PrimaryName))
 	Expect(*respData.Issue.Description).To(Equal(issue.Description))
 	Expect(respData.Issue.Type.String()).To(Equal(issue.Type.String()))
@@ -179,7 +180,7 @@ func (at *authenticationTest) createIssueByUser(issue entity.Issue, user entity.
 
 func (at *authenticationTest) updateIssueByUser(issue entity.Issue, user entity.User) model.Issue {
 	issue.Description = "New Description"
-	respData := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
+	respData, err := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
 		Issue model.Issue `json:"updateIssue"`
 	}](
 		at.cfg.Port,
@@ -190,13 +191,14 @@ func (at *authenticationTest) updateIssueByUser(issue entity.Issue, user entity.
 		},
 		at.getHeaders(user))
 
+	Expect(err).ToNot(HaveOccurred())
 	Expect(*respData.Issue.Description).To(Equal(issue.Description))
 	Expect(*respData.Issue.Metadata.CreatedBy).To(Equal(strconv.FormatInt(util.SystemUserId, 10)))
 	return respData.Issue
 }
 
 func (at *authenticationTest) deleteIssueByUser(issue entity.Issue, user entity.User) string {
-	respData := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
+	respData, err := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
 		Id string `json:"deleteIssue"`
 	}](
 		at.cfg.Port,
@@ -206,12 +208,13 @@ func (at *authenticationTest) deleteIssueByUser(issue entity.Issue, user entity.
 		},
 		at.getHeaders(user))
 
+	Expect(err).ToNot(HaveOccurred())
 	Expect(respData.Id).To(Equal(strconv.FormatInt(issue.Id, 10)))
 	return respData.Id
 }
 
 func (at *authenticationTest) getDeletedIssue(issueId string, user entity.User) model.Issue {
-	respData := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
+	respData, err := e2e_common.ExecuteGqlQueryFromFileWithHeaders[struct {
 		Issues model.IssueConnection `json:"Issues"`
 	}](
 		at.cfg.Port,
@@ -225,6 +228,7 @@ func (at *authenticationTest) getDeletedIssue(issueId string, user entity.User)
 
 	item, ok := lo.Find(respData.Issues.Edges, func(e *model.IssueEdge) bool { return e.Node.ID == issueId })
 	Expect(ok).To(BeTrue(), "issue id '%s' not found in deleted items")
+	Expect(err).ToNot(HaveOccurred())
 	return *item.Node
 }
 
diff --git a/internal/e2e/common/gql.go b/internal/e2e/common/gql.go
@@ -11,38 +11,52 @@ import (
 	util2 "github.com/cloudoperators/heureka/pkg/util"
 	"github.com/machinebox/graphql"
 	. "github.com/onsi/gomega"
-	"github.com/sirupsen/logrus"
 )
 
 var GqlStandardHeaders map[string]string = map[string]string{
 	"Cache-Control": "no-cache",
 }
 
-func ExecuteGqlQueryFromFile[T any](port string, queryFilePath string, vars map[string]interface{}) T {
+func ExecuteGqlQuery[T any](client *graphql.Client, req *graphql.Request) (T, error) {
+	var result T
+
+	err := util2.RequestWithBackoff(func() error {
+		return client.Run(context.Background(), req, &result)
+	})
+
+	return result, err
+}
+
+func ExecuteGqlQueryFromFile[T any](port string, queryFilePath string, vars map[string]any) (T, error) {
 	return ExecuteGqlQueryFromFileWithHeaders[T](port, queryFilePath, vars, GqlStandardHeaders)
 }
 
-func ExecuteGqlQueryFromFileWithHeaders[T any](port string, queryFilePath string, vars map[string]interface{}, headers map[string]string) T {
+func ExecuteGqlQueryFromFileWithHeaders[T any](port string, queryFilePath string, vars map[string]any,
+	headers map[string]string,
+) (T, error) {
 	client, req := newClientAndRequestForGqlFileQuery(port, queryFilePath, vars, headers)
 
-	var result T
-	if err := util2.RequestWithBackoff(func() error { return client.Run(context.Background(), req, &result) }); err != nil {
-		logrus.WithError(err).WithField("request", req).Fatalln("Error while unmarshaling")
-	}
-	return result
+	return ExecuteGqlQuery[T](client, req)
 }
 
-func newClientAndRequestForGqlFileQuery(port string, queryFilePath string, vars map[string]interface{}, headers map[string]string) (*graphql.Client, *graphql.Request) {
+func newClientAndRequestForGqlFileQuery(port string, queryFilePath string, vars map[string]any,
+	headers map[string]string,
+) (*graphql.Client, *graphql.Request) {
 	client := graphql.NewClient(fmt.Sprintf("http://localhost:%s/query", port))
+
 	b, err := os.ReadFile(queryFilePath)
 	Expect(err).To(BeNil())
+
 	str := string(b)
 	req := graphql.NewRequest(str)
+
 	for k, v := range vars {
 		req.Var(k, v)
 	}
+
 	for k, v := range headers {
 		req.Header.Set(k, v)
 	}
+
 	return client, req
 }
diff --git a/internal/e2e/image_query_test.go b/internal/e2e/image_query_test.go
@@ -39,7 +39,7 @@ var _ = Describe("Getting Images via API", Label("e2e", "Images"), func() {
 			imgTest.seed10Entries()
 		})
 		It("returns the expected content and the expected PageInfo when filtered using service", func() {
-			respData := e2e_common.ExecuteGqlQueryFromFile[struct {
+			respData, err := e2e_common.ExecuteGqlQueryFromFile[struct {
 				Images model.ImageConnection `json:"Images"`
 			}](
 				imgTest.port,
@@ -55,6 +55,7 @@ var _ = Describe("Getting Images via API", Label("e2e", "Images"), func() {
 			expectRespDataCounts(respData.Images, 5, 3)
 			expectRespImagesFilledAndInOrder(&respData.Images)
 			expectPageInfoTwoPagesBeingOnFirst(respData.Images.PageInfo)
+			Expect(err).ToNot(HaveOccurred())
 			Expect(*respData.Images.Counts).To(Equal(imgTest.counts))
 		})
 		It("returns the expected content and the expected PageInfo when filtered using repository", func() {
@@ -74,7 +75,7 @@ var _ = Describe("Getting Images via API", Label("e2e", "Images"), func() {
 			// belong to first service and first component
 			counts := model.SeverityCounts{Critical: 2, Total: 2}
 
-			respData := e2e_common.ExecuteGqlQueryFromFile[struct {
+			respData, err := e2e_common.ExecuteGqlQueryFromFile[struct {
 				Images model.ImageConnection `json:"Images"`
 			}](
 				imgTest.port,
@@ -91,6 +92,7 @@ var _ = Describe("Getting Images via API", Label("e2e", "Images"), func() {
 			expectRespDataCounts(respData.Images, 1, 1)
 			expectRespImagesFilledAndInOrder(&respData.Images)
 			Expect(*respData.Images.Counts).To(Equal(counts))
+			Expect(err).ToNot(HaveOccurred())
 		})
 	})
 })
diff --git a/internal/e2e/image_version_query_test.go b/internal/e2e/image_version_query_test.go
@@ -101,13 +101,14 @@ var _ = Describe("Getting ImageVersions via API", Label("e2e", "ImageVersions"),
 		It("can query image versions", func() {
 			idsBySeverity := []string{"3", "8", "2", "7", "1", "6", "5", "4", "10", "9"}
 
-			respData := e2e_common.ExecuteGqlQueryFromFile[struct {
+			respData, err := e2e_common.ExecuteGqlQueryFromFile[struct {
 				ImageVersions model.ImageVersionConnection `json:"ImageVersions"`
 			}](
 				cfg.Port,
 				"../api/graphql/graph/queryCollection/imageVersion/query.graphql",
 				map[string]interface{}{"first": 10, "after": ""},
 			)
+			Expect(err).ToNot(HaveOccurred())
 			Expect(respData.ImageVersions.TotalCount).To(Equal(10))
 			Expect(len(respData.ImageVersions.Edges)).To(Equal(10))
 
diff --git a/internal/e2e/patch_query_test.go b/internal/e2e/patch_query_test.go
@@ -44,7 +44,7 @@ var _ = Describe("Getting Patches via API", Label("e2e", "Patches"), func() {
 
 	When("the database is empty", func() {
 		It("returns empty result set", func() {
-			respData := e2e_common.ExecuteGqlQueryFromFile[struct {
+			respData, err := e2e_common.ExecuteGqlQueryFromFile[struct {
 				Patches model.PatchConnection `json:"Patches"`
 			}](
 				cfg.Port,
@@ -54,6 +54,7 @@ var _ = Describe("Getting Patches via API", Label("e2e", "Patches"), func() {
 					"first":  10,
 					"after":  "",
 				})
+			Expect(err).NotTo(HaveOccurred())
 			Expect(respData.Patches.TotalCount).To(Equal(0))
 		})
 	})
@@ -63,20 +64,22 @@ var _ = Describe("Getting Patches via API", Label("e2e", "Patches"), func() {
 		type patchRespDataType struct {
 			Patches model.PatchConnection `json:"Patches"`
 		}
-		var respData patchRespDataType
+
 		BeforeEach(func() {
 			seedCollection = seeder.SeedDbWithNFakeData(10)
 		})
 		Context("and no additional filters are present", func() {
 			It("returns correct result count", func() {
-				respData = e2e_common.ExecuteGqlQueryFromFile[patchRespDataType](
+				respData, err := e2e_common.ExecuteGqlQueryFromFile[patchRespDataType](
 					cfg.Port,
 					"../api/graphql/graph/queryCollection/patch/query.graphql",
 					map[string]interface{}{
 						"filter": map[string]string{},
 						"first":  5,
 						"after":  "",
 					})
+
+				Expect(err).ToNot(HaveOccurred())
 				Expect(respData.Patches.TotalCount).To(Equal(len(seedCollection.PatchRows)))
 				Expect(len(respData.Patches.Edges)).To(Equal(5))
 				//- returns the expected PageInfo
diff --git a/internal/e2e/query_depth_limit_test.go b/internal/e2e/query_depth_limit_test.go
@@ -0,0 +1,137 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package e2e_test
+
+import (
+	"fmt"
+
+	e2e_common "github.com/cloudoperators/heureka/internal/e2e/common"
+	"github.com/cloudoperators/heureka/internal/util"
+	util2 "github.com/cloudoperators/heureka/pkg/util"
+
+	"github.com/cloudoperators/heureka/internal/api/graphql/graph/model"
+	"github.com/cloudoperators/heureka/internal/database/mariadb"
+	"github.com/cloudoperators/heureka/internal/server"
+	"github.com/machinebox/graphql"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	queryWithDepthExceeded = `{
+  Services {
+    edges {
+      node {
+        supportGroups {
+          edges {
+            node {
+              services {
+                edges {
+                  node {
+                    id
+                  }
+                }
+              }
+              users {
+                edges {
+                  node {
+                    id
+                    supportGroups {
+                      edges {
+                        node {
+                          id
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}`
+	queryWithNormalDepth = `{
+  Services {
+    edges {
+      node {
+        supportGroups {
+          edges {
+            node {
+              services {
+                edges {
+                  node {
+                    id
+                  }
+                }
+              }
+              users {
+                edges {
+                  node {
+                    id
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}`
+)
+
+var _ = Describe("Getting data via API", Label("e2e", "Depth Limiting"), func() {
+	var s *server.Server
+	var cfg util.Config
+	var db *mariadb.SqlDatabase
+
+	BeforeEach(func() {
+		var err error
+		db = dbm.NewTestSchemaWithoutMigration()
+		Expect(err).To(BeNil(), "Database Seeder Setup should work")
+
+		cfg = dbm.DbConfig()
+		cfg.Port = util2.GetRandomFreePort()
+		// Set depth limit as 10 for testing pourpose
+		cfg.GQLDepthLimit = 10
+		s = e2e_common.NewRunningServer(cfg)
+	})
+
+	AfterEach(func() {
+		e2e_common.ServerTeardown(s)
+		dbm.TestTearDown(db)
+	})
+
+	When("Request with depth exceeding limit", func() {
+		It("returns an error", func() {
+			client := graphql.NewClient(fmt.Sprintf("http://localhost:%s/query", cfg.Port))
+			req := graphql.NewRequest(queryWithDepthExceeded)
+			req.Header.Set("Cache-Control", "no-cache")
+			_, err := e2e_common.ExecuteGqlQuery[struct {
+				Services model.ServiceConnection `json:"Services"`
+			}](client, req)
+
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("operation exceeds the depth limit"))
+		})
+	})
+
+	When("Request with allowed depth", func() {
+		It("returns an error", func() {
+			client := graphql.NewClient(fmt.Sprintf("http://localhost:%s/query", cfg.Port))
+			req := graphql.NewRequest(queryWithNormalDepth)
+
+			req.Header.Set("Cache-Control", "no-cache")
+
+			_, err := e2e_common.ExecuteGqlQuery[struct {
+				Services model.ServiceConnection `json:"Services"`
+			}](client, req)
+
+			Expect(err).ToNot(HaveOccurred())
+		})
+	})
+})
diff --git a/internal/e2e/remediation_query_test.go b/internal/e2e/remediation_query_test.go
diff --git a/internal/server/server.go b/internal/server/server.go
diff --git a/internal/util/config.go b/internal/util/config.go

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"github.com/cloudoperators/heureka/internal/app"`
`13`	`13`	`"github.com/cloudoperators/heureka/internal/util"`
`14`	`14`	`"github.com/gin-gonic/gin"`
	`15`	`+ "github.com/oyyblin/gqlgen-depth-limit-extension/depth"`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`type GraphQLAPI struct {`
`@@ -22,11 +23,15 @@ type GraphQLAPI struct {`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`func NewGraphQLAPI(a app.Heureka, cfg util.Config) *GraphQLAPI {`
	`26`	`+ server := handler.NewDefaultServer(graph.NewExecutableSchema(resolver.NewResolver(a)))`
	`27`	`+ server.Use(depth.FixedDepthLimit(cfg.GQLDepthLimit))`
	`28`	`+`
`25`	`29`	`graphQLAPI := GraphQLAPI{`
`26`		`- Server: handler.NewDefaultServer(graph.NewExecutableSchema(resolver.NewResolver(a))),`
	`30`	`+ Server: server,`
`27`	`31`	`App: a,`
`28`	`32`	`auth: middleware.NewAuth(&cfg, true),`
`29`	`33`	`}`
	`34`	`+`
`30`	`35`	`return &graphQLAPI`
`31`	`36`	`}`
`32`	`37`