Prevent infinite loop in OverlappingFieldsCanBeMergedRule

Cito · Cito · commit c7b310f66b4b · 2022-01-05T16:48:28.000+01:00
Preponed to avoid possible denial of service attacks Replicates graphql/graphql-js@4175b26
diff --git a/src/graphql/validation/rules/overlapping_fields_can_be_merged.py b/src/graphql/validation/rules/overlapping_fields_can_be_merged.py
@@ -254,6 +254,15 @@ def collect_conflicts_between_fields_and_fragment(
     # (E) Then collect any conflicts between the provided collection of fields and any
     # fragment names found in the given fragment.
     for referenced_fragment_name in referenced_fragment_names:
+        # Memoize so two fragments are not compared for conflicts more than once.
+        if compared_fragment_pairs.has(
+            referenced_fragment_name, fragment_name, are_mutually_exclusive
+        ):
+            continue
+        compared_fragment_pairs.add(
+            referenced_fragment_name, fragment_name, are_mutually_exclusive
+        )
+
         collect_conflicts_between_fields_and_fragment(
             context,
             conflicts,
diff --git a/tests/validation/test_overlapping_fields_can_be_merged.py b/tests/validation/test_overlapping_fields_can_be_merged.py
@@ -1042,20 +1042,68 @@ def works_for_field_names_that_are_python_keywords():
     def does_not_infinite_loop_on_recursive_fragments():
         assert_valid(
             """
+            {
+              ...fragA
+            }
+
             fragment fragA on Human { name, relatives { name, ...fragA } }
             """
         )
 
     def does_not_infinite_loop_on_immediately_recursive_fragments():
         assert_valid(
             """
+            {
+              ...fragA
+            }
+
             fragment fragA on Human { name, ...fragA }
             """
         )
 
+    def does_not_infinite_loop_on_recursive_fragment_with_field_named_after_fragment():
+        assert_valid(
+            """
+            {
+              ...fragA
+              fragA
+            }
+
+            fragment fragA on Query { ...fragA }
+            """
+        )
+
+    def finds_invalid_cases_even_with_field_named_after_fragment():
+        assert_errors(
+            """
+            {
+              fragA
+              ...fragA
+            }
+
+            fragment fragA on Type {
+              fragA: b
+            }
+            """,
+            [
+                {
+                    "message": "Fields 'fragA' conflict"
+                    " because 'fragA' and 'b' are different fields."
+                    " Use different aliases on the fields"
+                    " to fetch both if this was intentional.",
+                    "locations": [(3, 15), (8, 15)],
+                }
+            ],
+        )
+
     def does_not_infinite_loop_on_transitively_recursive_fragments():
         assert_valid(
             """
+            {
+              ...fragA
+              fragB
+            }
+
             fragment fragA on Human { name, ...fragB }
             fragment fragB on Human { name, ...fragC }
             fragment fragC on Human { name, ...fragA }
