feat(execution): add max coercion errors option to execution context (#4366)

This PR add `executionOptions` property to the `ExecutionArgs`.
Currently only one option can be configured, as is the one I need, but I
have built an object so it can easily be extended in the future.

The property allows the configuration of the maximum number of errors
(`maxErrors`) for coercion. This allows the current hardcoded limit
(`50`) to be reduced to a small number to avoid possible DoS attacks.

> Also, it updates the execution docs to reflect this new change. I
think the documentation was outdated since functions were using
positional arguments and now they only accept an object.

No longer updates the docs.

Author: cristunaranjo

src/execution/__tests__/executor-test.ts

@@ -10,6 +10,7 @@ import { Kind } from '../../language/kinds.js';
 import { parse } from '../../language/parser.js';
 
 import {
+  GraphQLInputObjectType,
   GraphQLInterfaceType,
   GraphQLList,
   GraphQLNonNull,
@@ -1380,4 +1381,74 @@ describe('Execute: Handles basic execution tasks', () => {
     expect(result).to.deep.equal({ data: { foo: { bar: 'bar' } } });
     expect(possibleTypes).to.deep.equal([fooObject]);
   });
+
+  it('uses a different number of max coercion errors', () => {
+    const schema = new GraphQLSchema({
+      query: new GraphQLObjectType({
+        name: 'Query',
+        fields: {
+          dummy: { type: GraphQLString },
+        },
+      }),
+      mutation: new GraphQLObjectType({
+        name: 'Mutation',
+        fields: {
+          updateUser: {
+            type: GraphQLString,
+            args: {
+              data: {
+                type: new GraphQLInputObjectType({
+                  name: 'User',
+                  fields: {
+                    email: { type: new GraphQLNonNull(GraphQLString) },
+                  },
+                }),
+              },
+            },
+          },
+        },
+      }),
+    });
+
+    const document = parse(`
+      mutation ($data: User) {
+        updateUser(data: $data)
+      }
+    `);
+
+    const options = {
+      maxCoercionErrors: 1,
+    };
+
+    const result = executeSync({
+      schema,
+      document,
+      variableValues: {
+        data: {
+          email: '',
+          wrongArg: 'wrong',
+          wrongArg2: 'wrong',
+          wrongArg3: 'wrong',
+        },
+      },
+      options,
+    });
+
+    // Returns at least 2 errors, one for the first 'wrongArg', and one for coercion limit
+    expect(result.errors).to.have.lengthOf(options.maxCoercionErrors + 1);
+
+    expectJSON(result).toDeepEqual({
+      errors: [
+        {
+          message:
+            'Variable "$data" has invalid value: Expected value of type "User" not to include unknown field "wrongArg", found: { email: "", wrongArg: "wrong", wrongArg2: "wrong", wrongArg3: "wrong" }.',
+          locations: [{ line: 2, column: 17 }],
+        },
+        {
+          message:
+            'Too many errors processing variables, error limit reached. Execution aborted.',
+        },
+      ],
+    });
+  });
 });

src/execution/execute.ts

@@ -199,6 +199,11 @@ export interface ExecutionArgs {
   enableEarlyExecution?: Maybe<boolean>;
   hideSuggestions?: Maybe<boolean>;
   abortSignal?: Maybe<AbortSignal>;
+  /** Additional execution options. */
+  options?: {
+    /** Set the maximum number of errors allowed for coercing (defaults to 50). */
+    maxCoercionErrors?: number;
+  };
 }
 
 export interface StreamUsage {
@@ -472,6 +477,7 @@ export function validateExecutionArgs(
     perEventExecutor,
     enableEarlyExecution,
     abortSignal,
+    options,
   } = args;
 
   if (abortSignal?.aborted) {
@@ -534,7 +540,7 @@ export function validateExecutionArgs(
     variableDefinitions,
     rawVariableValues ?? {},
     {
-      maxErrors: 50,
+      maxErrors: options?.maxCoercionErrors ?? 50,
       hideSuggestions,
     },
   );