validation: restrict maximum number of errors to 100 by default (#3283)

IvanGoncharov · web-flow · commit cb48918c6033 · 2021-10-01T12:30:34.000+03:00
diff --git a/src/validation/validate.ts b/src/validation/validate.ts
@@ -28,18 +28,24 @@ import { SDLValidationContext, ValidationContext } from './ValidationContext';
  * (see the language/visitor API). Visitor methods are expected to return
  * GraphQLErrors, or Arrays of GraphQLErrors when invalid.
  *
+ * Validate will stop validation after a `maxErrors` limit has been reached.
+ * Attackers can send pathologically invalid queries to induce a DoS attack,
+ * so by default `maxErrors` set to 100 errors.
+ *
  * Optionally a custom TypeInfo instance may be provided. If not provided, one
  * will be created from the provided schema.
  */
 export function validate(
   schema: GraphQLSchema,
   documentAST: DocumentNode,
   rules: ReadonlyArray<ValidationRule> = specifiedRules,
-  options: { maxErrors?: number } = { maxErrors: undefined },
+  options?: { maxErrors?: number },
 
   /** @deprecated will be removed in 17.0.0 */
   typeInfo: TypeInfo = new TypeInfo(schema),
 ): ReadonlyArray<GraphQLError> {
+  const maxErrors = options?.maxErrors ?? 100;
+
   devAssert(documentAST, 'Must provide document.');
   // If the schema used for validation is invalid, throw an error.
   assertValidSchema(schema);
@@ -51,7 +57,7 @@ export function validate(
     documentAST,
     typeInfo,
     (error) => {
-      if (options.maxErrors != null && errors.length >= options.maxErrors) {
+      if (errors.length >= maxErrors) {
         errors.push(
           new GraphQLError(
             'Too many validation errors, error limit reached. Validation aborted.',
