Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(router): refactor complexity limits #1364

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(router): refactor complexity limits #1364

wants to merge 4 commits into from

Conversation

df-wg
Copy link
Contributor

@df-wg df-wg commented Nov 12, 2024

Motivation and Context

Previous work (#1153) added in the opportunity to limit allowed query depth, rejecting a query if it passes the acceptable limit. This PR moves that configuration into a newly created security.complexity_limitssection, while still maintaining the now deprecatedsecurity. depth_limit` section for the next 60 days

It will now be configured using:

security:
    block_mutations: false
    block_subscriptions: false
    block_non_persisted_operations: false
    complexity_calculation_cache: # This is for a local in-memory cache, to persist the calculation results
      enabled: true
      size: 1024
    complexity_limits:
        depth: # the equivalent of `security.depth_limit` prevoiusly
          enabled: false
          limit: 7
          ignore_persisted_operations: true
        total_fields:
          enabled: false
          limit: 128
          ignore_persisted_operations: true
        root_fields:
          enabled: false
          limit: 3
          ignore_persisted_operations: true
        root_field_aliases:
          enabled: false
          limit: 3
          ignore_persisted_operations: true

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

@df-wg df-wg force-pushed the dave/eng-5663-refactor-improve-security-complexity-limits branch from dcf43fa to 8f70c7a Compare November 12, 2024 14:21
@df-wg df-wg force-pushed the dave/eng-5663-refactor-improve-security-complexity-limits branch from 1fa616d to ee032c8 Compare November 12, 2024 14:41
jensneuse
jensneuse requested changes Nov 14, 2024
View reviewed changes
router/pkg/config/config.schema.json
},
"size": {
"type": "integer",
"default": 1024,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you make this 101024=10240?
Also, can you make planner cache, validation cache, and normalization cache the same default amount?
We've seen with some customers that 1024 is too low and 101024 doesn't increase memory usage dramatically.

router/pkg/config/config.schema.json
"depth_limit": {
"type": "object",
"description": "The configuration for adding a max depth limit for query (how many nested levels you can have in a query). This limit prevents infinite querying, and also limits the size of the data returned. If the limit is 0, this limit isn't applied.",
"description": "DEPRECATED (move to complexity_limits.depth): The configuration for adding a max depth limit for query (how many nested levels you can have in a query).",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered following this spec?
https://www.learnjsonschema.com/2020-12/meta-data/deprecated/

router/pkg/otel/attributes.go
@@ -36,7 +36,10 @@ const (
WgValidationCacheHit = attribute.Key("wg.engine.validation_cache_hit")
WgVariablesValidationSkipped = attribute.Key("wg.engine.variables_validation_skipped")
WgQueryDepth = attribute.Key("wg.operation.query_depth")
WgQueryDepthCacheHit = attribute.Key("wg.operation.query_depth_cache_hit")
WgQueryTotalFields = attribute.Key("wg.operation.total_fields")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@StarpTech is this fine?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should scope it further e.g. wg.operation.complexity.total_fields because it is not a common attribute and only set when complexity limits are enabled.

router/pkg/config/config.go
@@ -334,6 +336,28 @@ type QueryDepthConfiguration struct {
IgnorePersistedOperations bool `yaml:"ignore_persisted_operations,omitempty" envDefault:"false" env:"SECURITY_QUERY_DEPTH_IGNORE_PERSISTED_OPERATIONS"`
}

type ComplexityCalculationCache struct {
Enabled bool `yaml:"enabled" envDefault:"false" env:"SECURITY_COMPLEXITY_CACHE_ENABLED"`
CacheSize int64 `yaml:"size,omitempty" envDefault:"1024" env:"SECURITY_COMPLEXITY_CACHE_SIZE"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update defaults here accordingly as discussed in the other thread.

router/core/operation_processor.go
}
if complexityLimitConfig.RootFieldAliases != nil && complexityLimitConfig.RootFieldAliases.ApplyLimit(isPersisted) {
testComparisons = append(testComparisons,
comp{complexityLimitConfig.RootFieldAliases.Limit, cachedComplexity.RootFieldAliases, fmt.Sprintf("The number of root fields aliases %d exceeds the root field aliases limit allowed (%d)", cachedComplexity.RootFieldAliases, complexityLimitConfig.RootFieldAliases.Limit)})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The number of root field aliases %d exceeds the root field aliases limit allowed (%d)

router/core/operation_processor.go
}
if complexityLimitConfig.TotalFields != nil && complexityLimitConfig.TotalFields.ApplyLimit(isPersisted) {
testComparisons = append(testComparisons,
comp{complexityLimitConfig.TotalFields.Limit, cachedComplexity.TotalFields, fmt.Sprintf("The query total fields %d exceeds the max total fields allowed (%d)", cachedComplexity.TotalFields, complexityLimitConfig.TotalFields.Limit)})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The total number of fields %d exceeds the limit allowed (%d)

StarpTech
StarpTech requested changes Nov 14, 2024
View reviewed changes
router/core/operation_processor.go
}

func (o *OperationKit) runComplexityComparisons(complexityLimitConfig *config.ComplexityLimits, cachedComplexity ComplexityCacheEntry, isPersisted bool) error {
type comp struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should discourage inline structs. Please place them at the top of the file.

router-tests/complexity_limits_test.go
failedRes, _ := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
Query: `{ employee(id:1) { id details { forename surname } } }`,
})
require.Equal(t, 400, failedRes.Response.StatusCode)
Copy link
Contributor

@StarpTech StarpTech Nov 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the tests to the telemetry tests.

router/pkg/otel/attributes.go
@@ -36,7 +36,10 @@ const (
WgValidationCacheHit = attribute.Key("wg.engine.validation_cache_hit")
WgVariablesValidationSkipped = attribute.Key("wg.engine.variables_validation_skipped")
WgQueryDepth = attribute.Key("wg.operation.query_depth")
WgQueryDepthCacheHit = attribute.Key("wg.operation.query_depth_cache_hit")
WgQueryTotalFields = attribute.Key("wg.operation.total_fields")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should scope it further e.g. wg.operation.complexity.total_fields because it is not a common attribute and only set when complexity limits are enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devsergiy devsergiy devsergiy left review comments

@jensneuse jensneuse jensneuse requested changes

@StarpTech StarpTech StarpTech requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
router
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@df-wg @devsergiy @StarpTech @jensneuse