Support validation "maxErrors" option

[mo4islona]

We faced an DoS attack which simply was exploiting invalid requests like

query AAA ($a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAB ($b:b, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }
query AAC ($c:c, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, $a:a, ..... 1000 elems..., $a:a, ) { a }

It it produces huge latency and blocks other concurrent queries (NodeJS loop is blocked by validating and/or errors generating) which is the most crucial point.

Graphql validate function has an option to configure maxErrors and aborts the validation if it hits the limit.

Before (unlimited, maxErrors: undefined)

After (maxErrors: 10)

[glasser]

I'm surprised to see you're saying the default is unlimited — isn't the default in graphql-js (or versions with the maxErrors flag) 100?

[mo4islona]

Yep, you are right. Sorry for the confusion.

We haven't migrated yet and I tested a quick patch to outdated apollo-server-core@3.x and graphql@15.x

https://github.com/graphql/graphql-js/blob/15.x.x/src/validation/validate.js#L38

The latest graphql@16.x changed the default value to 100.

[mo4islona]

It is much better with 100, but anyway I'd like to be able to configure this.
The difference is very noticeable on not very performant cores.

[phryneas]

The newly added config option for this has been released in @apollo/server@5.3.0

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
For general questions, we recommend using our Community Forum or Stack Overflow.