fix(graphql): add query complexity limit [H10] by lakhansamani · Pull Request #558 · authorizerdev/authorizer

lakhansamani · 2026-04-03T16:16:35Z

Summary

H10 (High): No query depth/complexity/batch limits existed
Adds FixedComplexityLimit(300) using gqlgen built-in extension
Prevents resource exhaustion via complex/nested queries

Test plan

Package compiles
Verify normal queries work within complexity budget
Verify overly complex queries are rejected

No query complexity or depth limiting existed, enabling resource exhaustion and batch brute-force attacks via deeply nested or complex queries. Adds FixedComplexityLimit(300) using gqlgen's built-in extension. Fixes: H10 (High)

fix(graphql): add query complexity limit

e2a20d3

No query complexity or depth limiting existed, enabling resource exhaustion and batch brute-force attacks via deeply nested or complex queries. Adds FixedComplexityLimit(300) using gqlgen's built-in extension. Fixes: H10 (High)

lakhansamani merged commit 79bf7d5 into main Apr 4, 2026

lakhansamani deleted the fix/h10-graphql-limits branch April 4, 2026 11:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(graphql): add query complexity limit [H10]#558

fix(graphql): add query complexity limit [H10]#558
lakhansamani merged 1 commit intomainfrom
fix/h10-graphql-limits

lakhansamani commented Apr 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

lakhansamani commented Apr 3, 2026

Summary

Test plan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant