feat: Add configurable validation security rules

config/schema/graphql.schema.yml

@@ -23,6 +23,15 @@ graphql.graphql_servers.*:
     batching:
       type: boolean
       label: 'Batching'
+    disable_introspection:
+      type: boolean
+      label: 'Disable Introspection'
+    query_depth:
+      type: integer
+      label: 'Max query depth'
+    query_complexity:
+      type: number
+      label: 'Max query complexity'
     schema_configuration:
       type: 'graphql.schema.[%parent.schema]'
     persisted_queries_settings:

src/Entity/Server.php

@@ -25,6 +25,9 @@
 use GraphQL\Server\Helper;
 use GraphQL\Type\Definition\ResolveInfo;
 use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\DisableIntrospection;
+use GraphQL\Validator\Rules\QueryComplexity;
+use GraphQL\Validator\Rules\QueryDepth;
 
 /**
  * The main GraphQL configuration and request entry point.
@@ -59,7 +62,10 @@
  *     "endpoint",
  *     "debug_flag",
  *     "caching",
- *     "batching"
+ *     "batching",
+ *     "disable_introspection",
+ *     "query_depth",
+ *     "query_complexity"
  *   },
  *   links = {
  *     "collection" = "/admin/config/graphql/servers",
@@ -498,10 +504,69 @@ protected function getValidationRules() {
         return [];
       }
 
-      return array_values(DocumentValidator::defaultRules());
+      $rules = array_values(DocumentValidator::defaultRules());
+      if ($this->getDisableIntrospection()) {
+        $rules[DisableIntrospection::class] = new DisableIntrospection();
+      }
+      if ($this->getQueryDepth()) {
+        $rules[QueryDepth::class] = new QueryDepth($this->query_depth);
+      }
+      if ($this->getQueryComplexity()) {
+        $rules[QueryComplexity::class] = new QueryComplexity($this->query_complexity);
+      }
+
+      return $rules;
     };
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function getDisableIntrospection() {
+    return (bool) $this->get('disable_introspection');
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function setDisableIntrospection($introspection) {
+    $this->set('disable_introspection', $introspection);
+    return $this;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getQueryDepth() {
+    return $this->get('query_depth');
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function setQueryDepth($depth) {
+    $this->set('query_depth', $depth);
+    return $this;
+  }
+
+  /**
+   * Gets query complexity config.
+   *
+   * @return int|null
+   *   The query complexity, NULL otherwise.
+   */
+  public function getQueryComplexity() {
+    return $this->get('query_complexity');
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function setQueryComplexity($complexity) {
+    $this->set('query_complexity', $complexity);
+    return $this;
+  }
+
   /**
    * {@inheritDoc}
    */

src/Entity/ServerInterface.php

@@ -71,4 +71,58 @@ public function getPersistedQueryInstances();
    */
   public function getSortedPersistedQueryInstances();
 
+  /**
+   * Gets disable introspection config.
+   *
+   * @return bool
+   *   The disable introspection config, FALSE otherwise.
+   */
+  public function getDisableIntrospection();
+
+  /**
+   * Sets disable introspection config.
+   *
+   * @param bool $introspection
+   *   The value for the disable introspection config.
+   *
+   * @return $this
+   */
+  public function setDisableIntrospection($introspection);
+
+  /**
+   * Gets query depth config.
+   *
+   * @return int|null
+   *   The query depth, NULL otherwise.
+   */
+  public function getQueryDepth();
+
+  /**
+   * Sets query depth config.
+   *
+   * @param int $depth
+   *   The value for the query depth config.
+   *
+   * @return $this
+   */
+  public function setQueryDepth($depth);
+
+  /**
+   * Gets query complexity config.
+   *
+   * @return int|null
+   *   The query complexity, NULL otherwise.
+   */
+  public function getQueryComplexity();
+
+  /**
+   * Sets query complexity config.
+   *
+   * @param int $complexity
+   *   The value for the query complexity config.
+   *
+   * @return $this
+   */
+  public function setQueryComplexity($complexity);
+
 }

src/Form/ServerForm.php

@@ -186,6 +186,32 @@ public function form(array $form, FormStateInterface $formState): array {
       '#description' => $this->t('Whether caching of queries and partial results is enabled.'),
     ];
 
+    $form['validation'] = [
+      '#title' => $this->t('Validation rules'),
+      '#type' => 'fieldset',
+    ];
+
+    $form['validation']['disable_introspection'] = [
+      '#title' => $this->t('Disable introspection'),
+      '#type' => 'checkbox',
+      '#default_value' => $server->getDisableIntrospection(),
+      '#description' => $this->t('Security rule: Whether introspection should be disabled.'),
+    ];
+
+    $form['validation']['query_depth'] = [
+      '#title' => $this->t('Max query depth'),
+      '#type' => 'number',
+      '#default_value' => $server->getQueryDepth(),
+      '#description' => $this->t('Security rule: The maximum allowed depth of nested queries. Leave empty to set unlimited.'),
+    ];
+
+    $form['validation']['query_complexity'] = [
+      '#title' => $this->t('Max query complexity'),
+      '#default_value' => $server->getQueryComplexity(),
+      '#type' => 'number',
+      '#description' => $this->t('Security rule: The maximum allowed complexity of a query. Leave empty to set unlimited.'),
+    ];
+
     $debug_flags = $server->get('debug_flag') ?? 0;
     $form['debug_flag'] = [
       '#title' => $this->t('Debug settings'),