Add optional maxDepth and maxAliases execution options #4666
Open
eddieran wants to merge 1 commit into graphql:16.x.x from
Add opt-in depth and alias limits to the execution engine to mitigate denial-of-service attacks via deeply nested queries and alias bombing.

- maxDepth: limits the field nesting depth during execution. When a field exceeds the configured depth, a GraphQLError is raised and the parent field resolves to null (standard error handling).
- maxAliases: limits the number of response keys (including aliases) per selection set. When exceeded, a GraphQLError is raised before the selection set is executed.

Both options are undefined by default, preserving full backwards compatibility. They are passed via ExecutionArgs.options alongside the existing maxCoercionErrors option.

Fixes graphql#4662
@eddieran is attempting to deploy a commit to the GraphQL Foundation Team on Vercel. A member of the Team first needs to authorize it.
yaacovCR (Contributor) requested changes on Apr 15, 2026 and left a comment:
Maybe we could consider adding a fieldDepth property to FieldDetails of type number? Then we wouldn't have to keep recalculating the path length?
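An added sketch, not code from this pull request, of the depth rule the PR describes (string keys count, list indices do not) next to a stored depth counter in the spirit of the comment above, plus a per-selection-set response-key count. All function names, the choice to keep `fieldDepth` on the path node, counting distinct keys, and the sample data are assumptions made for illustration.

```javascript
// Stand-in for the engine's Path linked list: each node points at its parent.
// String keys are response names; numeric keys are list indices.
function addPath(prev, key) {
  return { prev, key };
}

// Rule described in the PR: walk the list and count only string keys, so a
// position inside a list adds nothing. Cost per field: O(path length).
function depthByWalking(path) {
  let depth = 0;
  for (let node = path; node !== undefined; node = node.prev) {
    if (typeof node.key === 'string') depth++;
  }
  return depth;
}

// Alternative: compute the depth once when the node is created and store it,
// so the per-field check is O(1). Kept on the node here (assumption of this sketch).
function addPathWithDepth(prev, key) {
  const parentDepth = prev === undefined ? 0 : prev.fieldDepth;
  const fieldDepth = typeof key === 'string' ? parentDepth + 1 : parentDepth;
  return { prev, key, fieldDepth };
}

// Returns an error message, or null when the field may execute.
// maxDepth === undefined means no limit, the default the PR states.
function checkDepth(depth, maxDepth) {
  if (maxDepth !== undefined && depth > maxDepth) {
    return `Field depth ${depth} exceeds maxDepth ${maxDepth}.`;
  }
  return null;
}

// Distinct response keys in one selection set: the alias when present,
// otherwise the field name (assumed counting rule for this sketch).
function countResponseKeys(selections) {
  return new Set(selections.map((s) => s.alias ?? s.name)).size;
}

// Constructed sample: the path to friends[3].name in { user { friends { name } } }.
function buildSample(add) {
  return ['user', 'friends', 3, 'name'].reduce((p, k) => add(p, k), undefined);
}
```

Both approaches give the same depth for the sample path; the difference is only where the counting cost is paid.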
Summary
Fixes #4662 — the execution engine has no built-in depth or complexity limits, allowing deep recursive queries and alias-bombing to cause denial-of-service via resolver amplification.
This PR adds two opt-in execution options:
- maxDepth — limits the field nesting depth during execution. When a field at depth > maxDepth is encountered, a GraphQLError is raised and the parent field resolves to null (standard nullable error handling). List indices do not count toward depth.
- maxAliases — limits the number of response keys (including aliases) per selection set. This prevents alias-bombing attacks where thousands of aliases for the same field bypass depth-based defenses. When exceeded, a GraphQLError is raised before the selection set executes.

Both options are undefined by default — no limits are applied and existing behavior is fully preserved. They are passed via ExecutionArgs.options alongside the existing maxCoercionErrors:

Implementation details
- executeField by walking the Path linked list (only counting string keys, not list indices)
- executeOperation (root fields) and completeObjectValue (sub-selections) after field collection

Test plan