backport: Introduce "recommended" validation rules

Replicates graphql/graphql-js@c985c27

Author: Cito

docs/modules/validation.rst

@@ -137,6 +137,10 @@ Rules
 
 .. autoclass:: VariablesInAllowedPositionRule
 
+**No spec section: "Maximum introspection depth"**
+
+.. autoclass:: MaxIntrospectionDepthRule
+
 **SDL-specific validation rules**
 
 .. autoclass:: LoneSchemaDefinitionRule

setup.cfg

@@ -13,6 +13,8 @@ addopts = --benchmark-disable
 python_classes = PyTest*
 # Handle all async fixtures and tests automatically by asyncio
 asyncio_mode = auto
+# Default event loop scope used for asynchronous fixtures
+asyncio_default_fixture_loop_scope = function
 # Set a timeout in seconds for aborting tests that run too long.
 timeout = 100
 # Ignore config options not (yet) available in older Python versions.

src/graphql/__init__.py

@@ -378,6 +378,7 @@
     SDLValidationRule,
     # All validation rules in the GraphQL Specification.
     specified_rules,
+    recommended_rules,
     # Individual validation rules.
     ExecutableDefinitionsRule,
     FieldsOnCorrectTypeRule,
@@ -417,6 +418,8 @@
     # Custom validation rules
     NoDeprecatedCustomRule,
     NoSchemaIntrospectionCustomRule,
+    # Recommended validation rules
+    MaxIntrospectionDepthRule,
 )
 
 # Execute GraphQL documents.
@@ -700,6 +703,7 @@
     "ASTValidationRule",
     "SDLValidationRule",
     "specified_rules",
+    "recommended_rules",
     "ExecutableDefinitionsRule",
     "FieldsOnCorrectTypeRule",
     "FragmentsOnCompositeTypesRule",
@@ -736,6 +740,7 @@
     "PossibleTypeExtensionsRule",
     "NoDeprecatedCustomRule",
     "NoSchemaIntrospectionCustomRule",
+    "MaxIntrospectionDepthRule",
     "GraphQLError",
     "GraphQLErrorExtensions",
     "GraphQLFormattedError",

src/graphql/validation/__init__.py

@@ -15,7 +15,7 @@
 from .rules import ValidationRule, ASTValidationRule, SDLValidationRule
 
 # All validation rules in the GraphQL Specification.
-from .specified_rules import specified_rules
+from .specified_rules import specified_rules, recommended_rules
 
 # Spec Section: "Executable Definitions"
 from .rules.executable_definitions import ExecutableDefinitionsRule
@@ -95,6 +95,9 @@
 # Spec Section: "All Variable Usages Are Allowed"
 from .rules.variables_in_allowed_position import VariablesInAllowedPositionRule
 
+# No spec section: "Maximum introspection depth"
+from .rules.max_introspection_depth_rule import MaxIntrospectionDepthRule
+
 # SDL-specific validation rules
 from .rules.lone_schema_definition import LoneSchemaDefinitionRule
 from .rules.unique_operation_types import UniqueOperationTypesRule
@@ -118,6 +121,7 @@
     "ValidationContext",
     "ValidationRule",
     "specified_rules",
+    "recommended_rules",
     "ExecutableDefinitionsRule",
     "FieldsOnCorrectTypeRule",
     "FragmentsOnCompositeTypesRule",
@@ -126,6 +130,7 @@
     "KnownFragmentNamesRule",
     "KnownTypeNamesRule",
     "LoneAnonymousOperationRule",
+    "MaxIntrospectionDepthRule",
     "NoFragmentCyclesRule",
     "NoUndefinedVariablesRule",
     "NoUnusedFragmentsRule",

src/graphql/validation/rules/max_introspection_depth_rule.py

@@ -0,0 +1,81 @@
+"""Max introspection depth rule"""
+
+from typing import Dict, Any
+
+from ...error import GraphQLError
+from ...language import SKIP, FieldNode, FragmentSpreadNode, Node, VisitorAction
+from . import ASTValidationRule, ValidationContext
+
+__all__ = ["MaxIntrospectionDepthRule"]
+
+MAX_LIST_DEPTH = 3
+
+
+class MaxIntrospectionDepthRule(ASTValidationRule):
+    """Checks maximum introspection depth"""
+
+    def __init__(self, context: ValidationContext) -> None:
+        super().__init__(context)
+        self._visited_fragments: Dict[str, None] = {}
+        self._get_fragment = context.get_fragment
+
+    def _check_depth(self, node: Node, depth: int = 0) -> bool:
+        """Check whether the maximum introspection depth has been reached.
+
+        Counts the depth of list fields in "__Type" recursively
+        and returns `True` if the limit has been reached.
+        """
+        if isinstance(node, FragmentSpreadNode):
+            visited_fragments = self._visited_fragments
+            fragment_name = node.name.value
+            if fragment_name in visited_fragments:
+                # Fragment cycles are handled by `NoFragmentCyclesRule`.
+                return False
+            fragment = self._get_fragment(fragment_name)
+            if not fragment:
+                # Missing fragments checks are handled by the `KnownFragmentNamesRule`.
+                return False
+
+            # Rather than following an immutable programming pattern which has
+            # significant memory and garbage collection overhead, we've opted to take
+            # a mutable approach for efficiency's sake. Importantly visiting a fragment
+            # twice is fine, so long as you don't do one visit inside the other.
+            visited_fragments[fragment_name] = None
+            try:
+                return self._check_depth(fragment, depth)
+            finally:
+                del visited_fragments[fragment_name]
+
+        if isinstance(node, FieldNode) and node.name.value in (
+            # check all introspection lists
+            "fields",
+            "interfaces",
+            "possibleTypes",
+            "inputFields",
+        ):
+            depth += 1
+            if depth >= MAX_LIST_DEPTH:
+                return True
+
+        # hendle fields and inline fragments
+        try:
+            selection_set = node.selection_set  # type: ignore[attr-defined]
+        except AttributeError:  # pragma: no cover
+            selection_set = None
+        if selection_set:
+            for child in selection_set.selections:
+                if self._check_depth(child, depth):
+                    return True
+
+        return False
+
+    def enter_field(self, node: FieldNode, *_args: Any) -> VisitorAction:
+        if node.name.value in ("__schema", "__type") and self._check_depth(node):
+            self.report_error(
+                GraphQLError(
+                    "Maximum introspection depth exceeded",
+                    [node],
+                )
+            )
+            return SKIP
+        return None

src/graphql/validation/specified_rules.py

@@ -82,6 +82,9 @@
 # Spec Section: "Input Object Field Uniqueness"
 from .rules.unique_input_field_names import UniqueInputFieldNamesRule
 
+# No spec section: "Maximum introspection depth"
+from .rules.max_introspection_depth_rule import MaxIntrospectionDepthRule
+
 # Schema definition language:
 from .rules.lone_schema_definition import LoneSchemaDefinitionRule
 from .rules.unique_operation_types import UniqueOperationTypesRule
@@ -92,7 +95,13 @@
 from .rules.unique_directive_names import UniqueDirectiveNamesRule
 from .rules.possible_type_extensions import PossibleTypeExtensionsRule
 
-__all__ = ["specified_rules", "specified_sdl_rules"]
+__all__ = ["specified_rules", "specified_sdl_rules", "recommended_rules"]
+
+# Technically these aren't part of the spec but they are strongly encouraged
+# validation rules.
+
+recommended_rules: Tuple[Type[ASTValidationRule], ...] = (MaxIntrospectionDepthRule,)
+"""A tuple with all recommended validation rules."""
 
 
 # This list includes all validation rules defined by the GraphQL spec.
@@ -127,6 +136,7 @@
     VariablesInAllowedPositionRule,
     OverlappingFieldsCanBeMergedRule,
     UniqueInputFieldNamesRule,
+    *recommended_rules,
 )
 """A tuple with all validation rules defined by the GraphQL specification.
 

tests/execution/test_executor.py

@@ -883,6 +883,7 @@ def resolves_to_an_error_if_schema_does_not_support_operation():
         )
 
     @mark.asyncio
+    @mark.filterwarnings("ignore:.* was never awaited:RuntimeWarning")
     async def correct_field_ordering_despite_execution_order():
         schema = GraphQLSchema(
             GraphQLObjectType(