Merge branch 'main' into renovate/envelop

Author: M0ngi

.changeset/bright-seals-relate.md

@@ -0,0 +1,5 @@
+---
+"@escape.tech/graphql-armor-max-depth": patch
+---
+
+fix: max-depth bypass using fragment cache

.changeset/hip-cheetahs-eat.md

@@ -0,0 +1,5 @@
+---
+"@escape.tech/graphql-armor-max-depth": patch
+---
+
+fix: max-depth ignore only Field Node named __schema

package.json

@@ -52,7 +52,7 @@
   ],
   "volta": {
     "node": "24.2.0",
-    "yarn": "1.22.22"
+    "yarn": "4.9.2"
   },
   "engines": {
     "node": ">=18.0.0"

packages/plugins/max-depth/src/index.ts

@@ -76,7 +76,12 @@ class MaxDepthVisitor {
     node: FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode,
     parentDepth = 0,
   ): number {
-    if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
+    if (
+      this.config.ignoreIntrospection &&
+      'name' in node &&
+      node.name?.value === '__schema' &&
+      node.kind === Kind.FIELD
+    ) {
       return 0;
     }
     let depth = parentDepth;
@@ -93,20 +98,20 @@ class MaxDepthVisitor {
         }
       }
     } else if (node.kind == Kind.FRAGMENT_SPREAD) {
+      if (!this.config.flattenFragments) {
+        parentDepth += 1;
+      }
+
       if (this.visitedFragments.has(node.name.value)) {
-        return this.visitedFragments.get(node.name.value) ?? 0;
+        return parentDepth + (this.visitedFragments.get(node.name.value) ?? 0);
       } else {
         this.visitedFragments.set(node.name.value, -1);
       }
       const fragment = this.context.getFragment(node.name.value);
       if (fragment) {
-        let fragmentDepth;
-        if (this.config.flattenFragments) {
-          fragmentDepth = this.countDepth(fragment, parentDepth);
-        } else {
-          fragmentDepth = this.countDepth(fragment, parentDepth + 1);
-        }
-        depth = Math.max(depth, fragmentDepth);
+        let fragmentDepth = this.countDepth(fragment, 0);
+
+        depth = Math.max(depth, parentDepth + fragmentDepth);
         if (this.visitedFragments.get(node.name.value) === -1) {
           this.visitedFragments.set(node.name.value, fragmentDepth);
         }

packages/plugins/max-depth/test/index.spec.ts

@@ -191,7 +191,7 @@ describe('maxDepthPlugin', () => {
     assertSingleExecutionValue(result);
     expect(result.errors).toBeDefined();
     expect(result.errors?.map((error) => error.message)).toContain(
-      'Syntax Error: Query depth limit of 3 exceeded, found 4.',
+      'Syntax Error: Query depth limit of 3 exceeded, found 5.',
     );
   });
 
@@ -239,4 +239,69 @@ describe('maxDepthPlugin', () => {
       `Syntax Error: Query depth limit of ${maxDepth} exceeded, found ${maxDepth + 1}.`,
     ]);
   });
+
+  it('rejects for fragment named `__schema` exceeding max depth', async () => {
+    const bypass_query = `
+      query {
+        books {
+          author {
+            books {
+              author {
+                ...__schema
+              }
+            }
+          }
+        }
+      }
+      fragment __schema on Author {
+        books {
+          title
+        }
+      }
+    `;
+    const maxDepth = 6;
+    const testkit = createTestkit([maxDepthPlugin({ n: maxDepth, exposeLimits: true })], schema);
+    const result = await testkit.execute(bypass_query);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.map((error) => error.message)).toEqual([
+      `Syntax Error: Query depth limit of ${maxDepth} exceeded, found ${maxDepth + 2}.`,
+    ]);
+  });
+
+  it('rejects for exceeding max depth by reusing a cached Fragment', async () => {
+    const bypass_query = `
+      query {
+        books {
+          author {
+            ...Test
+          }
+        }
+        books {
+          author {
+            books {
+              author {
+                ...Test
+              }
+            }
+          }
+        }
+      }
+      fragment Test on Author {
+        books {
+          title
+        }
+      }
+    `;
+    const maxDepth = 6;
+    const testkit = createTestkit([maxDepthPlugin({ n: maxDepth, exposeLimits: true })], schema);
+    const result = await testkit.execute(bypass_query);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.map((error) => error.message)).toEqual([
+      `Syntax Error: Query depth limit of ${maxDepth} exceeded, found ${maxDepth + 2}.`,
+    ]);
+  });
 });