Add non-local and recursive selection limits (#3238)

Certain query patterns may cause resource exhaustion.

Corrects a set of denial-of-service (DOS) vulnerabilities that made it
possible for an attacker to render gateway inoperable with certain
simple query patterns due to uncontrolled resource consumption. All
prior-released versions and configurations are vulnerable.

See the associated GitHub Advisories
[GHSA-q2f9-x4p4-7xmh](GHSA-q2f9-x4p4-7xmh)
and
[GHSA-p2q6-pwh5-m6jr](GHSA-p2q6-pwh5-m6jr)
for more information.

---------

Co-authored-by: Chris Lenfest <[email protected]>

Author: sachindshinde

.changeset/five-suits-drum.md

@@ -0,0 +1,10 @@
+---
+"@apollo/query-planner": patch
+"@apollo/query-graphs": patch
+"@apollo/federation-internals": patch
+"@apollo/gateway": patch
+---
+
+Corrects a set of denial-of-service (DOS) vulnerabilities that made it possible for an attacker to render gateway inoperable with certain simple query patterns due to uncontrolled resource consumption. All prior-released versions and configurations are vulnerable.
+
+See the associated GitHub Advisories [GHSA-q2f9-x4p4-7xmh](https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh) and [GHSA-p2q6-pwh5-m6jr](https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr) for more information.

.cspell/cspell-dict.txt

@@ -178,6 +178,7 @@ quer
 Queryf
 reacheable
 reasonse
+rebaseable
 recusive
 redeclaration
 refered

gateway-js/src/index.ts

@@ -155,6 +155,16 @@ export class ApolloGateway implements GatewayInterface {
   private experimental_didResolveQueryPlan?: Experimental_DidResolveQueryPlanCallback;
   // Used to communicate supergraph updates
   private experimental_didUpdateSupergraph?: Experimental_DidUpdateSupergraphCallback;
+  // Used to disable the recursive selections limit in query planner. Setting
+  // this to `true` is not advised if gateway is being used to serve queries
+  // outside your control, as doing so will leave query planner susceptible to
+  // denial-of-service attacks.
+  private recursiveSelectionsLimitDisabled: boolean;
+  // Used to disable the non-local selections limit in query planner. Setting
+  // this to `true` is not advised if gateway is being used to serve queries
+  // outside your control, as doing so will leave query planner susceptible to
+  // denial-of-service attacks.
+  private nonLocalSelectionsLimitDisabled: boolean;
   // how often service defs should be loaded/updated
   private pollIntervalInMs?: number;
   // Functions to call during gateway cleanup (when stop() is called)
@@ -180,6 +190,22 @@ export class ApolloGateway implements GatewayInterface {
     this.experimental_didUpdateSupergraph =
       config?.experimental_didUpdateSupergraph;
 
+    // Check environment variables to see whether the query planner's recursive
+    // selections limit should be disabled. Setting this variable to `true` is
+    // not advised if gateway is being used to serve queries outside your
+    // control, as doing so will leave query planner susceptible to
+    // denial-of-service attacks.
+    this.recursiveSelectionsLimitDisabled =
+      process.env.APOLLO_DISABLE_SECURITY_RECURSIVE_SELECTIONS_CHECK === 'true';
+
+    // Check environment variables to see whether the query planner's non-local
+    // selections limit should be disabled. Setting this variable to `true` is
+    // not advised if gateway is being used to serve queries outside your
+    // control, as doing so will leave query planner susceptible to
+    // denial-of-service attacks.
+    this.nonLocalSelectionsLimitDisabled =
+      process.env.APOLLO_DISABLE_SECURITY_NON_LOCAL_SELECTIONS_CHECK === 'true';
+
     if (isManagedConfig(this.config)) {
       this.pollIntervalInMs =
         this.config.fallbackPollIntervalInMs ?? this.config.pollIntervalInMs;
@@ -806,7 +832,12 @@ export class ApolloGateway implements GatewayInterface {
                     { operationName: request.operationName },
                   );
                   // TODO(#631): Can we be sure the query planner has been initialized here?
-                  return this.queryPlanner!.buildQueryPlan(operation);
+                  return this.queryPlanner!.buildQueryPlan(operation, {
+                    recursiveSelectionsLimitDisabled:
+                      this.recursiveSelectionsLimitDisabled,
+                    nonLocalSelectionsLimitDisabled:
+                      this.nonLocalSelectionsLimitDisabled,
+                  });
                 } catch (err) {
                   recordExceptions(span, [err], this.config.telemetry);
                   span.setStatus({ code: SpanStatusCode.ERROR });

internals-js/src/operations.ts

@@ -3650,7 +3650,7 @@ class InlineFragmentSelection extends FragmentSelection {
   }
 }
 
-class FragmentSpreadSelection extends FragmentSelection {
+export class FragmentSpreadSelection extends FragmentSelection {
   private computedKey: string | undefined;
 
   constructor(

query-graphs-js/src/index.ts

@@ -7,3 +7,4 @@ export * from './pathContext';
 export * from './conditionsCaching';
 export * from './conditionsValidation';
 export * from './mermaid';
+export * from './nonLocalSelectionsEstimation';