Mitigate DoS risk from quadratic query validation complexity.

Luigisa · Luigisa · commit 78626703d98f · 2026-04-15T13:40:19.000+02:00
Upgrades webonyx/graphql-php to ^15.31.5 and adapts the module to graphql-php v15 (QueryValidationContext, ValidationRule::getVisitor, persisted query loader naming, OperationParams property access).

Updates PHPUnit tests for current PHPUnit APIs (onlyMethods/addMethods, static data providers).

Addresses the security concern: Potential Denial of Service via quadratic complexity in drupal/graphql query validation.

Credit: David Gallego (gallegodavid) for the fix.
diff --git a/composer.json b/composer.json
@@ -5,7 +5,7 @@
   "homepage": "http://drupal.org/project/graphql",
   "license": "GPL-2.0+",
   "require": {
-    "webonyx/graphql-php": "^14.11.8"
+    "webonyx/graphql-php": "^15.31.5"
   },
   "minimum-stability": "dev"
 }
diff --git a/src/Access/QueryAccessCheck.php b/src/Access/QueryAccessCheck.php
@@ -52,7 +52,7 @@ public function access(AccountInterface $account) {
       // If a query was provided by the user, this is an arbitrary query (it's
       // not a persisted query). Hence, we only grant access if the user has the
       // permission to execute any query.
-      if ($operation->getOriginalInput('query')) {
+      if (isset($operation->originalInput['query'])) {
         return AccessResult::allowedIfHasPermission($account, 'execute graphql requests');
       }
     }
diff --git a/src/GraphQL/Execution/QueryProcessor.php b/src/GraphQL/Execution/QueryProcessor.php
@@ -24,9 +24,9 @@
 use GraphQL\Utils\AST;
 use GraphQL\Utils\TypeInfo;
 use GraphQL\Utils\Utils;
-use GraphQL\Validator\Rules\AbstractValidationRule;
+use GraphQL\Validator\Rules\ValidationRule;
 use GraphQL\Validator\Rules\QueryComplexity;
-use GraphQL\Validator\ValidationContext;
+use GraphQL\Validator\QueryValidationContext;
 use Symfony\Component\HttpFoundation\RequestStack;
 
 /**
@@ -197,7 +197,7 @@ protected function executeOperation(PromiseAdapter $adapter, ServerConfig $confi
       // in the same document, hence this check is sufficient.
       $operation = $params->operation;
       $type = AST::getOperationAST($document, $operation);
-      if ($params->isReadOnly() && $type->operation !== 'query') {
+      if ($params->readOnly && $type->operation !== 'query') {
         throw new RequestError('GET requests are only supported for query operations.');
       }
 
@@ -352,14 +352,14 @@ protected function validateOperation(ServerConfig $config, OperationParams $para
 
     $schema = $config->getSchema();
     $info = new TypeInfo($schema);
-    $validation = new ValidationContext($schema, $document, $info);
-    $visitors = array_values(array_map(function (AbstractValidationRule $rule) use ($validation, $params) {
+    $validation = new QueryValidationContext($schema, $document, $info);
+    $visitors = array_values(array_map(function (ValidationRule $rule) use ($validation, $params) {
       // Set current variable values for QueryComplexity validation rule case.
       // @see \GraphQL\GraphQL::promiseToExecute for equivalent
       if ($rule instanceof QueryComplexity && !empty($params->variables)) {
         $rule->setRawVariableValues($params->variables);
       }
-      return $rule($validation);
+      return $rule->getVisitor($validation);
     }, $rules));
 
     // Run the query visitor with the prepared validation rules and the cache
@@ -434,7 +434,7 @@ protected function resolveValidationRules(ServerConfig $config, OperationParams
    * @throws \GraphQL\Server\RequestError
    */
   protected function loadPersistedQuery(ServerConfig $config, OperationParams $params) {
-    if (!$loader = $config->getPersistentQueryLoader()) {
+    if (!$loader = $config->getPersistedQueryLoader()) {
       throw new RequestError('Persisted queries are not supported by this server.');
     }
 
diff --git a/src/Plugin/GraphQL/Schemas/SchemaPluginBase.php b/src/Plugin/GraphQL/Schemas/SchemaPluginBase.php
@@ -277,7 +277,7 @@ public function getServer() {
     });
 
     $config->setValidationRules(function (OperationParams $params, DocumentNode $document, $operation) {
-      if (isset($params->queryId) && empty($params->getOriginalInput('query'))) {
+      if (isset($params->queryId) && empty($params->originalInput['query'])) {
         // Assume that pre-parsed documents are already validated. This allows
         // us to store pre-validated query documents e.g. for persisted queries
         // effectively improving performance by skipping run-time validation.
@@ -287,7 +287,7 @@ public function getServer() {
       return array_values(DocumentValidator::defaultRules());
     });
 
-    $config->setPersistentQueryLoader([$this->queryProvider, 'getQuery']);
+    $config->setPersistedQueryLoader([$this->queryProvider, 'getQuery']);
     $config->setQueryBatching(TRUE);
     $config->setDebugFlag($this->parameters['development'] ? DebugFlag::INCLUDE_DEBUG_MESSAGE : DebugFlag::NONE);
     $config->setSchema($this->getSchema());
diff --git a/tests/src/Kernel/Framework/BufferedFieldTest.php b/tests/src/Kernel/Framework/BufferedFieldTest.php
@@ -17,7 +17,7 @@ class BufferedFieldTest extends GraphQLTestBase {
    */
   public function testBatchedFields() {
     $buffer = $this->getMockBuilder(BufferBase::class)
-      ->setMethods(['resolveBufferArray'])
+      ->onlyMethods(['resolveBufferArray'])
       ->getMock();
 
     $users = [
diff --git a/tests/src/Traits/MockGraphQLPluginTrait.php b/tests/src/Traits/MockGraphQLPluginTrait.php
@@ -124,14 +124,14 @@ protected function injectTypeSystemPluginManagers(ContainerBuilder $container) {
 
       $mockFactory = $this
         ->getMockBuilder(FactoryInterface::class)
-        ->setMethods([
+        ->onlyMethods([
           'createInstance',
         ])
         ->getMock();
 
       $mockDiscovery = $this
         ->getMockBuilder(DiscoveryInterface::class)
-        ->setMethods([
+        ->onlyMethods([
           'hasDefinition',
           'getDefinitions',
           'getDefinition',
@@ -343,7 +343,7 @@ protected function mockField($id, $definition, $result = NULL, $builder = NULL)
   protected function mockFieldFactory($definition, $result = NULL, $builder = NULL) {
     $field = $this->getMockBuilder(FieldPluginBase::class)
       ->setConstructorArgs([[], $definition['id'], $definition])
-      ->setMethods([
+      ->onlyMethods([
         'resolveValues',
       ])->getMock();
 
@@ -396,7 +396,7 @@ protected function mockType($id, array $definition, $applies = TRUE, $builder =
   protected function mockTypeFactory($definition, $applies = TRUE, $builder = NULL) {
     $type = $this->getMockBuilder(TypePluginBase::class)
       ->setConstructorArgs([[], $definition['id'], $definition])
-      ->setMethods([
+      ->onlyMethods([
         'applies',
       ])->getMock();
 
@@ -486,7 +486,7 @@ protected function mockMutation($id, array $definition, $result = NULL, $builder
   protected function mockMutationFactory($definition, $result = NULL, $builder = NULL) {
     $mutation = $this->getMockBuilder(MutationPluginBase::class)
       ->setConstructorArgs([[], $definition['id'], $definition])
-      ->setMethods([
+      ->addMethods([
         'resolve',
       ])->getMock();
 
@@ -618,7 +618,7 @@ protected function mockEnum($id, array $definition, $values = [], $builder = NUL
   protected function mockEnumFactory($definition, $values = [], $builder = NULL) {
     $enum = $this->getMockBuilder(EnumPluginBase::class)
       ->setConstructorArgs([[], $definition['id'], $definition])
-      ->setMethods([
+      ->onlyMethods([
         'buildEnumValues',
       ])->getMock();
 
diff --git a/tests/src/Unit/StringFormattingTest.php b/tests/src/Unit/StringFormattingTest.php
@@ -44,7 +44,7 @@ public function testPropCaseFormatting($input, $expected) {
   /**
    *
    */
-  public function providerTestStringFormatting() {
+  public static function providerTestStringFormatting() {
     return [
       [['simple-name'], 'SimpleName'],
       [['123-name-with*^&!@some-SPECIAL-chars'], '_123NameWithSomeSPECIALChars'],

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"homepage": "http://drupal.org/project/graphql",`
`6`	`6`	`"license": "GPL-2.0+",`
`7`	`7`	`"require": {`
`8`		`- "webonyx/graphql-php": "^14.11.8"`
	`8`	`+ "webonyx/graphql-php": "^15.31.5"`
`9`	`9`	`},`
`10`	`10`	`"minimum-stability": "dev"`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ public function access(AccountInterface $account) {`
`52`	`52`	`// If a query was provided by the user, this is an arbitrary query (it's`
`53`	`53`	`// not a persisted query). Hence, we only grant access if the user has the`
`54`	`54`	`// permission to execute any query.`
`55`		`- if ($operation->getOriginalInput('query')) {`
	`55`	`+ if (isset($operation->originalInput['query'])) {`
`56`	`56`	`return AccessResult::allowedIfHasPermission($account, 'execute graphql requests');`
`57`	`57`	`}`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ public function testPropCaseFormatting($input, $expected) {`
`44`	`44`	`/**`
`45`	`45`	`*`
`46`	`46`	`*/`
`47`		`- public function providerTestStringFormatting() {`
	`47`	`+ public static function providerTestStringFormatting() {`
`48`	`48`	`return [`
`49`	`49`	`[['simple-name'], 'SimpleName'],`
`50`	`50`	`[['123-name-with*^&!@some-SPECIAL-chars'], '_123NameWithSomeSPECIALChars'],`