MC-36035: Prevent input based resource allocation

Author: hwyu@adobe.com

app/etc/di.xml

@@ -1927,4 +1927,36 @@
             </argument>
         </arguments>
     </type>
+    <preference for="Magento\Framework\Webapi\Validator\ServiceInputValidatorInterface" type="Magento\Framework\Webapi\Validator\CompositeServiceInputValidator"/>
+    <type name="Magento\Framework\Webapi\Validator\CompositeServiceInputValidator">
+        <arguments>
+            <argument name="validators" xsi:type="array">
+                <item name="entityArrayValidator" xsi:type="object">Magento\Framework\Webapi\Validator\EntityArrayValidator</item>
+                <item name="searchCriteriaValidator" xsi:type="object">Magento\Framework\Webapi\Validator\SearchCriteriaValidator</item>
+            </argument>
+        </arguments>
+    </type>
+    <type name="Magento\Framework\Webapi\Validator\EntityArrayValidator">
+        <arguments>
+            <argument name="complexArrayItemLimit" xsi:type="number">20</argument>
+        </arguments>
+    </type>
+    <type name="Magento\Framework\Webapi\Validator\SearchCriteriaValidator">
+        <arguments>
+            <argument name="maximumPageSize" xsi:type="number">300</argument>
+        </arguments>
+    </type>
+    <preference for="Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface" type="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator"/>
+    <type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
+        <arguments>
+            <argument name="validators" xsi:type="array">
+                <item name="searchCriteriaValidator" xsi:type="object">Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator</item>
+            </argument>
+        </arguments>
+    </type>
+    <type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator">
+        <arguments>
+            <argument name="maxPageSize" xsi:type="number">300</argument>
+        </arguments>
+    </type>
 </config>

dev/tests/api-functional/testsuite/Magento/Framework/Api/Search/SearchTest.php

@@ -38,7 +38,7 @@ public function testCatalogSearch()
                         ]
                     ]
                 ],
-                'page_size' => 999,
+                'page_size' => 300,
                 'current_page' => 0,
             ],
         ];

dev/tests/api-functional/testsuite/Magento/SalesRule/Api/CouponManagementTest.php

@@ -156,7 +156,7 @@ protected function getList($ruleId)
                     ],
                 ],
                 'current_page' => 1,
-                'page_size' => 9999,
+                'page_size' => 300,
             ],
         ];
 

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/Validator/CompositeValidator.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query\Resolver\Argument\Validator;
+
+use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+
+/**
+ * Validate with multiple validators
+ */
+class CompositeValidator implements ValidatorInterface
+{
+    /**
+     * @var array
+     */
+    private $validators;
+
+    /**
+     * @param ValidatorInterface[] $validators
+     * @throws GraphQlInputException
+     */
+    public function __construct(array $validators)
+    {
+        foreach ($validators as $validator) {
+            if (!$validator instanceof ValidatorInterface) {
+                throw new GraphQlInputException(__("Validators must implement " . ValidatorInterface::class));
+            }
+        }
+        $this->validators = $validators;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(Field $field, $args): void
+    {
+        foreach ($this->validators as $validator) {
+            $validator->validate($field, $args);
+        }
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/Validator/SearchCriteriaValidator.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query\Resolver\Argument\Validator;
+
+use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface;
+
+/**
+ * Enforces limits on SearchCriteria arguments
+ */
+class SearchCriteriaValidator implements ValidatorInterface
+{
+    /**
+     * @var int
+     */
+    private $maxPageSize;
+
+    /**
+     * @param int $maxPageSize
+     */
+    public function __construct(int $maxPageSize)
+    {
+        $this->maxPageSize = $maxPageSize;
+    }
+
+    /**
+     * @inheritDoc
+     * @throws GraphQlInputException
+     */
+    public function validate(Field $field, $args): void
+    {
+        if (isset($args['pageSize']) && $args['pageSize'] > $this->maxPageSize) {
+            throw new GraphQlInputException(
+                __("Maximum pageSize is %max", ['max' => $this->maxPageSize])
+            );
+        }
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/ValidatorInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query\Resolver\Argument;
+
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Config\Element\Field;
+
+/**
+ * Validation support for resolver arguments
+ */
+interface ValidatorInterface
+{
+    /**
+     * Validate resolver args
+     *
+     * @param Field $field
+     * @param mixed $args
+     * @throws GraphQlInputException
+     */
+    public function validate(Field $field, $args): void;
+}

lib/internal/Magento/Framework/GraphQl/Query/Resolver/PromiseFactory.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query\Resolver;
+
+use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface;
+use Magento\Framework\GraphQl\Query\Resolver\Factory as ResolverFactory;
+use Magento\Framework\GraphQl\Schema\Type\ResolveInfoFactory;
+
+/**
+ * Create promises that return resolver results
+ */
+class PromiseFactory
+{
+    /**
+     * @var Factory
+     */
+    private $resolverFactory;
+
+    /**
+     * @var ResolveInfoFactory
+     */
+    private $resolveInfoFactory;
+
+    /**
+     * @var ValidatorInterface
+     */
+    private $argumentValidator;
+
+    /**
+     * @param Factory $resolverFactory
+     * @param ResolveInfoFactory $resolveInfoFactory
+     * @param ValidatorInterface $argumentValidator
+     */
+    public function __construct(
+        ResolverFactory $resolverFactory,
+        ResolveInfoFactory $resolveInfoFactory,
+        ValidatorInterface $argumentValidator
+    ) {
+        $this->resolverFactory = $resolverFactory;
+        $this->resolveInfoFactory = $resolveInfoFactory;
+        $this->argumentValidator = $argumentValidator;
+    }
+
+    /**
+     * Create a resolver promise
+     *
+     * @param Field $field
+     * @return callable
+     */
+    public function create(Field $field): callable
+    {
+        $resolver = $this->resolverFactory->createByClass($field->getResolver());
+        return function ($value, $args, $context, $info) use ($resolver, $field) {
+            $wrapperInfo = $this->resolveInfoFactory->create($info);
+            $this->argumentValidator->validate($field, $args);
+            return $resolver->resolve($field, $context, $wrapperInfo, $value, $args);
+        };
+    }
+}

lib/internal/Magento/Framework/GraphQl/Schema/Type/Output/ElementMapper/Formatter/Fields.php

@@ -11,14 +11,13 @@
 use Magento\Framework\GraphQl\Config\Element\Field;
 use Magento\Framework\GraphQl\Config\Element\TypeInterface;
 use Magento\Framework\GraphQl\Config\ConfigElementInterface;
+use Magento\Framework\GraphQl\Query\Resolver\PromiseFactory;
 use Magento\Framework\GraphQl\Schema\Type\Input\InputMapper;
 use Magento\Framework\GraphQl\Schema\Type\Output\ElementMapper\FormatterInterface;
 use Magento\Framework\GraphQl\Schema\Type\Output\OutputMapper;
 use Magento\Framework\GraphQl\Schema\Type\OutputTypeInterface;
 use Magento\Framework\GraphQl\Schema\Type\ScalarTypes;
 use Magento\Framework\ObjectManagerInterface;
-use Magento\Framework\GraphQl\Schema\Type\ResolveInfoFactory;
-use Magento\Framework\GraphQl\Query\Resolver\Factory as ResolverFactory;
 
 /**
  * Convert fields of the given 'type' config element to the objects compatible with GraphQL schema generator.
@@ -51,40 +50,37 @@ class Fields implements FormatterInterface
     private $wrappedTypeProcessor;
 
     /**
-     * @var ResolveInfoFactory
+     * @var PromiseFactory
      */
-    private $resolveInfoFactory;
-
-    /**
-     * @var ResolverFactory
-     */
-    private $resolverFactory;
+    private $promiseFactory;
 
     /**
      * @param ObjectManagerInterface $objectManager
      * @param OutputMapper $outputMapper
      * @param InputMapper $inputMapper
      * @param ScalarTypes $scalarTypes
      * @param WrappedTypeProcessor $wrappedTypeProcessor
-     * @param ResolveInfoFactory $resolveInfoFactory
-     * @param ResolverFactory $resolverFactory
+     * @param mixed $resolveInfoFactory
+     * @param mixed $resolverFactory
+     * @param PromiseFactory|null $promiseFactory
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function __construct(
         ObjectManagerInterface $objectManager,
         OutputMapper $outputMapper,
         InputMapper $inputMapper,
         ScalarTypes $scalarTypes,
         WrappedTypeProcessor $wrappedTypeProcessor,
-        ResolveInfoFactory $resolveInfoFactory,
-        ?ResolverFactory $resolverFactory = null
+        $resolveInfoFactory = null,
+        $resolverFactory = null,
+        ?PromiseFactory $promiseFactory = null
     ) {
         $this->objectManager = $objectManager;
         $this->outputMapper = $outputMapper;
         $this->inputMapper = $inputMapper;
         $this->scalarTypes = $scalarTypes;
         $this->wrappedTypeProcessor = $wrappedTypeProcessor;
-        $this->resolveInfoFactory = $resolveInfoFactory;
-        $this->resolverFactory = $resolverFactory ?? $this->objectManager->get(ResolverFactory::class);
+        $this->promiseFactory = $promiseFactory ?? $this->objectManager->get(PromiseFactory::class);
     }
 
     /**
@@ -161,14 +157,9 @@ private function getFieldConfig(
         }
 
         if ($field->getResolver() != null) {
-            $resolver = $this->resolverFactory->createByClass($field->getResolver());
-
-            $fieldConfig['resolve'] =
-                function ($value, $args, $context, $info) use ($resolver, $field) {
-                    $wrapperInfo = $this->resolveInfoFactory->create($info);
-                    return $resolver->resolve($field, $context, $wrapperInfo, $value, $args);
-                };
+            $fieldConfig['resolve'] = $this->promiseFactory->create($field);
         }
+
         return $this->formatArguments($field, $fieldConfig);
     }
 

lib/internal/Magento/Framework/GraphQl/Test/Unit/Query/Resolver/Argument/Validator/CompositeValidatorTest.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Test\Unit\Query\Resolver\Argument\Validator;
+
+use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Verify behavior of composite validator
+ */
+class CompositeValidatorTest extends TestCase
+{
+    public function testValidate()
+    {
+        $field = self::getMockBuilder(Field::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $args = ['a' => 123];
+        $validatorA = self::getMockBuilder(ValidatorInterface::class)->getMock();
+        $validatorA->expects(self::once())
+            ->method('validate')
+            ->with($field, $args);
+        $validatorB = self::getMockBuilder(ValidatorInterface::class)->getMock();
+        $validatorB->expects(self::once())
+            ->method('validate')
+            ->with($field, $args);
+
+        $composite = new CompositeValidator([$validatorA, $validatorB]);
+        $composite->validate($field, $args);
+    }
+}