AC-1120: Turn off the input limit for RESTful endpoints by default and create a CLI command to turn them on

Author: nathanjosiah

app/code/Magento/GraphQl/etc/adminhtml/system.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Representation of Webapi module in System Configuration (Magento admin panel).
+ *
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
+    <system>
+        <section id="graphql" translate="label" type="text" sortOrder="103" showInDefault="1" showInWebsite="1" showInStore="1">
+            <label>Magento GraphQl</label>
+            <tab>service</tab>
+            <resource>Magento_GraphQl::config_graphql</resource>
+            <group id="validation" translate="label" type="text" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
+                <label>Input Limits</label>
+                <field id="input_limit_enabled" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <label>Enable Input Limits</label>
+                </field>
+                <field id="maximum_page_size" translate="label comment" type="text" sortOrder="15" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <label>Maximum Page Size</label>
+                    <comment>Maximum number of items allowed in a paginated search result.</comment>
+                    <depends>
+                        <field id="input_limit_enabled">1</field>
+                    </depends>
+                </field>
+            </group>
+        </section>
+    </system>
+</config>
+

app/code/Magento/Webapi/etc/adminhtml/system.xml

@@ -20,6 +20,31 @@
                     <comment>If empty, UTF-8 will be used.</comment>
                 </field>
             </group>
+            <group id="validation" translate="label" type="text" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
+                <label>Input Limits</label>
+                <field id="input_limit_enabled" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <label>Enable Input Limits</label>
+                </field>
+                <field id="complex_array_limit" translate="label comment" type="text" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <label>Complex Array Limit</label>
+                    <comment>Maximum number of items allowed in an entity's array property.</comment>
+                    <depends>
+                        <field id="input_limit_enabled">1</field>
+                    </depends>
+                </field>
+                <field id="maximum_page_size" translate="label comment" type="text" sortOrder="15" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <label>Maximum Page Size</label>
+                    <comment>Maximum number of items allowed in a paginated search result.</comment>
+                    <depends>
+                        <field id="input_limit_enabled">1</field>
+                    </depends>
+                </field>
+                <field id="default_page_size" translate="label comment" type="text" sortOrder="20" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <label>Default Page Size</label>
+                    <comment>Default number of items a paginated search result.</comment>
+                </field>
+            </group>
         </section>
     </system>
 </config>

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/Validator/ConfigProvider.php

@@ -0,0 +1,64 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query\Resolver\Argument\Validator;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Store\Model\ScopeInterface;
+
+/**
+ * Provides configuration related to the GraphQL input limit validation
+ */
+class ConfigProvider
+{
+    /**
+     * Path to the configuration setting for if the input limiting is enabled
+     */
+    public const CONFIG_PATH_INPUT_LIMIT_ENABLED = 'graphql/validation/input_limit_enabled';
+
+    /**
+     * Path to the configuration setting for maximum page size allowed
+     */
+    public const CONFIG_PATH_MAXIMUM_PAGE_SIZE = 'graphql/validation/maximum_page_size';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * @param ScopeConfigInterface $scopeConfig
+     */
+    public function __construct(ScopeConfigInterface $scopeConfig)
+    {
+        $this->scopeConfig = $scopeConfig;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function isInputLimitingEnabled(): bool
+    {
+        return $this->scopeConfig->isSetFlag(
+            self::CONFIG_PATH_INPUT_LIMIT_ENABLED,
+            ScopeInterface::SCOPE_STORE
+        );
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getMaximumPageSize(): ?int
+    {
+        $value = $this->scopeConfig->getValue(
+            self::CONFIG_PATH_MAXIMUM_PAGE_SIZE,
+            ScopeInterface::SCOPE_STORE
+        );
+        return isset($value) ? (int)$value : null;
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/Validator/SearchCriteriaValidator.php

@@ -8,6 +8,7 @@
 
 namespace Magento\Framework\GraphQl\Query\Resolver\Argument\Validator;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\GraphQl\Config\Element\Field;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Resolver\Argument\ValidatorInterface;
@@ -22,22 +23,36 @@ class SearchCriteriaValidator implements ValidatorInterface
      */
     private $maxPageSize;
 
+    /**
+     * @var ConfigProvider|null
+     */
+    private $configProvider;
+
     /**
      * @param int $maxPageSize
+     * @param ConfigProvider|null $configProvider
      */
-    public function __construct(int $maxPageSize)
+    public function __construct(int $maxPageSize, ?ConfigProvider $configProvider = null)
     {
         $this->maxPageSize = $maxPageSize;
+        $this->configProvider = $configProvider ?? ObjectManager::getInstance()
+            ->get(ConfigProvider::class);
     }
 
     /**
      * @inheritDoc
      */
     public function validate(Field $field, $args): void
     {
-        if (isset($args['pageSize']) && $args['pageSize'] > $this->maxPageSize) {
+        if (!$this->configProvider->isInputLimitingEnabled()) {
+            return;
+        }
+
+        $max = $this->configProvider->getMaximumPageSize() ?? $this->maxPageSize;
+
+        if (isset($args['pageSize']) && $args['pageSize'] > $max) {
             throw new GraphQlInputException(
-                __("Maximum pageSize is %max", ['max' => $this->maxPageSize])
+                __("Maximum pageSize is %max", ['max' => $max])
             );
         }
     }

lib/internal/Magento/Framework/GraphQl/Test/Unit/Query/Resolver/Argument/Validator/SearchCriteriaValidatorTest.php

@@ -10,34 +10,102 @@
 
 use Magento\Framework\GraphQl\Config\Element\Field;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\ConfigProvider;
 use Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator;
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
 /**
  * Verify behavior of graphql search criteria validator
  */
 class SearchCriteriaValidatorTest extends TestCase
 {
+    /**
+     * @var ConfigProvider|MockObject
+     */
+    private $configProvider;
+
+    /**
+     * @var SearchCriteriaValidator
+     */
+    private $validator;
+
+    protected function setUp(): void
+    {
+        $this->configProvider = self::getMockBuilder(ConfigProvider::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->validator = new SearchCriteriaValidator(3, $this->configProvider);
+    }
+
+    /**
+     * @doesNotPerformAssertions
+     */
+    public function testValidValueWithDisabledDefaultConfig()
+    {
+        $this->configProvider->method('isInputLimitingEnabled')
+            ->willReturn(false);
+        $field = self::getMockBuilder(Field::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->validator->validate($field, ['pageSize' => 50]);
+    }
+
     /**
      * @doesNotPerformAssertions
      */
     public function testValidValue()
     {
-        $validator = new SearchCriteriaValidator(3);
+        $this->configProvider->method('isInputLimitingEnabled')
+            ->willReturn(false);
         $field = self::getMockBuilder(Field::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $validator->validate($field, ['pageSize' => 3]);
+        $this->validator->validate($field, ['pageSize' => 3]);
     }
 
-    public function testValidInvalidMaxValue()
+    /**
+     * @doesNotPerformAssertions
+     */
+    public function testValidValueWithConfig()
+    {
+        $this->configProvider->method('isInputLimitingEnabled')
+            ->willReturn(true);
+        $this->configProvider->method('getMaximumPageSize')
+            ->willReturn(10);
+
+        $field = self::getMockBuilder(Field::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->validator->validate($field, ['pageSize' => 10]);
+    }
+
+    public function testInvalidMaxValue()
     {
         $this->expectException(GraphQlInputException::class);
         $this->expectExceptionMessage("Maximum pageSize is 3");
-        $validator = new SearchCriteriaValidator(3);
+
+        $this->configProvider->method('isInputLimitingEnabled')
+            ->willReturn(true);
+        $field = self::getMockBuilder(Field::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->validator->validate($field, ['pageSize' => 4]);
+    }
+
+    public function testInvalidValueWithConfig()
+    {
+        $this->expectException(GraphQlInputException::class);
+        $this->expectExceptionMessage("Maximum pageSize is 10");
+
+        $this->configProvider->method('isInputLimitingEnabled')
+            ->willReturn(true);
+        $this->configProvider->method('getMaximumPageSize')
+            ->willReturn(10);
+
         $field = self::getMockBuilder(Field::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $validator->validate($field, ['pageSize' => 4]);
+        $this->validator->validate($field, ['pageSize' => 11]);
     }
 }

lib/internal/Magento/Framework/Webapi/InputLimit/DefaultPageSizeSetter.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Webapi\InputLimit;
+
+use Magento\Framework\Api\SearchCriteriaInterface;
+use Magento\Framework\Webapi\Validator\ConfigProvider;
+
+/**
+ * Sets the default page size with the configured input limits
+ */
+class DefaultPageSizeSetter
+{
+    /**
+     * @var ConfigProvider
+     */
+    private $validationConfigProvider;
+
+    /**
+     * @param ConfigProvider $validationConfigProvider
+     */
+    public function __construct(ConfigProvider $validationConfigProvider)
+    {
+        $this->validationConfigProvider = $validationConfigProvider;
+    }
+
+    /**
+     * Set the default page size if needed using the optional parameter as a fallback value
+     *
+     * @param SearchCriteriaInterface $searchCriteria The search criteria to manipulate
+     * @param int|null $defaultPageSizeFallback The fallback value if limiting is enabled but a limit has not been set
+     */
+    public function processSearchCriteria(
+        SearchCriteriaInterface $searchCriteria,
+        int $defaultPageSizeFallback = null
+    ): void {
+        if ($searchCriteria->getPageSize() === null
+            && $this->validationConfigProvider->isInputLimitingEnabled()
+        ) {
+            $searchCriteria->setPageSize(
+                $this->validationConfigProvider->getDefaultPageSize() ?? $defaultPageSizeFallback
+            );
+        }
+    }
+}

lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php

@@ -24,6 +24,7 @@
 use Magento\Framework\Webapi\Exception as WebapiException;
 use Magento\Framework\Webapi\CustomAttribute\PreprocessorInterface;
 use Laminas\Code\Reflection\ClassReflection;
+use Magento\Framework\Webapi\InputLimit\DefaultPageSizeSetter;
 use Magento\Framework\Webapi\Validator\ServiceInputValidatorInterface;
 
 /**
@@ -97,6 +98,11 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface
      */
     private $defaultPageSize;
 
+    /**
+     * @var DefaultPageSizeSetter|null
+     */
+    private $defaultPageSizeSetter;
+
     /**
      * Initialize dependencies.
      *
@@ -110,6 +116,8 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface
      * @param array $customAttributePreprocessors
      * @param ServiceInputValidatorInterface|null $serviceInputValidator
      * @param int $defaultPageSize
+     * @param DefaultPageSizeSetter|null $defaultPageSizeSetter
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         TypeProcessor $typeProcessor,
@@ -121,7 +129,8 @@ public function __construct(
         ConfigInterface $config = null,
         array $customAttributePreprocessors = [],
         ServiceInputValidatorInterface $serviceInputValidator = null,
-        int $defaultPageSize = 20
+        int $defaultPageSize = 20,
+        ?DefaultPageSizeSetter $defaultPageSizeSetter = null
     ) {
         $this->typeProcessor = $typeProcessor;
         $this->objectManager = $objectManager;
@@ -136,6 +145,8 @@ public function __construct(
         $this->serviceInputValidator = $serviceInputValidator
             ?: ObjectManager::getInstance()->get(ServiceInputValidatorInterface::class);
         $this->defaultPageSize = $defaultPageSize >= 10 ? $defaultPageSize : 10;
+        $this->defaultPageSizeSetter = $defaultPageSizeSetter ?? ObjectManager::getInstance()
+            ->get(DefaultPageSizeSetter::class);
     }
 
     /**
@@ -309,10 +320,8 @@ protected function _createFromArray($className, $data)
             }
         }
 
-        if ($object instanceof SearchCriteriaInterface
-            && $object->getPageSize() === null
-        ) {
-            $object->setPageSize($this->defaultPageSize);
+        if ($object instanceof SearchCriteriaInterface) {
+            $this->defaultPageSizeSetter->processSearchCriteria($object, $this->defaultPageSize);
         }
 
         return $object;