roostorg · TomHawk123 · Mar 7, 2026 · Mar 10, 2026 · Mar 12, 2026 · Mar 14, 2026
@@ -47,6 +47,7 @@ SCYLLA_REPLICATION_FACTOR='1'
 SCYLLA_COMPACTION_STRATEGY='SizeTieredCompactionStrategy'
 SCYLLA_HAS_ENTERPRISE_FEATURES='false'
 
+GRAPHQL_MAX_DEPTH=10
 EXPOSE_SENSITIVE_IMPLEMENTATION_DETAILS_IN_ERRORS=true
 ALLOW_USER_INPUT_LOCALHOST_URIS=true
 SEQUELIZE_PRINT_LOGS=true

@@ -114,3 +114,4 @@ GROQ_SECRET_KEY=
 
 ITEM_QUEUE_TRAFFIC_PERCENTAGE='0.05'
 UI_URL=http://localhost:3000
+GRAPHQL_MAX_DEPTH=10
@@ -25,6 +25,7 @@ import cors from 'cors';
 import express, { type ErrorRequestHandler } from 'express';
 import session from 'express-session';
 import { buildContext, GraphQLLocalStrategy } from 'graphql-passport';
+import depthLimit from 'graphql-depth-limit';
 import helmet from 'helmet';
 import passport from 'passport';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
@@ -38,6 +39,7 @@ import resolvers from './graphql/resolvers.js';
 import typeDefs from './graphql/schema.js';
 import { authSchemaWrapper } from './graphql/utils/authorization.js';
 import { type Dependencies } from './iocContainer/index.js';
+import { safeGetEnvInt } from './iocContainer/utils.js';
 import controllers from './routes/index.js';
 import { jsonStringify } from './utils/encoding.js';
 import {
@@ -356,6 +358,7 @@ export default async function makeApiServer(deps: Dependencies) {
           : ApolloServerPluginLandingPageGraphQLPlayground()),
       },
     ],
+    validationRules: [depthLimit(safeGetEnvInt('GRAPHQL_MAX_DEPTH', 10))],
     introspection: process.env.NODE_ENV !== 'production',
     formatError(e) {
       // `e` can be an ApolloError instance, but will only be one if such an

@@ -661,3 +661,20 @@ export function safeGetEnvVar(varName: string): string {
     process.env[varName] ?? __throw(new Error(`Missing env var ${varName}`))
   );
 }
+
+/**
+ * Gets an env var and parses it as a positive integer. Returns `defaultValue`
+ * if the variable is unset or invalid, logging an error on misconfiguration.
+ */
+export function safeGetEnvInt(varName: string, defaultValue: number): number {
+  const raw = process.env[varName];
+  if (raw === undefined) return defaultValue;
+  const parsed = parseInt(raw, 10);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    console.error(
+      `Invalid env var ${varName}: expected a positive integer, got ${JSON.stringify(raw)}. Using default value ${defaultValue}.`,
+    );
+    return defaultValue;
+  }
+  return parsed;
+}
@@ -83,6 +83,7 @@
     "fuzzball": "^2.1.2",
     "generic-pool": "^3.8.2",
     "graphql": "^16.0.1",
+    "graphql-depth-limit": "^1.1.0",
     "graphql-passport": "^0.6.4",
     "graphql-scalars": "^1.19.0",
     "helmet": "^4.6.0",
@@ -122,6 +123,7 @@
   "devDependencies": {
     "@faker-js/faker": "^7.5.0",
     "@types/cls-hooked": "^4.3.3",
+    "@types/graphql-depth-limit": "^1.1.6",
     "@types/jest": "^29.2.4",
     "@types/js-yaml": "^4.0.5",
     "@types/stream-json": "^1.7.7",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -114,3 +114,4 @@ GROQ_SECRET_KEY=

		ITEM_QUEUE_TRAFFIC_PERCENTAGE='0.05'
		UI_URL=http://localhost:3000
		GRAPHQL_MAX_DEPTH=10