Merge remote-tracking branch 'origin/AC-14323' into cia-2.4.9-alpha2-develop-bugfix-07022025

Author: Nishant Rana

app/code/Magento/GraphQl/etc/adminhtml/system.xml

@@ -1,10 +1,8 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Representation of Webapi module in System Configuration (Magento admin panel).
- *
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
@@ -25,6 +23,19 @@
                         <field id="input_limit_enabled">1</field>
                     </depends>
                 </field>
+                <field id="alias_limit_enabled" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1">
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <label>Enable Maximum Alias Limit</label>
+                    <config_path>graphql/validation/alias_limit_enabled</config_path>
+                </field>
+                <field id="maximum_alias_allowed" translate="label comment" type="text" sortOrder="15" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
+                    <label>Maximum Alias Allowed</label>
+                    <comment>Maximum number of aliases allowed in a graphql request.</comment>
+                    <config_path>graphql/validation/maximum_alias_allowed</config_path>
+                    <depends>
+                        <field id="alias_limit_enabled">1</field>
+                    </depends>
+                </field>
             </group>
             <group id="graphql_session" translate="label" type="text" sortOrder="20" showInDefault="0" showInWebsite="0" showInStore="0">
                 <label>GraphQl Session Management</label>

app/code/Magento/GraphQl/etc/config.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -17,6 +17,10 @@
             <session>
                 <disable>0</disable>
             </session>
+            <validation>
+                <alias_limit_enabled>1</alias_limit_enabled>
+                <maximum_alias_allowed>10</maximum_alias_allowed>
+            </validation>
         </graphql>
     </default>
 </config>

app/design/adminhtml/Magento/backend/i18n/en_US.csv

@@ -224,6 +224,7 @@ dummy,dummy
 "The ""%1"" field name is unknown. Verify the field name and try again.","The ""%1"" field name is unknown. Verify the field name and try again."
 "Enum type ""%1"" not defined","Enum type ""%1"" not defined"
 "Max query complexity should be %1 but got %2.","Max query complexity should be %1 but got %2."
+"Max Aliases in query should be %1 but got %2.","Max Aliases in query should be %1 but got %2."
 "%1 operator not supported","%1 operator not supported"
 "Can't support nested operators","Can't support nested operators"
 "Nesting ""OR"" node type not supported","Nesting ""OR"" node type not supported"

app/design/frontend/Magento/blank/i18n/en_US.csv

@@ -197,6 +197,7 @@
 "Key must not exceed %1 bytes.","Key must not exceed %1 bytes."
 "Layout must be initialized","Layout must be initialized"
 "Max query complexity should be %1 but got %2.","Max query complexity should be %1 but got %2."
+"Max Aliases in query should be %1 but got %2.","Max Aliases in query should be %1 but got %2."
 "Maximum items of type ""%type"" is %max","Maximum items of type ""%type"" is %max"
 "Maximum pageSize is %max","Maximum pageSize is %max"
 "Maximum SearchCriteria pageSize is %max","Maximum SearchCriteria pageSize is %max"

app/design/frontend/Magento/luma/i18n/en_US.csv

@@ -212,6 +212,7 @@
 "Layout must be initialized","Layout must be initialized"
 "Manage Addresses","Manage Addresses"
 "Max query complexity should be %1 but got %2.","Max query complexity should be %1 but got %2."
+"Max Aliases in query should be %1 but got %2.","Max Aliases in query should be %1 but got %2."
 "Maximum items of type ""%type"" is %max","Maximum items of type ""%type"" is %max"
 "Maximum pageSize is %max","Maximum pageSize is %max"
 "Maximum SearchCriteria pageSize is %max","Maximum SearchCriteria pageSize is %max"

dev/tests/api-functional/testsuite/Magento/GraphQl/Query/QueryComplexityLimiterTest.php

@@ -0,0 +1,125 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Query;
+
+use Magento\TestFramework\Fixture\Config;
+use Magento\TestFramework\TestCase\GraphQlAbstract;
+use Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException;
+
+/**
+ * Test to validate input of Graphql requests
+ */
+class QueryComplexityLimiterTest extends GraphQlAbstract
+{
+    /**
+     * Test for validating query within alias limit
+     */
+    #[
+        Config('graphql/validation/alias_limit_enabled', 1),
+        Config('graphql/validation/maximum_alias_allowed', 3)
+    ]
+    public function testQueryWithinAliasLimit()
+    {
+        $query = <<<QUERY
+        {
+            productOne: products(filter: {sku: {eq: "1"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+            productTwo: products(filter: {sku: {eq: "2"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+            productThree: products(filter: {sku: {eq: "3"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+        }
+        QUERY;
+
+        $response = $this->graphQlQuery($query);
+        $this->assertArrayHasKey('productOne', $response);
+        $this->assertArrayHasKey('productTwo', $response);
+        $this->assertArrayHasKey('productThree', $response);
+    }
+
+    /**
+     * Test for validating query exceeding complexity limit
+     */
+    #[
+        Config('graphql/validation/alias_limit_enabled', 1),
+        Config('graphql/validation/maximum_alias_allowed', 2)
+    ]
+    public function testQueryExeedingAliasLimit()
+    {
+        $query = <<<QUERY
+        {
+             productOne: products(filter: {sku: {eq: "1"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+            productTwo: products(filter: {sku: {eq: "2"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+            productThree: products(filter: {sku: {eq: "3"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+        }
+        QUERY;
+
+        $this->expectException(ResponseContainsErrorsException::class);
+        $this->expectExceptionMessage('Max Aliases in query should be 2 but got 3.');
+        $this->graphQlQuery($query);
+    }
+
+    /**
+     * Test for validating query with alias limit disabled
+     */
+    #[
+        Config('graphql/validation/alias_limit_enabled', 0),
+        Config('graphql/validation/maximum_alias_allowed', 1)
+    ]
+    public function testQueryWithinAliasLimitDisabled()
+    {
+        
+        $query = <<<QUERY
+        {
+            productOne: products(filter: {sku: {eq: "1"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+            productTwo: products(filter: {sku: {eq: "2"}}) {
+                items {
+                    id
+                    name
+                }
+            }
+        }
+        QUERY;
+
+        $response = $this->graphQlQuery($query);
+        $this->assertArrayHasKey('productOne', $response);
+        $this->assertArrayHasKey('productTwo', $response);
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/MaximumAliasConfiguration.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\GraphQl\Query;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+/**
+ * Class for fetching the maximum allowed alias count in graphql request
+ */
+class MaximumAliasConfiguration
+{
+    /**
+     * Constant for maximum alias allowed value config path
+     */
+    private const CONFIG_PATH_MAXIMUM_ALIAS_ALLOWED = 'graphql/validation/maximum_alias_allowed';
+
+    /**
+     * Constant for maximum alias enable config path
+     */
+    private const CONFIG_PATH_MAXIMUM_ALIAS_ENABLED = 'graphql/validation/alias_limit_enabled';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfigInterface;
+
+    /**
+     * @param scopeConfigInterfacee $scopeConfigInterface
+     */
+    public function __construct(
+        ScopeConfigInterface $scopeConfigInterface
+    ) {
+        $this->scopeConfigInterface = $scopeConfigInterface;
+    }
+
+    /**
+     * Check the environment config to get the maximum allowed alias in graphql request.
+     *
+     * @return int
+     */
+    public function getMaximumAliasAllowed(): int
+    {
+        return (int) $this->scopeConfigInterface->getValue(self::CONFIG_PATH_MAXIMUM_ALIAS_ALLOWED);
+    }
+
+    /**
+     * Check the environment config to check if maximum alias limit is enabled.
+     *
+     * @return bool
+     */
+    public function isMaximumAliasLimitEnabled(): bool
+    {
+        return (bool) $this->scopeConfigInterface->getValue(self::CONFIG_PATH_MAXIMUM_ALIAS_ENABLED);
+    }
+}

lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php

@@ -1,14 +1,16 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2018 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
 namespace Magento\Framework\GraphQl\Query;
 
 use GraphQL\Language\AST\DocumentNode;
+use GraphQL\Language\AST\FieldNode;
 use GraphQL\Language\AST\NodeKind;
+use GraphQL\Language\AST\SelectionSetNode;
 use GraphQL\Language\Visitor;
 use GraphQL\Validator\DocumentValidator;
 use GraphQL\Validator\Rules\DisableIntrospection;
@@ -49,6 +51,11 @@ class QueryComplexityLimiter
      */
     private $queryParser;
 
+    /**
+     * @var MaximumAliasConfiguration
+     */
+    private $maximumAliasConfiguration;
+
     /**
      * @var array
      */
@@ -61,17 +68,21 @@ class QueryComplexityLimiter
      * @param int $queryComplexity
      * @param IntrospectionConfiguration $introspectionConfig
      * @param QueryParser|null $queryParser
+     * @param MaximumAliasConfiguration|null $maximumAliasConfiguration
      */
     public function __construct(
         int $queryDepth,
         int $queryComplexity,
         IntrospectionConfiguration $introspectionConfig,
-        ?QueryParser $queryParser = null
+        ?QueryParser $queryParser = null,
+        ?MaximumAliasConfiguration $maximumAliasConfiguration = null
     ) {
         $this->queryDepth = $queryDepth;
         $this->queryComplexity = $queryComplexity;
         $this->introspectionConfig = $introspectionConfig;
         $this->queryParser = $queryParser ?: ObjectManager::getInstance()->get(QueryParser::class);
+        $this->maximumAliasConfiguration = $maximumAliasConfiguration ?:
+            ObjectManager::getInstance()->get(MaximumAliasConfiguration::class);
     }
 
     /**
@@ -138,4 +149,64 @@ public function validateFieldCount(DocumentNode|string $query): void
             }
         }
     }
+
+    /**
+     * Performs a preliminary Alias count check before performing more extensive query validation.
+     *
+     * This is necessary for performance optimization, as extremely large number of alias in a request
+     * require a substantial amount of resource can affect server performance.
+     *
+     * @param DocumentNode $query
+     * @return void
+     * @throws GraphQlInputException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function validateAliasCount(DocumentNode $query): void
+    {
+        if ($this->maximumAliasConfiguration->isMaximumAliasLimitEnabled()) {
+            $aliasCount = 0;
+            foreach ($query->definitions as $definition) {
+                if (property_exists($definition, 'selectionSet')) {
+                    $aliasCount += $this->countAliasesInSelectionSet($definition->selectionSet);
+                }
+            }
+            $allowedAliasCount = $this->maximumAliasConfiguration->getMaximumAliasAllowed();
+            if ($aliasCount > $allowedAliasCount) {
+                throw new GraphQlInputException(__(
+                    'Max Aliases in query should be %1 but got %2.',
+                    $allowedAliasCount,
+                    $aliasCount
+                ));
+            }
+        }
+    }
+
+    /**
+     * Performs counting of aliases in a graphql request
+     *
+     * @param ?SelectionSetNode $selectionSet
+     * @return int
+     */
+    private function countAliasesInSelectionSet(?SelectionSetNode $selectionSet): int
+    {
+        if ($selectionSet === null) {
+            return 0;
+        }
+
+        $aliasCount = 0;
+
+        foreach ($selectionSet->selections as $selection) {
+            if ($selection instanceof FieldNode) {
+                if ($selection->alias !== null) {
+                    $aliasCount++;
+                }
+
+                if ($selection->selectionSet !== null) {
+                    $aliasCount += $this->countAliasesInSelectionSet($selection->selectionSet);
+                }
+            }
+        }
+
+        return $aliasCount;
+    }
 }