graphql-query-depth-limit-esm 2.0.1 → 2.0.4

package/dist/index.js

@@ -20,9 +20,10 @@ import {
 
 // src/directives.ts
 import { Kind } from "graphql";
-var depthDirectiveTypeDefs = `
-  directive @depth(max: Int!) on FIELD_DEFINITION
-`;
+var depthDirectiveTypeDefs = (
+  /* GraphQL */
+  `directive @depth(max: Int!) on FIELD_DEFINITION`
+);
 function getDepthFromDirective(field) {
   if (!field?.astNode?.directives) {
     return void 0;
@@ -42,6 +43,83 @@ function getDepthFromDirective(field) {
 }
 
 // src/ignore.ts
+var QUANTIFIER_CHARS = /* @__PURE__ */ new Set(["+", "*", "?"]);
+var BRACE_QUANTIFIER = /^\{(\d+)(?:,(\d*))?\}/;
+function isUnsafeRegExp(regex) {
+  const source = regex.source;
+  const length = source.length;
+  const groupStack = [];
+  for (let i = 0; i < length; i++) {
+    const char = source.charAt(i);
+    if (char === "\\") {
+      i++;
+      continue;
+    }
+    if (char === "[") {
+      while (i < length && source[i] !== "]") {
+        if (source[i] === "\\") i++;
+        i++;
+      }
+      continue;
+    }
+    if (char === "(") {
+      groupStack.push(false);
+      if (source[i + 1] === "?") {
+        i++;
+        if (source[i + 1] === "<" && (source[i + 2] === "=" || source[i + 2] === "!")) {
+          i += 2;
+        } else if (source[i + 1] === ":" || source[i + 1] === "=" || source[i + 1] === "!") {
+          i++;
+        }
+      }
+      continue;
+    }
+    if (char === ")") {
+      const groupHadQuantifier = groupStack.pop() ?? false;
+      if (groupHadQuantifier && isFollowedByQuantifier(source, i + 1, length)) {
+        return "nested quantifier: group with inner quantifier followed by outer quantifier";
+      }
+      if (groupStack.length > 0 && isFollowedByQuantifier(source, i + 1, length)) {
+        groupStack[groupStack.length - 1] = true;
+      }
+      continue;
+    }
+    if (QUANTIFIER_CHARS.has(char) || char === "{") {
+      if (char === "{") {
+        const match = BRACE_QUANTIFIER.exec(source.slice(i));
+        if (!match) continue;
+        const minStr = match[1] ?? "0";
+        const min = Number.parseInt(minStr, 10);
+        const fullMatch = match[0] ?? "";
+        const hasComma = fullMatch.includes(",");
+        if (!hasComma && min <= 1) continue;
+        if (hasComma && match[2] !== void 0 && match[2] !== "" && Number.parseInt(match[2], 10) <= 1)
+          continue;
+      }
+      if (groupStack.length > 0) {
+        groupStack[groupStack.length - 1] = true;
+      }
+    }
+  }
+  return null;
+}
+function isFollowedByQuantifier(source, pos, length) {
+  if (pos >= length) return false;
+  const char = source[pos];
+  if (char === "+" || char === "*") return true;
+  if (char === "{") {
+    const match = BRACE_QUANTIFIER.exec(source.slice(pos));
+    if (match) {
+      const minStr = match[1] ?? "0";
+      const min = Number.parseInt(minStr, 10);
+      const fullMatch = match[0] ?? "";
+      const hasComma = fullMatch.includes(",");
+      if (!hasComma && min <= 1) return false;
+      return true;
+    }
+  }
+  return false;
+}
 function shouldIgnoreField(fieldName, ignore, caseInsensitive = false, introspectionMode = "typename") {
   if (introspectionMode === "all" && fieldName.startsWith("__")) {
     return true;
@@ -112,8 +190,11 @@ function calculateDepth(caches, config, fragments, maxDepth, node, parentType, s
     if (!frame.node.selectionSet) {
       continue;
     }
-    const nextFrames = [];
-    for (const selection of frame.node.selectionSet.selections) {
+    for (let selectionIndex = frame.node.selectionSet.selections.length - 1; selectionIndex >= 0; selectionIndex--) {
+      const selection = frame.node.selectionSet.selections[selectionIndex];
+      if (!selection) {
+        continue;
+      }
       switch (selection.kind) {
         case Kind2.FIELD: {
           const fieldName = selection.name.value;
@@ -194,7 +275,7 @@ function calculateDepth(caches, config, fragments, maxDepth, node, parentType, s
               deepestViolation = violation;
             }
           }
-          nextFrames.push({
+          stack.push({
             currentDepth: newDepth,
             hasDirectiveLimit,
             ignoredFieldsOnPath,
@@ -218,7 +299,7 @@ function calculateDepth(caches, config, fragments, maxDepth, node, parentType, s
           const fragmentVisited = new Set(frame.visitedFragments);
           fragmentVisited.add(fragmentName);
           const parentType2 = fragment.typeCondition ? resolveTypeCondition(fragment.typeCondition.name.value, schema, frame.parentType) : frame.parentType;
-          nextFrames.push({
+          stack.push({
             currentDepth: frame.currentDepth,
             hasDirectiveLimit: frame.hasDirectiveLimit,
             ignoredFieldsOnPath: frame.ignoredFieldsOnPath,
@@ -232,7 +313,7 @@ function calculateDepth(caches, config, fragments, maxDepth, node, parentType, s
         }
         case Kind2.INLINE_FRAGMENT: {
           const parentType2 = selection.typeCondition ? resolveTypeCondition(selection.typeCondition.name.value, schema, frame.parentType) : frame.parentType;
-          nextFrames.push({
+          stack.push({
             currentDepth: frame.currentDepth,
             hasDirectiveLimit: frame.hasDirectiveLimit,
             ignoredFieldsOnPath: frame.ignoredFieldsOnPath,
@@ -250,12 +331,6 @@ function calculateDepth(caches, config, fragments, maxDepth, node, parentType, s
         }
       }
     }
-    for (let index = nextFrames.length - 1; index >= 0; index--) {
-      const nextFrame = nextFrames[index];
-      if (nextFrame) {
-        stack.push(nextFrame);
-      }
-    }
   }
   return { depth: globalMaxDepth, violation: deepestViolation };
 }
@@ -356,10 +431,129 @@ function resolveTypeCondition(typeConditionName, schema, currentParentType) {
   return currentParentType;
 }
 
-// src/depth-limit.ts
+// src/depth-options.ts
 var DIRECTIVE_MODES = /* @__PURE__ */ new Set(["cap", "override"]);
 var IGNORE_MODES = /* @__PURE__ */ new Set(["exclude", "skip"]);
 var INTROSPECTION_MODES = /* @__PURE__ */ new Set(["all", "none", "typename"]);
+function assertBooleanOption(name, value) {
+  if (value !== void 0 && typeof value !== "boolean") {
+    throw new TypeError(`Invalid ${name}: expected boolean, received ${typeof value}.`);
+  }
+}
+function isIgnoreRule(rule) {
+  return typeof rule === "function" || rule instanceof RegExp || typeof rule === "string";
+}
+function normalizeIgnoreRules(ignore) {
+  if (ignore == null) {
+    return void 0;
+  }
+  const rules = Array.isArray(ignore) ? ignore : [ignore];
+  for (const [index, rule] of rules.entries()) {
+    if (!isIgnoreRule(rule)) {
+      const receivedType = Array.isArray(rule) ? "array" : rule === null ? "null" : typeof rule;
+      throw new TypeError(
+        `Invalid ignore rule at index ${index}: expected string, RegExp, or function, received ${receivedType}.`
+      );
+    }
+    if (rule instanceof RegExp) {
+      const reason = isUnsafeRegExp(rule);
+      if (reason) {
+        throw new TypeError(
+          `Unsafe RegExp ignore rule at index ${index}: /${rule.source}/${rule.flags} - ${reason}. Use a simpler pattern to avoid catastrophic backtracking.`
+        );
+      }
+    }
+  }
+  return rules;
+}
+function normalizeDepthLimitOptions(options) {
+  assertBooleanOption("caseInsensitiveIgnore", options.caseInsensitiveIgnore);
+  if (options.directiveMode !== void 0 && !DIRECTIVE_MODES.has(options.directiveMode)) {
+    throw new TypeError(
+      `Invalid directiveMode: "${options.directiveMode}". Must be "cap" or "override".`
+    );
+  }
+  if (options.ignoreIntrospection !== void 0 && !INTROSPECTION_MODES.has(options.ignoreIntrospection)) {
+    throw new TypeError(
+      `Invalid ignoreIntrospection: "${options.ignoreIntrospection}". Must be "all", "none", or "typename".`
+    );
+  }
+  if (options.ignoreMode !== void 0 && !IGNORE_MODES.has(options.ignoreMode)) {
+    throw new TypeError(
+      `Invalid ignoreMode: "${options.ignoreMode}". Must be "exclude" or "skip".`
+    );
+  }
+  assertBooleanOption("limitIgnoredRecursion", options.limitIgnoredRecursion);
+  assertBooleanOption("shortCircuit", options.shortCircuit);
+  assertBooleanOption("useDirective", options.useDirective);
+  const ignore = normalizeIgnoreRules(options.ignore);
+  return { ...options, ignore };
+}
+function normalizeDepthLimitArgs(options, callback) {
+  if (callback !== void 0 && typeof callback !== "function") {
+    throw new TypeError("Invalid callback: expected a function.");
+  }
+  if (typeof options === "function") {
+    if (callback) {
+      throw new TypeError("Invalid depthLimit arguments: callback provided twice.");
+    }
+    return { callback: options, options: void 0 };
+  }
+  if (options !== void 0 && (options === null || typeof options !== "object" || Array.isArray(options))) {
+    const receivedType = Array.isArray(options) ? "array" : options === null ? "null" : typeof options;
+    throw new TypeError(`Invalid options: expected an object, received ${receivedType}.`);
+  }
+  return {
+    callback,
+    options: options ? normalizeDepthLimitOptions(options) : void 0
+  };
+}
+function createDepthResultRecord() {
+  return /* @__PURE__ */ Object.create(null);
+}
+function createOperationNameAllocator(operations) {
+  const explicitNames = /* @__PURE__ */ new Set();
+  for (const operation of operations) {
+    if (operation.name?.value) {
+      explicitNames.add(operation.name.value);
+    }
+  }
+  const usedNames = /* @__PURE__ */ new Set();
+  const namedCounts = /* @__PURE__ */ new Map();
+  let anonymousCount = 0;
+  return (operation) => {
+    const explicitName = operation.name?.value;
+    if (explicitName) {
+      let suffix = namedCounts.get(explicitName) ?? 0;
+      let candidate2 = suffix === 0 ? explicitName : `${explicitName}_${suffix}`;
+      while (usedNames.has(candidate2) || suffix > 0 && explicitNames.has(candidate2)) {
+        suffix++;
+        candidate2 = `${explicitName}_${suffix}`;
+      }
+      namedCounts.set(explicitName, suffix + 1);
+      usedNames.add(candidate2);
+      return candidate2;
+    }
+    anonymousCount++;
+    let candidate = anonymousCount === 1 ? "[anonymous]" : `[anonymous:${anonymousCount}]`;
+    while (usedNames.has(candidate) || explicitNames.has(candidate)) {
+      anonymousCount++;
+      candidate = `[anonymous:${anonymousCount}]`;
+    }
+    usedNames.add(candidate);
+    return candidate;
+  };
+}
+function setDepthResult(target, key, value) {
+  Object.defineProperty(target, key, {
+    configurable: true,
+    enumerable: true,
+    value,
+    writable: true
+  });
+}
+
+// src/depth-limit.ts
 function depthLimit(maxDepth, options, callback) {
   if (!Number.isInteger(maxDepth) || maxDepth < 0) {
     throw new Error(`Invalid maxDepth: ${maxDepth}. Must be a non-negative integer.`);
@@ -367,11 +561,6 @@ function depthLimit(maxDepth, options, callback) {
   const normalized = normalizeDepthLimitArgs(options, callback);
   return createValidationRule(maxDepth, normalized.options, normalized.callback);
 }
-function assertBooleanOption(name, value) {
-  if (value !== void 0 && typeof value !== "boolean") {
-    throw new TypeError(`Invalid ${name}: expected boolean, received ${typeof value}.`);
-  }
-}
 function createValidationRule(maxDepth, options, callback) {
   const shortCircuit = options?.shortCircuit ?? callback == null;
   return function depthLimitValidationRule(context) {
@@ -453,114 +642,10 @@ function createValidationRule(maxDepth, options, callback) {
     return {};
   };
 }
-function isIgnoreRule(rule) {
-  return typeof rule === "function" || rule instanceof RegExp || typeof rule === "string";
-}
-function normalizeDepthLimitArgs(options, callback) {
-  if (callback !== void 0 && typeof callback !== "function") {
-    throw new TypeError("Invalid callback: expected a function.");
-  }
-  if (typeof options === "function") {
-    if (callback) {
-      throw new TypeError("Invalid depthLimit arguments: callback provided twice.");
-    }
-    return { callback: options, options: void 0 };
-  }
-  if (options !== void 0 && (options === null || typeof options !== "object" || Array.isArray(options))) {
-    const receivedType = Array.isArray(options) ? "array" : options === null ? "null" : typeof options;
-    throw new TypeError(`Invalid options: expected an object, received ${receivedType}.`);
-  }
-  return {
-    callback,
-    options: options ? normalizeDepthLimitOptions(options) : void 0
-  };
-}
-function normalizeDepthLimitOptions(options) {
-  assertBooleanOption("caseInsensitiveIgnore", options.caseInsensitiveIgnore);
-  if (options.directiveMode !== void 0 && !DIRECTIVE_MODES.has(options.directiveMode)) {
-    throw new TypeError(
-      `Invalid directiveMode: "${options.directiveMode}". Must be "cap" or "override".`
-    );
-  }
-  if (options.ignoreIntrospection !== void 0 && !INTROSPECTION_MODES.has(options.ignoreIntrospection)) {
-    throw new TypeError(
-      `Invalid ignoreIntrospection: "${options.ignoreIntrospection}". Must be "all", "none", or "typename".`
-    );
-  }
-  if (options.ignoreMode !== void 0 && !IGNORE_MODES.has(options.ignoreMode)) {
-    throw new TypeError(
-      `Invalid ignoreMode: "${options.ignoreMode}". Must be "exclude" or "skip".`
-    );
-  }
-  assertBooleanOption("limitIgnoredRecursion", options.limitIgnoredRecursion);
-  assertBooleanOption("shortCircuit", options.shortCircuit);
-  assertBooleanOption("useDirective", options.useDirective);
-  const ignore = normalizeIgnoreRules(options.ignore);
-  return { ...options, ignore };
-}
-function normalizeIgnoreRules(ignore) {
-  if (ignore == null) {
-    return void 0;
-  }
-  const rules = Array.isArray(ignore) ? ignore : [ignore];
-  for (const [index, rule] of rules.entries()) {
-    if (!isIgnoreRule(rule)) {
-      const receivedType = Array.isArray(rule) ? "array" : rule === null ? "null" : typeof rule;
-      throw new TypeError(
-        `Invalid ignore rule at index ${index}: expected string, RegExp, or function, received ${receivedType}.`
-      );
-    }
-  }
-  return rules;
-}
-function createDepthResultRecord() {
-  return /* @__PURE__ */ Object.create(null);
-}
-function createOperationNameAllocator(operations) {
-  const explicitNames = /* @__PURE__ */ new Set();
-  for (const operation of operations) {
-    if (operation.name?.value) {
-      explicitNames.add(operation.name.value);
-    }
-  }
-  const usedNames = /* @__PURE__ */ new Set();
-  const namedCounts = /* @__PURE__ */ new Map();
-  let anonymousCount = 0;
-  return (operation) => {
-    const explicitName = operation.name?.value;
-    if (explicitName) {
-      let suffix2 = namedCounts.get(explicitName) ?? 0;
-      let candidate2 = suffix2 === 0 ? explicitName : `${explicitName}_${suffix2}`;
-      while (usedNames.has(candidate2) || suffix2 > 0 && explicitNames.has(candidate2)) {
-        suffix2++;
-        candidate2 = `${explicitName}_${suffix2}`;
-      }
-      namedCounts.set(explicitName, suffix2 + 1);
-      usedNames.add(candidate2);
-      return candidate2;
-    }
-    let suffix = anonymousCount;
-    let candidate = suffix === 0 ? "anonymous" : `anonymous_${suffix}`;
-    while (usedNames.has(candidate) || explicitNames.has(candidate)) {
-      suffix++;
-      candidate = `anonymous_${suffix}`;
-    }
-    anonymousCount = suffix + 1;
-    usedNames.add(candidate);
-    return candidate;
-  };
-}
-function setDepthResult(target, key, value) {
-  Object.defineProperty(target, key, {
-    configurable: true,
-    enumerable: true,
-    value,
-    writable: true
-  });
-}
 export {
   ERROR_CODES,
   depthDirectiveTypeDefs,
-  depthLimit
+  depthLimit,
+  isUnsafeRegExp
 };
 //# sourceMappingURL=index.js.map