fix: enforce parser limits

[devsergiy]

Summary by CodeRabbit

• New Features

  • Introduced configurable parser hard limits for GraphQL queries, including maximum query depth and total fields count.
  • Added new configuration options for parser hard limits in YAML and JSON configuration files, along with schema documentation.
  • Enforced parser hard limits and query complexity validation during request processing, including for persisted and WebSocket queries.

• Bug Fixes

  • Improved error handling for queries exceeding parser hard limits or complexity constraints.

• Tests

  • Added integration tests verifying enforcement of parser hard limits and correct error responses for violating queries.

• Chores

  • Updated several dependencies to newer versions.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

"""

Walkthrough

This change introduces parser hard limits for GraphQL queries in the router, including configuration, schema, and test updates. It adds enforcement of approximate depth and total fields limits during parsing, updates the operation processor to centrally manage these limits, and adjusts complexity validation logic and its invocation order. Related configuration files and tests are updated accordingly.

Changes

Files / File Groups	Change Summary
router-tests/go.mod, router/go.mod	Updated dependencies, including github.com/wundergraph/graphql-go-tools/v2 and other modules to newer versions.
router/pkg/config/config.go, router/pkg/config/config.schema.json	Added ParserLimits configuration struct and schema, introducing ApproximateDepthLimit and TotalFieldsLimit fields.
router/pkg/config/testdata/config_defaults.json, router/pkg/config/testdata/config_full.json	Added ParserLimits section with default and full values under SecurityConfiguration in test configuration JSONs.
router/core/operation_processor.go	Centralized and enforced parser hard limits and complexity limits in operation processing; refactored related method signatures.
router/core/graph_server.go	Passed new parser and complexity limits from configuration to the operation processor.
router/core/graphql_prehandler.go	Moved and refactored query complexity validation to occur earlier in the operation handling sequence.
router/core/cache_warmup.go	Removed query complexity validation from cache warmup planning, clarified with a comment.
router/core/websocket.go	Added query complexity validation before main validation in WebSocket operation handling.
router-tests/security_test.go	Added integration tests for parser hard limits, covering depth and total fields constraints.

Estimated code review effort

4 (~70 minutes)

Possibly related PRs

• fix: go.mod references to security merge commit #2048: Updates dependency versions in router-tests/go.mod, including modules also updated in this PR, indicating a related scope focused on dependency management for router tests.
  """

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b20bd36 and 0e61cf3.

📒 Files selected for processing (1)

• router/core/operation_processor.go (7 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• router/core/operation_processor.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: image_scan
• GitHub Check: build_push_image
• GitHub Check: build_push_image (nonroot)
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build-router
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/eng-7607

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-b939b6b11da84fbbc49759684ebf0b1f7bed9e0a

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ea47c38 and 1d7f32d.

⛔ Files ignored due to path filters (2)

• router-tests/go.sum is excluded by !**/*.sum
• router/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• router-tests/go.mod (1 hunks)
• router-tests/security_test.go (1 hunks)
• router/core/cache_warmup.go (1 hunks)
• router/core/graph_server.go (1 hunks)
• router/core/graphql_prehandler.go (1 hunks)
• router/core/operation_processor.go (7 hunks)
• router/core/websocket.go (1 hunks)
• router/go.mod (1 hunks)
• router/pkg/config/config.go (1 hunks)
• router/pkg/config/config.schema.json (1 hunks)
• router/pkg/config/testdata/config_defaults.json (1 hunks)
• router/pkg/config/testdata/config_full.json (1 hunks)

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: wundergraph/cosmo#1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router-tests/go.mod (1)

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/pkg/config/testdata/config_defaults.json (3)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

router/core/graph_server.go (1)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

router/pkg/config/config.go (2)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router-tests/security_test.go (1)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

router/pkg/config/config.schema.json (3)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: #1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

router/core/operation_processor.go (1)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

router/pkg/config/testdata/config_full.json (3)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: #2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.833Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: #1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: build-router
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: image_scan
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_push_image (nonroot)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build_test
• GitHub Check: Analyze (go)

🔇 Additional comments (15)

router/go.mod (1)

34-34: LGTM! Dependency update supports new parser hard limits feature.

The version bump from rc.207 to rc.208 of github.com/wundergraph/graphql-go-tools/v2 is consistent with the PR objective to introduce parser hard limits and complexity validation features.

router/core/websocket.go (1)

897-901: LGTM! Complexity validation correctly added to WebSocket flow.

The addition of operationKit.ValidateQueryComplexity() before the main validation step ensures WebSocket operations are subject to the same parser hard limits as HTTP operations. The error handling and early return pattern is consistent with the existing validation flow.

router-tests/go.mod (1)

26-29: LGTM! Test dependencies properly synchronized with router changes.

The dependency updates maintain consistency between the router and test suite:

• graphql-go-tools/v2 updated to rc.208 (matches router/go.mod)
• Cosmo modules updated to latest commits from July 21st

These updates ensure the test suite supports the new parser hard limits functionality.

router/pkg/config/testdata/config_defaults.json (1)

313-316: LGTM! Parser hard limits defaults are well-configured.

The new ParserHardLimits configuration provides sensible default values:

• ApproximateDepthLimit: 100 - reasonable depth protection
• ParserTotalFieldsLimit: 500 - appropriate field count limit

The placement within SecurityConfiguration is logical and consistent with the security-focused nature of these limits.

router/pkg/config/testdata/config_full.json (1)

660-663: LGTM! Full configuration correctly includes parser hard limits.

The ParserHardLimits configuration in the full config example is consistent with the defaults:

• ApproximateDepthLimit: 100
• ParserTotalFieldsLimit: 500

This provides a complete configuration reference for users while maintaining consistency with the default values.

router/core/graph_server.go (1)

1205-1209: LGTM! Proper integration of parser hard limits and complexity limits.

The addition of ParserHardLimits and ComplexityLimits fields to the OperationProcessor configuration correctly integrates the new security limits into the operation processing pipeline. The fields are appropriately sourced from the security configuration, maintaining proper separation of concerns.

router/core/cache_warmup.go (1)

308-309: Sound design decision to skip complexity validation for cache warmup.

The explanatory comment clearly justifies why query complexity validation is omitted for cache warmup operations. Since these queries originate from analytics data (previously executed and validated queries), re-validating them would be redundant and could slow down the warmup process. This aligns well with the centralized complexity validation approach implemented elsewhere in the router.

router/pkg/config/config.go (2)

411-414: LGTM! Well-structured parser limits configuration.

The new ParserHardLimitsConfiguration struct follows the established patterns in the codebase with appropriate YAML tags and reasonable default values. The field names clearly convey their purpose and the defaults (100 for depth, 500 for total fields) provide sensible starting points for GraphQL query parsing limits.

---

401-409: LGTM! Clean integration into security configuration.

The addition of ParserHardLimits to the SecurityConfiguration struct is well-placed alongside other security-related configurations like complexity limits and depth limits. The field follows the established naming conventions and integrates seamlessly with the existing security configuration structure.

router-tests/security_test.go (1)

13-112: LGTM! Well-structured integration tests for parser hard limits.

The test coverage is comprehensive, testing both approximate depth and total fields limits with appropriate assertions for error cases and success cases.

router/core/graphql_prehandler.go (1)

901-921: Well-structured refactoring of complexity validation placement.

The complexity validation has been appropriately moved earlier in the validation sequence and simplified to use internal state. The telemetry attributes and error handling remain intact.

router/core/operation_processor.go (4)

117-118: Configuration fields properly integrated.

The new parser hard limits and complexity limits configuration fields are correctly added to both the options and processor structs, with proper initialization in the constructor.

Also applies to: 132-133, 1248-1249

---

529-538: Parser limits properly enforced.

The parsing methods now correctly enforce the configured hard limits for approximate depth and total fields, with appropriate HTTP 400 error responses when limits are exceeded.

Also applies to: 766-775

---

1101-1130: Complexity validation refactored effectively.

The method signature has been simplified to use internal state, with a performance optimization that short-circuits when no limits are configured. The complexity calculation logic remains unchanged.

---

1101-1104: Verify the intended validation order.

The complexity validation now runs earlier in the validation pipeline. While this provides a fail-fast mechanism for resource-intensive operations, please confirm this order change aligns with the intended behavior, as it means complexity limits are checked before other operation validations.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

router/core/operation_processor.go (1)

1240-1241: Address past review feedback: Consider initializing parser limits once during parseKit creation.

Based on the past review comment about initializing "this just once when we create the parse kits," consider whether parserTokenizerLimits should be stored in parseKitOptions and initialized once per parseKit rather than accessing it from the processor each time during parsing.

This could improve performance by avoiding repeated field access during parsing operations. However, the current approach maintains flexibility if limits need to be changed dynamically.

 type parseKitOptions struct {
 	apolloCompatibilityFlags                         config.ApolloCompatibilityFlags
 	apolloRouterCompatibilityFlags                   config.ApolloRouterCompatibilityFlags
 	disableExposingVariablesContentOnValidationError bool
+	parserTokenizerLimits                            astparser.TokenizerLimits
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d7f32d and 8283537.

📒 Files selected for processing (7)

• router-tests/security_test.go (1 hunks)
• router/core/graph_server.go (3 hunks)
• router/core/operation_processor.go (7 hunks)
• router/pkg/config/config.go (1 hunks)
• router/pkg/config/config.schema.json (1 hunks)
• router/pkg/config/testdata/config_defaults.json (1 hunks)
• router/pkg/config/testdata/config_full.json (1 hunks)

🧠 Learnings (2)

📓 Common learnings

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: wundergraph/cosmo#1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/core/operation_processor.go (1)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

🚧 Files skipped from review as they are similar to previous changes (6)

• router/pkg/config/testdata/config_defaults.json
• router/pkg/config/config.go
• router/pkg/config/testdata/config_full.json
• router/core/graph_server.go
• router-tests/security_test.go
• router/pkg/config/config.schema.json

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

Learnt from: SkArchon
PR: wundergraph/cosmo#1929
File: router/internal/circuit/manager.go:16-25
Timestamp: 2025-06-30T20:39:02.387Z
Learning: In the Cosmo router project, parameter validation for circuit breaker configuration is handled at the JSON schema level rather than through runtime validation methods on structs. The config.schema.json file contains comprehensive validation constraints for circuit breaker parameters.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/config/config.schema.json:1637-1644
Timestamp: 2025-07-21T15:06:36.664Z
Learning: In the Cosmo router project, when extending JSON schema validation for security-sensitive fields like JWKS secrets, backwards compatibility is maintained by implementing warnings in the Go code rather than hard validation constraints in the schema. This allows existing configurations to continue working while alerting users to potential security issues.

router/core/operation_processor.go (1)

Learnt from: endigma
PR: #2009
File: router/pkg/config/config.go:0-0
Timestamp: 2025-07-03T10:33:25.778Z
Learning: The CardinalityLimit field in the Metrics struct (router/pkg/config/config.go) is validated at the JSON schema level in config.schema.json with a minimum value constraint of 1, preventing zero or negative values without requiring runtime validation.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: build-router
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: build_push_image (nonroot)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (7)

router/core/operation_processor.go (7)

117-118: LGTM: New configuration fields properly added.

The addition of ComplexityLimits and ParserTokenizerLimits fields to OperationProcessorOptions enables centralized configuration of parser limits, which aligns with the PR objective of enforcing parser hard limits.

---

132-133: LGTM: Processor fields correctly added for limit enforcement.

The new fields in OperationProcessor provide centralized storage for the parser limits, enabling consistent enforcement across all operations processed by this instance.

---

529-534: Proper error handling for parser limits enforcement.

The switch to ParseWithLimits correctly enforces the tokenizer limits and returns HTTP 400 Bad Request for parsing errors, which is appropriate for malformed or oversized queries that exceed the configured limits.

---

762-767: Consistent parser limits application in operation document parsing.

The setAndParseOperationDoc method correctly applies the same parser limits and error handling as the main Parse method, ensuring consistent enforcement across all parsing paths.

---

1093-1096: Excellent refactoring: Simplified method signature with early return optimization.

The refactored ValidateQueryComplexity method signature removes external parameters and uses the stored complexityLimits from the processor. The early return when no limits are configured (line 1094-1096) is an efficient optimization that avoids unnecessary complexity calculations.

---

1105-1105: LGTM: Complexity calculation using processor's client schema.

The complexity calculation correctly uses o.operationProcessor.executor.ClientSchema, maintaining consistency with other validation operations in the codebase.

---

1122-1122: LGTM: Consistent complexity validation for cache misses.

The complexity validation call correctly uses the processor's stored limits and maintains the same logic flow as the cached path.