Add tests for tooBigOperation good faith introspection path

andimarek · claude · andimarek · commit deb35beccc66 · 2026-03-23T08:51:33.000+10:00
The refactored GoodFaithIntrospection validation had uncovered code paths
for queries that exceed complexity limits (field count or depth) without
triggering the tooManyFields cycle check. These tests exercise:
- Wide introspection query exceeding field count limit (&gt;500 fields)
- Deep introspection query exceeding depth limit (&gt;20 levels via ofType)
- Custom user limits combined with good faith limits

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/test/groovy/graphql/introspection/GoodFaithIntrospectionTest.groovy b/src/test/groovy/graphql/introspection/GoodFaithIntrospectionTest.groovy
@@ -6,6 +6,7 @@ import graphql.TestUtil
 import graphql.execution.CoercedVariables
 import graphql.language.Document
 import graphql.normalized.ExecutableNormalizedOperationFactory
+import graphql.validation.QueryComplexityLimits
 import spock.lang.Specification
 
 class GoodFaithIntrospectionTest extends Specification {
@@ -188,6 +189,77 @@ class GoodFaithIntrospectionTest extends Specification {
         100 | GoodFaithIntrospection.BadFaithIntrospectionError.class
     }
 
+    def "good faith limits are applied on top of custom user limits"() {
+        given:
+        def limits = QueryComplexityLimits.newLimits().maxFieldsCount(200).maxDepth(15).build()
+        def executionInput = ExecutionInput.newExecutionInput(IntrospectionQuery.INTROSPECTION_QUERY)
+                .graphQLContext([(QueryComplexityLimits.KEY): limits])
+                .build()
+
+        when:
+        ExecutionResult er = graphql.execute(executionInput)
+
+        then:
+        er.errors.isEmpty()
+    }
+
+    def "containsIntrospectionFields handles operation with no selection set"() {
+        given:
+        def op = graphql.language.OperationDefinition.newOperationDefinition()
+                .name("empty")
+                .operation(graphql.language.OperationDefinition.Operation.QUERY)
+                .build()
+        def doc = Document.newDocument().definition(op).build()
+
+        expect:
+        !GoodFaithIntrospection.containsIntrospectionFields(doc)
+    }
+
+    def "introspection query exceeding field count limit is detected as bad faith"() {
+        given:
+        // Build a wide introspection query that exceeds GOOD_FAITH_MAX_FIELDS_COUNT (500)
+        // using non-cycle-forming fields (aliases of 'name') so the tooManyFields check
+        // does not fire first, exercising the tooBigOperation code path instead
+        def sb = new StringBuilder()
+        sb.append("query { __schema { types { ")
+        for (int i = 0; i < 510; i++) {
+            sb.append("a${i}: name ")
+        }
+        sb.append("} } }")
+
+        when:
+        ExecutionResult er = graphql.execute(sb.toString())
+
+        then:
+        !er.errors.isEmpty()
+        er.errors[0] instanceof GoodFaithIntrospection.BadFaithIntrospectionError
+        er.errors[0].message.contains("too big")
+    }
+
+    def "introspection query exceeding depth limit is detected as bad faith"() {
+        given:
+        // Build a deep introspection query using ofType (not a cycle-forming field)
+        // that exceeds GOOD_FAITH_MAX_DEPTH_COUNT (20)
+        def sb = new StringBuilder()
+        sb.append("query { __schema { types { ")
+        for (int i = 0; i < 20; i++) {
+            sb.append("ofType { ")
+        }
+        sb.append("name ")
+        for (int i = 0; i < 20; i++) {
+            sb.append("} ")
+        }
+        sb.append("} } }")
+
+        when:
+        ExecutionResult er = graphql.execute(sb.toString())
+
+        then:
+        !er.errors.isEmpty()
+        er.errors[0] instanceof GoodFaithIntrospection.BadFaithIntrospectionError
+        er.errors[0].message.contains("too big")
+    }
+
     String createDeepQuery(int depth = 25) {
         def result = """
 query test {
