feat(execution): add max coercion errors option to execution context (#4366)

This PR add `executionOptions` property to the `ExecutionArgs`.
Currently only one option can be configured, as is the one I need, but I
have built an object so it can easily be extended in the future.

The property allows the configuration of the maximum number of errors
(`maxErrors`) for coercion. This allows the current hardcoded limit
(`50`) to be reduced to a small number to avoid possible DoS attacks.

> Also, it updates the execution docs to reflect this new change. I
think the documentation was outdated since functions were using
positional arguments and now they only accept an object.

No longer updates the docs.

Author: cristunaranjo

src/execution/__tests__/executor-test.ts

@@ -11,6 +11,7 @@ import { Kind } from '../../language/kinds';
 import { parse } from '../../language/parser';
 
 import {
+  GraphQLInputObjectType,
   GraphQLInterfaceType,
   GraphQLList,
   GraphQLNonNull,
@@ -1320,4 +1321,74 @@ describe('Execute: Handles basic execution tasks', () => {
     expect(result).to.deep.equal({ data: { foo: { bar: 'bar' } } });
     expect(possibleTypes).to.deep.equal([fooObject]);
   });
+
+  it('uses a different number of max coercion errors', () => {
+    const schema = new GraphQLSchema({
+      query: new GraphQLObjectType({
+        name: 'Query',
+        fields: {
+          dummy: { type: GraphQLString },
+        },
+      }),
+      mutation: new GraphQLObjectType({
+        name: 'Mutation',
+        fields: {
+          updateUser: {
+            type: GraphQLString,
+            args: {
+              data: {
+                type: new GraphQLInputObjectType({
+                  name: 'User',
+                  fields: {
+                    email: { type: new GraphQLNonNull(GraphQLString) },
+                  },
+                }),
+              },
+            },
+          },
+        },
+      }),
+    });
+
+    const document = parse(`
+      mutation ($data: User) {
+        updateUser(data: $data)
+      }
+    `);
+
+    const options = {
+      maxCoercionErrors: 1,
+    };
+
+    const result = executeSync({
+      schema,
+      document,
+      variableValues: {
+        data: {
+          email: '',
+          wrongArg: 'wrong',
+          wrongArg2: 'wrong',
+          wrongArg3: 'wrong',
+        },
+      },
+      options,
+    });
+
+    // Returns at least 2 errors, one for the first 'wrongArg', and one for coercion limit
+    expect(result.errors).to.have.lengthOf(options.maxCoercionErrors + 1);
+
+    expectJSON(result).toDeepEqual({
+      errors: [
+        {
+          message:
+            'Variable "$data" got invalid value { email: "", wrongArg: "wrong", wrongArg2: "wrong", wrongArg3: "wrong" }; Field "wrongArg" is not defined by type "User".',
+          locations: [{ line: 2, column: 17 }],
+        },
+        {
+          message:
+            'Too many errors processing variables, error limit reached. Execution aborted.',
+        },
+      ],
+    });
+  });
 });

src/execution/execute.ts

@@ -152,6 +152,11 @@ export interface ExecutionArgs {
   fieldResolver?: Maybe<GraphQLFieldResolver<any, any>>;
   typeResolver?: Maybe<GraphQLTypeResolver<any, any>>;
   subscribeFieldResolver?: Maybe<GraphQLFieldResolver<any, any>>;
+  /** Additional execution options. */
+  options?: {
+    /** Set the maximum number of errors allowed for coercing (defaults to 50). */
+    maxCoercionErrors?: number;
+  };
 }
 
 /**
@@ -286,6 +291,7 @@ export function buildExecutionContext(
     fieldResolver,
     typeResolver,
     subscribeFieldResolver,
+    options,
   } = args;
 
   let operation: OperationDefinitionNode | undefined;
@@ -329,7 +335,7 @@ export function buildExecutionContext(
     schema,
     variableDefinitions,
     rawVariableValues ?? {},
-    { maxErrors: 50 },
+    { maxErrors: options?.maxCoercionErrors ?? 50 },
   );
 
   if (coercedVariableValues.errors) {