From cffbaf66b32a6856b26fb0cab656a2393e4cf22e Mon Sep 17 00:00:00 2001
From: Egor fureunoir Gorbunov
Date: Mon, 2 Mar 2026 00:45:42 +0300
Subject: [PATCH] feat(graphql): make max query depth configurable with environment variable
allow setting `GRAPHQL_MAX_QUERY_DEPTH` via environment variable to provide flexibility in limiting query depth and preventing DoS attacks. Defaults to 13 if not set.
---
 schon/graphql_validators.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/schon/graphql_validators.py b/schon/graphql_validators.py
index 6761d700..30a41ed7 100644
--- schon/graphql_validators.py
+++ schon/graphql_validators.py
@@ -1,3 +1,5 @@
+from os import getenv
+
 from graphql import GraphQLError
 from graphql.language.ast import (
 FieldNode,
@@ -8,7 +10,7 @@ from graphql.language.ast import (
 )
 from graphql.validation import ValidationRule
-MAX_QUERY_DEPTH = 8
+MAX_QUERY_DEPTH = getenv("GRAPHQL_MAX_QUERY_DEPTH", 13)
 def _max_field_depth(node, fragments, depth=0):
@@ -36,7 +38,7 @@ def _selection_depth(node, fragments, depth):
 class QueryDepthLimitRule(ValidationRule):
- """Prevents DoS via deeply nested GraphQL queries (max depth: 8)."""
+ """Prevents DoS via deeply nested GraphQL queries (max depth: 13)."""
 def enter_document(self, node, *_args):
 fragments = {
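Review bot: `getenv("GRAPHQL_MAX_QUERY_DEPTH", 13)` returns a `str` whenever the variable is set, so `MAX_QUERY_DEPTH` is an int only in the unset case. The code that compares the measured depth against it lies outside this hunk, but if it is an ordinary `depth > MAX_QUERY_DEPTH` it would raise `TypeError` as soon as an operator configures the value, and the depth limit would then either fail every request or not be enforced, depending on how the validation layer handles the exception. Parse and bound the value once at import so a bad setting stops startup instead of weakening the control: `MAX_QUERY_DEPTH = int(getenv("GRAPHQL_MAX_QUERY_DEPTH", "13"))` followed by `if MAX_QUERY_DEPTH < 1: raise ValueError("GRAPHQL_MAX_QUERY_DEPTH must be a positive integer")`. The default also moves from 8 to 13 in the same line, which loosens the limit for every deployment that does not set the variable; a comment stating why 13 is needed would help the next reviewer.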
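Review bot: The `QueryDepthLimitRule` docstring still hard-codes a number (`max depth: 13`), which is wrong as soon as `GRAPHQL_MAX_QUERY_DEPTH` is set to anything else. Name the setting instead of the value, for example `"""Prevents DoS via deeply nested GraphQL queries (limit: MAX_QUERY_DEPTH, from GRAPHQL_MAX_QUERY_DEPTH, default 13)."""`. The class body continues outside the hunk.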