Add comparison budget to OverlappingFieldsCanBeMerged

Inline fragments bypass the named-fragment PairSet cache because they
have no name — they are flattened directly into the parent field map.
This allows O(n^2 × m^2) pairwise comparisons, consuming minutes of
CPU for a sub-megabyte query.

Add a configurable comparison counter in findConflict() that caps
worst-case CPU. Defaults to 100,000 comparisons, well above any
realistic query.

🤖 Generated with Claude Code

Author: spawnia

src/Validator/Rules/OverlappingFieldsCanBeMerged.php

@@ -33,6 +33,8 @@
  */
 class OverlappingFieldsCanBeMerged extends ValidationRule
 {
+    public const DEFAULT_MAX_COMPARISON_COUNT = 100_000;
+
     /**
      * A memoization for when two fragments are compared "between" each other for
      * conflicts. Two fragments may be compared many times, so memoizing this can
@@ -49,10 +51,20 @@ class OverlappingFieldsCanBeMerged extends ValidationRule
      */
     protected \SplObjectStorage $cachedFieldsAndFragmentNames;
 
+    protected int $comparisonCount;
+
+    protected int $comparisonLimit;
+
+    public function __construct(int $comparisonLimit = self::DEFAULT_MAX_COMPARISON_COUNT)
+    {
+        $this->comparisonLimit = $comparisonLimit;
+    }
+
     public function getVisitor(QueryValidationContext $context): array
     {
         $this->comparedFragmentPairs = new PairSet();
         $this->cachedFieldsAndFragmentNames = new \SplObjectStorage();
+        $this->comparisonCount = 0;
 
         return [
             NodeKind::SELECTION_SET => function (SelectionSetNode $selectionSet) use ($context): void {
@@ -399,6 +411,14 @@ protected function findConflict(
         array $field1,
         array $field2
     ): ?array {
+        if (++$this->comparisonCount > $this->comparisonLimit) {
+            return [
+                [$responseName, 'Too many field comparisons, query is too complex to validate'],
+                [$field1[1]],
+                [$field2[1]],
+            ];
+        }
+
         [$parentType1, $ast1, $def1] = $field1;
         [$parentType2, $ast2, $def2] = $field2;
 

tests/Validator/OverlappingFieldsCanBeMergedTest.php

@@ -10,6 +10,7 @@
 use GraphQL\Type\Definition\ObjectType;
 use GraphQL\Type\Definition\Type;
 use GraphQL\Type\Schema;
+use GraphQL\Utils\BuildSchema;
 use GraphQL\Validator\DocumentValidator;
 use GraphQL\Validator\Rules\OverlappingFieldsCanBeMerged;
 
@@ -1274,6 +1275,24 @@ public function testManyRepeatedFieldsWithConflictStillDetected(): void
         );
     }
 
+    public function testInlineFragmentsDontCauseQuadraticBlowup(): void
+    {
+        $schema = BuildSchema::build('type Query { field: Node }  type Node { f: Node, g: Node, x: String }');
+
+        $innerFragments = implode(' ', array_fill(0, 100, '... on Node { x }'));
+        $outerFragments = implode(' ', array_fill(0, 100, "... on Node { f { {$innerFragments} } }"));
+        $query = "{ field { {$outerFragments} } }";
+
+        $rule = new OverlappingFieldsCanBeMerged();
+        $errors = DocumentValidator::validate($schema, Parser::parse($query), [$rule]);
+
+        self::assertNotEmpty($errors);
+        self::assertStringContainsString(
+            'Too many field comparisons',
+            $errors[0]->getMessage(),
+        );
+    }
+
     /** @see it('find invalid case even with immediately recursive fragment') */
     public function testFindInvalidCaseEvenWithImmediatelyRecursiveFragment(): void
     {