This issue is automatically created based on existing pull request: #40742: [Bug] GraphQL SearchCriteriaValidator not loaded — removed by module-graph-ql di.xml array override
Preconditions
- Magento 2.4.7-p9 (magento/module-graph-ql 100.4.7-p9)
- Any GraphQL query with pageSize or currentPage arguments
Steps to reproduce
- Execute any GraphQL query with pageSize exceeding the configured limit, e.g.:
{
  products(search: "test", pageSize: 999) {
    items {
      sku
    }
  }
}
Expected result
GraphQL returns a validation error:
{
  "data": {
    "products": null
  },
  "errors": [
    {
      "message": "Maximum pageSize is 10",
      "path": [
        "products"
      ],
      "locations": [
        {
          "line": 2,
          "column": 5
        }
      ],
      "extensions": {
        "category": "graphql-input"
      }
    }
  ]
}
(Maximum pageSize is X — where X is the configured maxPageSize value, default 300)
Actual result
Query executes without validation. pageSize: 999 is accepted silently. No error is returned.
Root cause
SearchCriteriaValidator (which enforces maxPageSize: 300) is registered
in magento2-base/app/etc/di.xml (primary config):
<!-- magento2-base/app/etc/di.xml -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
        </argument>
    </arguments>
</type>
module-graph-ql/etc/di.xml (module config) also defines validators for the
same type, but only with backpressureValidator:
<!-- module-graph-ql/etc/di.xml -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="backpressureValidator" xsi:type="object">
                Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
            </item>
        </argument>
    </arguments>
</type>
Module-level DI configuration has higher priority than primary config.
When module config defines the same xsi:type="array" argument, it replaces
the primary config's array — it does not merge items. As a result,
searchCriteriaValidator is silently dropped.
Verification at runtime:
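// Run inside a bootstrapped Magento application (GraphQL area).
$objectManager = \Magento\Framework\App\ObjectManager::getInstance();
$validator = $objectManager->get(
    \Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator::class
);
// Read the injected validators array through reflection.
$ref = new ReflectionClass($validator);
$prop = $ref->getProperty('validators');
$prop->setAccessible(true);
var_dump(array_keys($prop->getValue($validator)));
// Output: ['backpressureValidator']
// Expected: ['searchCriteriaValidator', 'backpressureValidator']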
Proposed fix
Move searchCriteriaValidator registration from magento2-base/app/etc/di.xml
to module-graph-ql/etc/di.xml. Both validators should live at module level
so that future validators added by third-party modules can safely merge via
xsi:type="array".
module-graph-ql/etc/di.xml — after fix
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
            <item name="backpressureValidator" xsi:type="object">
                Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
            </item>
        </argument>
    </arguments>
</type>
magento2-base/app/etc/di.xml — remove this block
<!-- REMOVE: -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
        </argument>
    </arguments>
</type>
Temporary workaround (composer patch)
Until the upstream fix is merged, apply a patch via cweagans/composer-patches.
1. composer.json
"extra": {
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/module-graph-ql": {
            "Fix search criteria composite validator": "patches/magento/module-graph-ql/fix-search-validator.diff"
        }
    }
}
2. patches/magento/module-graph-ql/fix-search-validator.diff
Index: etc/di.xml
===================================================================
--- a/etc/di.xml
+++ b/etc/di.xml
@@ -107,6 +107,7 @@
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
<arguments>
<argument name="validators" xsi:type="array">
+ <item name="searchCriteriaValidator" xsi:type="object">Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator</item>
<item name="backpressureValidator" xsi:type="object">
Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
</item>
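Review bot: the added searchCriteriaValidator item keeps its class name inline on one line, while the backpressureValidator item directly below it wraps the class name onto its own line; format the new item the same way so the validators array stays consistent. The diff also only touches the module's etc/di.xml, so the searchCriteriaValidator registration in app/etc/di.xml that the proposed fix removes is left in place; state in the patch description whether that duplicate is intentional for the workaround.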
3. Apply
composer require cweagans/composer-patches --no-update
composer update magento/module-graph-ql
# or simply:
composer install
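A static check for the patched file, added here as an example and not part of the issue or of Magento's code: it parses a di.xml and reports which of the two validators named in the expected output above are missing from the CompositeValidator validators array. The function names, REQUIRED, sample_di and the sample documents are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = "Magento\\Framework\\GraphQl\\Query\\Resolver\\Argument\\Validator\\"
COMPOSITE = NS + "CompositeValidator"
SEARCH = NS + "SearchCriteriaValidator"
BACKPRESSURE = "Magento\\GraphQl\\Model\\Backpressure\\BackpressureFieldValidator"
# Assumption: the item names the issue lists as the expected runtime result.
REQUIRED = {"searchCriteriaValidator", "backpressureValidator"}


def validators_declared(di_xml):
    """Return {item name: class} from the CompositeValidator 'validators' array."""
    found = {}
    for type_el in ET.fromstring(di_xml).iter("type"):
        if type_el.get("name") != COMPOSITE:
            continue
        for arg in type_el.findall("./arguments/argument"):
            is_array = arg.get("{%s}type" % XSI) == "array"
            if arg.get("name") == "validators" and is_array:
                for item in arg.findall("item"):
                    # Class names may be wrapped onto their own line in di.xml.
                    found[item.get("name")] = (item.text or "").strip()
    return found


def missing_validators(di_xml):
    """Required validators absent from a file that declares the array."""
    declared = validators_declared(di_xml)
    if not declared:  # no declaration here, so this file overrides nothing
        return []
    return sorted(REQUIRED - set(declared))


def sample_di(items):
    """Build a constructed di.xml around the <type> block shown in the issue."""
    body = "".join(
        '<item name="%s" xsi:type="object">\n%s\n</item>' % pair
        for pair in items.items()
    )
    return (
        '<config xmlns:xsi="%s"><type name="%s"><arguments>'
        '<argument name="validators" xsi:type="array">%s</argument>'
        "</arguments></type></config>" % (XSI, COMPOSITE, body)
    )


# Constructed inputs: module-graph-ql/etc/di.xml before and after the fix.
MODULE_BEFORE = sample_di({"backpressureValidator": BACKPRESSURE})
MODULE_AFTER = sample_di({"searchCriteriaValidator": SEARCH, "backpressureValidator": BACKPRESSURE})

if __name__ == "__main__":
    print("before:", missing_validators(MODULE_BEFORE))
    print("after: ", missing_validators(MODULE_AFTER))
```

Feeding it the contents of vendor/magento/module-graph-ql/etc/di.xml after composer install confirms the patch was applied; the runtime reflection check above remains the authoritative test of what the object manager injects.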
Affected repositories
magento/magento2 — app/etc/di.xml (magento2-base)
magento/module-graph-ql — etc/di.xml
Affected versions
All versions of magento/module-graph-ql that introduced backpressureValidator
(i.e. all versions that define CompositeValidator type in their etc/di.xml).