Resource exhaustion when handling of crafted queries

[mrtc0]

What happened?

When a crafted query is received, it significantly exhausts computing resources like the CPU, which negatively impacts response time.

What did you expect?

I expected return an error immediately.

Minimal graphql.schema and models to reproduce

$ go run github.com/99designs/gqlgen init
$ go run server.go

$ PAYLOAD=$(python3 -c "print('%s' % ('id ' * 5000))")
$ time curl \
--data-raw "{\"query\":\"query Todo {  todos { $PAYLOAD } }\"}" \
--header 'Content-Type: application/json' \
--include \
--request POST \
http://localhost:8080/query

This query takes approximately 2.5 seconds to process. If the number of id is increased to 10000, the processing time increases to about 8 seconds.
The attached frame graph illustrates the system's response when the id is increased to 100000.
The validator.Validate function takes so long, that it appears unlikely to be mitigated by either the Complexity Extension or our custom Extension.

Any ideas or suggestions on how to mitigate this would be helpful.

versions

• go run github.com/99designs/gqlgen version? ... v0.17.43
• go version? ... go version go1.21.3 darwin/arm64