Add depth limit to GraphQL parser #9519

Merged
michaelstaib merged 5 commits into main from mst/parser-limit-opt
Apr 10, 2026

@michaelstaib
Member

No description provided.

Copilot AI review requested due to automatic review settings April 9, 2026 18:26
Contributor

Copilot AI left a comment

Pull request overview

This PR adds a configurable recursion depth limit to the HotChocolate UTF-8 GraphQL parser to prevent stack overflows from deeply nested documents.

Changes:

  • Introduces MaxAllowedRecursionDepth (default: 200) on ParserOptions and threads it through core + fusion request parsing options.
  • Enforces recursion depth tracking in the UTF-8 parser for selection sets, value literals, and type references, throwing a SyntaxException when exceeded.
  • Adds test coverage for default/custom depth limits and several nesting “vectors” (selection sets, object/list values, list types).

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/HotChocolate/Language/test/Language.Tests/Parser/QueryParserTests.cs | Adds unit tests for default/custom recursion depth behavior and error messages. |
| src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLParser.Values.cs | Tracks recursion depth when parsing value literals (object/list nesting, etc.). |
| src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLParser.Utilities.cs | Adds IncreaseDepth / DecreaseDepth helpers and throws when limit is exceeded. |
| src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLParser.Types.cs | Tracks recursion depth when parsing type references (nested list / non-null types). |
| src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLParser.Operations.cs | Tracks recursion depth when parsing selection sets (nested field selections). |
| src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLParser.cs | Stores max depth from options and resets recursion depth per Parse() call. |
| src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.resx | Adds localized resource text for the max recursion depth error message. |
| src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.Designer.cs | Adds the strongly-typed resource accessor for the new message. |
| src/HotChocolate/Language/src/Language.Utf8/ParserOptions.cs | Adds MaxAllowedRecursionDepth to parser options (default 200). |
| src/HotChocolate/Fusion/src/Fusion.Execution/Execution/FusionRequestExecutorManager.cs | Passes fusion max recursion depth through to ParserOptions. |
| src/HotChocolate/Fusion/src/Fusion.Execution/Execution/FusionParserOptions.cs | Exposes MaxAllowedRecursionDepth on fusion parser options. |
| src/HotChocolate/Core/src/Types/Execution/Options/RequestParserOptions.cs | Exposes MaxAllowedRecursionDepth on core request parser options + doc updates. |
| src/HotChocolate/Core/src/Types/Execution/DependencyInjection/RequestExecutorServiceCollectionExtensions.cs | Passes core max recursion depth through to ParserOptions. |
Files not reviewed (1)
  • src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.Designer.cs: Language not supported

Comment thread src/HotChocolate/Language/src/Language.Utf8/ParserOptions.cs
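
The depth check described in the review above, as an added example that is not HotChocolate's code: a toy recursive-descent parser for nested selection sets only, where `ToyParser`, `ParseOrReject` and `Nest` are hypothetical names and `FormatException` stands in for the parser's `SyntaxException`. The counter matters in .NET because a `StackOverflowException` cannot be caught and ends the process, whereas the limit turns runaway nesting into an ordinary parse error.

```csharp
using System;
using System.Linq;

// Constructed inputs: nested selection sets such as "{ a { a { a }}}".
string Nest(int levels) =>
    string.Concat(Enumerable.Repeat("{ a ", levels)) + new string('}', levels);
Console.WriteLine(ToyParser.ParseOrReject(Nest(5), limit: 200));
Console.WriteLine(ToyParser.ParseOrReject(Nest(100_000), limit: 200));

sealed class ToyParser(string text, int maxDepth) // primary constructor, C# 12
{
    private int _pos, _depth; // fresh for every instance, so every parse starts at depth zero

    public static string ParseOrReject(string input, int limit)
    {
        try { new ToyParser(input, limit).SelectionSet(); return "ok"; }
        catch (FormatException ex) { return "rejected: " + ex.Message; }
    }

    private void SelectionSet()
    {
        if (++_depth > maxDepth) // checked on entry, before this level can recurse further
            throw new FormatException($"nesting deeper than {maxDepth} at offset {_pos}");
        Expect('{');
        while (Peek() != '}')
        {
            Name();
            if (Peek() == '{') SelectionSet(); // the only recursive call
        }
        Expect('}');
        _depth--; // leaving this level
    }

    private char Peek() // skips whitespace; returns '\0' at end of input
    {
        while (_pos < text.Length && char.IsWhiteSpace(text[_pos])) _pos++;
        return _pos < text.Length ? text[_pos] : '\0';
    }

    private void Expect(char c) => _pos = Peek() == c
        ? _pos + 1 : throw new FormatException($"expected '{c}' at offset {_pos}");

    private void Name() // the caller's Peek() has already skipped whitespace
    {
        int start = _pos;
        while (_pos < text.Length && char.IsLetterOrDigit(text[_pos])) _pos++;
        if (_pos == start) throw new FormatException($"expected a name at offset {_pos}");
    }
}
```
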
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ michaelstaib
❌ Copilot
