Set default timeout for GraphQL schema validation

[vithushar]

Problem

Currently, graphql-ruby does not enforce a timeout for schema validation by default. When validate_timeout isn't explicitly set, maliciously crafted queries can consume substantial server resources and potentially cause denial of service (DoS) conditions.

Through Shopify's bug bounty program, we've received multiple reports demonstrating that a single host can leverage this behavior to impact an entire API.

Solution

Add a reasonable default timeout (3 seconds) for schema validation that:

• protects all downstream consumers
• maintains backward compatibility and
• preserves the ability to customize or disable the timeout

Why 3 seconds?

• Data-Driven Decision: We analyzed performance metrics across many GraphQL services at Shopify, examining the 95th percentile of GraphQL execution time (not including data retrieval). Most queries execute in under 500ms, with even our most complex queries rarely exceeding 700ms.
• Configurable Override: Services with exceptional needs can still override the default value

[vithushar]

@rmosolgo Would love your thoughts on adding this secure default. Our rationale for why we want this implemented upstream is in the PR description.

[rmosolgo]

I'm open to this change, thanks for suggesting it. I'd like to address #5261 before switching on this default because otherwise, the new timeout may interrupt I/O operations in buggy ways. I'll take a look at that in the next day or two then merge this!

[vithushar]

Appreciate the quick response @rmosolgo. That sounds great. Looking forward to having this implemented and super glad that the I/O issues will be addressed prior to this. 🙂

[rmosolgo]

Hey, master is ready for this now, but unfortunately there are conflicts. I'd resolve them myself but since this branch exists in Shopify/graphql-ruby, I don't have permission to do so. Do you mind resolving them?

[vithushar]

@rmosolgo Conflict resolved! :)

[rmosolgo]

Thanks for this improvement!