proposal:embed graphql-parser as a secure graphql parser for multiple languages

[devkral]

Currently the reference implementation and python graphql-core have a stack problem (this project most probably too, but easily fixable via the generator hack, see graphql-core issue) and the evaluation of graphql strings is slow (performance bottleneck which could be used for a ddos):

You can specify highly nested graphs and the parser crashes before any security software can evaluate the tree.

See issue:

• Support for deep input graphs graphql/graphql-js#4031
• construction fails for depth around > 200 / resource exhaustion? graphql-python/graphql-core#216

So my idea is to fix the projects properly by replacing their parsers with a high performance graphql string parser. And this could be something like this project.

Are you interested in this idea?

Given that I have no rust knowledge yet I would need some guidance should we start the project. Also it would require some coordination between the three projects (not sure how this can be handled).

[LegNeato]

I think we would take PRs to expose and test the crate via other languages (using something like Neon for JS for example) but it is not a priority for us.