[Bug] GraphQL SearchCriteriaValidator not loaded — removed by module-graph-ql di.xml array override#40742

Open
mtytula wants to merge 7 commits into magento:2.4-develop from mtytula:fix/graphql-page-size-limit

@mtytula mtytula commented Apr 15, 2026

Preconditions

  • Magento 2.4.7-p9 (magento/module-graph-ql 100.4.7-p9)
  • Any GraphQL query with pageSize or currentPage arguments

Steps to reproduce

  1. Execute any GraphQL query with pageSize exceeding the configured limit, e.g.:
{
    products(search: "test", pageSize: 999) {
        items {
            sku
        }
    }
}

Expected result

GraphQL returns a validation error:

{
    "data": {
        "products": null
    },
    "errors": [
        {
            "message": "Maximum pageSize is 10",
            "path": [
                "products"
            ],
            "locations": [
                {
                    "line": 2,
                    "column": 5
                }
            ],
            "extensions": {
                "category": "graphql-input"
            }
        }
    ]
}

(Maximum pageSize is X — where X is the configured maxPageSize value, default 300)


Actual result

Query executes without validation. pageSize: 999 is accepted silently. No error is returned.


Root cause

SearchCriteriaValidator (which enforces maxPageSize: 300) is registered
in magento2-base/app/etc/di.xml (primary config):

<!-- magento2-base/app/etc/di.xml -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
        </argument>
    </arguments>
</type>

module-graph-ql/etc/di.xml (module config) also defines validators for the
same type, but only with backpressureValidator:

<!-- module-graph-ql/etc/di.xml -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="backpressureValidator" xsi:type="object">
                Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
            </item>
        </argument>
    </arguments>
</type>

Module-level DI configuration has higher priority than primary config.
When module config defines the same xsi:type="array" argument, it replaces
the primary config's array — it does not merge items. As a result,
searchCriteriaValidator is silently dropped.

Verification at runtime:

$validator = $objectManager->get(
    \Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator::class
);
$ref = new ReflectionClass($validator);
$prop = $ref->getProperty('validators');
$prop->setAccessible(true);
var_dump(array_keys($prop->getValue($validator)));
// Output: ['backpressureValidator']
// Expected: ['searchCriteriaValidator', 'backpressureValidator']

Proposed fix

Move searchCriteriaValidator registration from magento2-base/app/etc/di.xml
to module-graph-ql/etc/di.xml. Both validators should live at module level
so that future validators added by third-party modules can safely merge via
xsi:type="array".

module-graph-ql/etc/di.xml — after fix

<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
            <item name="backpressureValidator" xsi:type="object">
                Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
            </item>
        </argument>
    </arguments>
</type>

magento2-base/app/etc/di.xml — remove this block

<!-- REMOVE: -->
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
    <arguments>
        <argument name="validators" xsi:type="array">
            <item name="searchCriteriaValidator" xsi:type="object">
                Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator
            </item>
        </argument>
    </arguments>
</type>

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any predefined sections require an update
  • All automated tests passed successfully (all builds are green)

Temporary workaround (composer patch)

Until the upstream fix is merged — apply a patch via cweagans/composer-patches.

1. composer.json

"extra": {
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/module-graph-ql": {
            "Fix search criteria composite validator": "patches/magento/module-graph-ql/fix-search-validator.diff"
        }
    }
}

2. patches/magento/module-graph-ql/fix-search-validator.diff

Index: etc/di.xml
===================================================================
--- a/etc/di.xml
+++ b/etc/di.xml
@@ -107,6 +107,7 @@
     <type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator">
         <arguments>
             <argument name="validators" xsi:type="array">
+                <item name="searchCriteriaValidator" xsi:type="object">Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator</item>
                 <item name="backpressureValidator" xsi:type="object">
                     Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator
                 </item>
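
Review bot: the added searchCriteriaValidator item (new line 110) is written on a single line, while the backpressureValidator item directly below it keeps the class name on its own indented line; use one form for both items so the block stays consistent. The hunk is also pinned to line 107 of etc/di.xml, and with "composer-exit-on-patch-failure": true in the composer.json above, a module update that changes this context will stop the install, so recheck the patch on every magento/module-graph-ql upgrade and drop it once the upstream fix ships.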

3. Apply

composer require cweagans/composer-patches --no-update
composer update magento/module-graph-ql
# or simply:
composer install 

Affected repositories

  • magento/magento2: app/etc/di.xml (magento2-base)
  • magento/module-graph-ql: etc/di.xml

Affected versions

All versions of magento/module-graph-ql that introduced backpressureValidator
(i.e. all versions that define CompositeValidator type in their etc/di.xml).

Resolved issues:

  1. resolves [Issue] #40762: [Bug] GraphQL SearchCriteriaValidator not loaded — removed by module-graph-ql di.xml array override
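
A static check for the condition described in the PR description above, as an added example that is not part of the pull request or of Magento's code: it reads di.xml texts, lists where the validators array for CompositeValidator is declared, and reports which expected validators the module-level file lacks. The helper names, the REQUIRED set and the two sample files are assumptions constructed from the snippets in the description.

```python
import xml.etree.ElementTree as ET

COMPOSITE = r"Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\CompositeValidator"
SEARCH = r"Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator"
BACKPRESSURE = r"Magento\GraphQl\Model\Backpressure\BackpressureFieldValidator"
REQUIRED = {"searchCriteriaValidator", "backpressureValidator"}  # assumed: the two names on the page
BASE, MODULE = "app/etc/di.xml", "module-graph-ql/etc/di.xml"

def validators_in(di_xml, type_name=COMPOSITE, argument="validators"):
    """Map item name -> class for type_name's array argument in one di.xml text."""
    found = {}
    for node in ET.fromstring(di_xml).iter("type"):
        if node.get("name") != type_name:
            continue
        for arg in node.findall("./arguments/argument"):
            if arg.get("name") == argument:
                for item in arg.findall("item"):
                    # Class names on the page sit on their own indented line: trim them.
                    found[item.get("name")] = (item.text or "").strip()
    return found

def audit(files, module_path):
    """files: {path: di.xml text}. Report where the array is declared and what the
    module-level file (the one the PR description says takes effect) is missing."""
    declared = {path: validators_in(text) for path, text in files.items()}
    declared = {path: items for path, items in declared.items() if items}
    return {
        "declared_in": sorted(declared),
        "split_across_files": len(declared) > 1,
        "missing_in_module": sorted(REQUIRED - set(declared.get(module_path, {}))),
    }

def di(items):
    """Build a constructed di.xml text holding the given {name: class} items."""
    body = "".join(f'<item name="{n}" xsi:type="object">\n  {c}\n</item>' for n, c in items.items())
    return (f'<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><type name="{COMPOSITE}">'
            f'<arguments><argument name="validators" xsi:type="array">{body}</argument></arguments></type></config>')

# Constructed inputs mirroring the "before" and "after fix" snippets in the PR description.
BEFORE = {BASE: di({"searchCriteriaValidator": SEARCH}), MODULE: di({"backpressureValidator": BACKPRESSURE})}
AFTER = {BASE: "<config/>", MODULE: di({"searchCriteriaValidator": SEARCH, "backpressureValidator": BACKPRESSURE})}

if __name__ == "__main__":
    print(audit(BEFORE, MODULE))
    print(audit(AFTER, MODULE))
```

A non-empty missing_in_module together with split_across_files set to True is the state the description reports; the runtime reflection check in the description remains the authoritative confirmation of what the object manager actually built.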

m2-assistant Bot commented Apr 15, 2026

Hi @mtytula. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@mtytula mtytula changed the title from "Fixed search criteria validator" to "[Bug] GraphQL SearchCriteriaValidator not loaded — removed by module-graph-ql di.xml array override" Apr 15, 2026
mtytula commented Apr 15, 2026

@magento run all tests

@engcom-Dash
Contributor

@magento create issue

mtytula commented Apr 27, 2026

@magento add to contributors team

m2-assistant Bot commented Apr 27, 2026

Hi @mtytula! 👋
Thank you for joining. Please accept team invitation 👉 here 👈 and add your comment one more time.

@engcom-Hotel
Contributor

@magento run all tests

@engcom-Hotel engcom-Hotel left a comment

Hello @mtytula,

Thank you for the contribution!

The code changes look good to us and the failed tests seem to be either flaky or known issues.

But can you please add some automated tests in accordance with the DOD?

Thank you

@engcom-Hotel engcom-Hotel moved this from Pending Review to Changes Requested in Community Dashboard May 5, 2026
@engcom-Dash engcom-Dash self-assigned this May 5, 2026
mtytula commented May 6, 2026

@magento run all tests

mtytula commented May 6, 2026

> Hello @mtytula,
>
> Thank you for the contribution!
>
> The code changes look good to us and the failed tests seem to be either flaky or known issues.
>
> But can you please add some automated tests in accordance with the DOD?
>
> Thank you

Done :)

mtytula commented May 6, 2026

@magento run all tests

mtytula commented May 6, 2026

@magento run all tests

mtytula commented May 6, 2026

@engcom-Hotel @engcom-Dash

My tests passed 🚀

@engcom-Hotel engcom-Hotel left a comment

Thank you @mtytula for making the changes, approving this PR for further process

Labels

  • Priority: P3 (May be fixed according to the position in the backlog.)
  • Progress: testing in progress
  • Project: Community Picked (PRs upvoted by the community)

Projects

Status: Testing in Progress

Development

Successfully merging this pull request may close these issues.

[Issue] [Bug] GraphQL SearchCriteriaValidator not loaded — removed by module-graph-ql di.xml array override

5 participants