
Apollo GraphQL Playground/v3 Deprecation

Open x86NOP opened this issue 1 year ago • 5 comments

Description

The Apollo GraphQL Playground is both still present and enabled in the OpenCTI images built/distributed as of v6.1.10. Playground has been EOL since 2022-12-31 (https://www.apollographql.com/docs/apollo-server/v2/testing/graphql-playground/) and its existence in current builds appears to just be an overlooked artifact from the upgrade from Apollo 2.x to 3.x here in the past.

Furthermore, it should be noted that Apollo 3.x is EOL as of 2024-10-22 requiring an upgrade to Apollo 4.x before that date (https://www.apollographql.com/docs/apollo-server/migration).

Environment

  1. Ubuntu 22.04.4 LTS
  2. OpenCTI 6.1.10
  3. Frontend
  4. Other environment details:

Reproducible Steps

In a browser just visit https[:]//youropencti[.]url/graphql

Expected Output

Having Playground available in production was generally considered a security misconfiguration (and risk) in Apollo 2.x, and there is no reason to have it present in any environment in Apollo 3.x. Given its history including high severity XSS, it should be removed completely from released builds/images.

Actual Output

Playground is still present in distributed builds/images, providing no benefit and introducing potential risk of exploitation.

Additional information

You can close this related 2.5 year old issue at the same time. https://github.com/OpenCTI-Platform/opencti/issues/1835


x86NOP, Jun 12 '24 19:06
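An added check for operators who want to verify what their own deployment serves at /graphql (example code, not part of the issue or of OpenCTI). Apollo Server 3 only returns its landing page to requests whose Accept header prefers text/html, so a plain GET that gets "GET query missing." proves nothing; the marker strings used to tell Playground from Apollo Sandbox are my assumptions, and the sample responses are constructed.

```javascript
// Markers identifying which interactive landing page an HTML response carries.
// These strings are assumptions based on the public Playground/Sandbox assets.
const SIGNATURES = [
  ['playground', ['GraphQL Playground', 'graphql-playground-react']],
  ['sandbox', ['embeddable-sandbox', 'apollo-server-landing-page']],
];

// Classify one response: only an HTML body can be an IDE; JSON/text errors mean
// the endpoint answered as an API and no IDE was served to the browser request.
function classifyLandingPage(status, contentType, body) {
  const ct = (contentType || '').toLowerCase();
  if (!ct.includes('text/html')) return { kind: 'no-ide', status };
  for (const [label, markers] of SIGNATURES) {
    if (markers.some((m) => body.includes(m))) return { kind: label, status };
  }
  return { kind: 'html-unknown', status };
}

// Live audit: send the same Accept header a browser navigation sends, because
// that is the request Apollo answers with the landing page (hypothetical URL).
async function auditEndpoint(url) {
  const res = await fetch(url, { headers: { Accept: 'text/html,application/xhtml+xml' } });
  return classifyLandingPage(res.status, res.headers.get('content-type'), await res.text());
}

// Constructed sample responses (not captured from any real instance).
const SAMPLES = {
  playground: {
    status: 200, contentType: 'text/html; charset=utf-8',
    body: '<html><head><title>GraphQL Playground</title><script src="https://cdn.example/graphql-playground-react/middleware.js"></script></head></html>',
  },
  sandbox: {
    status: 200, contentType: 'text/html',
    body: '<html><body><div id="embeddable-sandbox"></div></body></html>',
  },
  disabled: { status: 400, contentType: 'text/plain', body: 'GET query missing.' },
};

function auditSample(name) {
  const s = SAMPLES[name];
  return classifyLandingPage(s.status, s.contentType, s.body).kind;
}

// Usage: node audit.js https://your-opencti.example/graphql (hypothetical host)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  auditEndpoint(process.argv[2]).then((r) => console.log(JSON.stringify(r)), (e) => console.error(e.message));
}
```

A result of `playground` or `sandbox` on a production host is the condition this issue describes; `no-ide` is what you should see once the landing page plugin is disabled.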

We are currently migrating towards V4 for Apollo server. We will look into it.

Kedae, Jun 13 '24 08:06

Any update on this? This is also the case on the demo instance: https://demo.opencti.io/graphql

RegturH, Oct 16 '24 06:10

This upgrade will be planned in the coming months I think. @nino-filigran ?

Archidoit, Oct 16 '24 07:10

I agree this is starting to be really painful for our technical users @nino-filigran @romain-filigran .

SamuelHassine, Oct 17 '24 07:10

Yes, I'll update the ticket with the according milestone as soon as I can.

nino-filigran, Oct 17 '24 08:10

It seems that Apollo Sandbox cannot be air-gapped. Since it's a strong requirement for OpenCTI to work in an air-gapped environment, we are looking to replace Apollo Playground with GraphiQL instead of Apollo Sandbox.

aHenryJard, Dec 30 '24 10:12