OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Apollo GraphQL Playground/v3 Deprecation #7363

Open x86NOP opened 5 months ago

x86NOP commented 5 months ago

Description

The Apollo GraphQL Playground is both still present and enabled in the OpenCTI images built/distributed as of v6.1.10. Playground has been EOL since 2022-12-31 (https://www.apollographql.com/docs/apollo-server/v2/testing/graphql-playground/) and its existence in current builds appears to just be an overlooked artifact from the upgrade from Apollo 2.x to 3.x here in the past.

Furthermore, it should be noted that Apollo 3.x is EOL as of 2024-10-22 requiring an upgrade to Apollo 4.x before that date (https://www.apollographql.com/docs/apollo-server/migration).

Environment

  1. Ubuntu 22.04.4 LTS
  2. OpenCTI 6.1.10
  3. Frontend
  4. Other environment details:

Reproducible Steps

In a browser just visit https[:]//youropencti[.]url/graphql

Expected Output

Having Playground available in production was generally considered a security misconfiguration (and risk) in Apollo 2.x, and there is no reason to have it present in any environment in Apollo 3.x. Given its history including high severity XSS, it should be removed completely from released builds/images.

Actual Output

Playground is still present in distributed builds/images, providing no benefit and introducing potential risk of exploitation.

Additional information

You can close this related 2.5 year old issue at the same time. https://github.com/OpenCTI-Platform/opencti/issues/1835

Screenshots (optional)

image
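As an added verification aid (not OpenCTI's code and not part of the issue), the check below takes the status, content-type and body of a GET /graphql response made with a browser-style `Accept: text/html` header and reports whether an interactive landing page such as Playground is still being served; the marker strings, the plugin names shown in the comments as the weak and corrected Apollo Server 3 settings, and the sample responses are assumptions and constructed data.

```javascript
// Weak Apollo Server 3 setting (reference only, not executed here):
//   plugins: [ApolloServerPluginLandingPageGraphQLPlayground()]
// Corrected setting, exported by 'apollo-server-core':
//   plugins: [ApolloServerPluginLandingPageDisabled()]

// Assumed markup markers for the two landing pages Apollo Server 3 can serve.
const LANDING_PAGE_MARKERS = [
  { kind: "graphql-playground", pattern: /graphql-playground/i },
  { kind: "apollo-landing-page", pattern: /apollo-server-landing-page/i },
];

// response: { status, headers: { "content-type": ... }, body }
// Returns a verdict: "exposed" (known landing page), "suspicious"
// (unexpected HTML on the API route), or "clean".
function assessGraphqlEndpoint(response) {
  const status = Number(response.status);
  const contentType = String(response.headers["content-type"] || "").toLowerCase();
  const body = String(response.body || "");
  const isHtml = contentType.includes("text/html");
  const hit = LANDING_PAGE_MARKERS.find((m) => m.pattern.test(body));

  if (hit) {
    return { verdict: "exposed", kind: hit.kind,
      reason: `GET /graphql returned ${status} with ${hit.kind} markup` };
  }
  if (isHtml && status === 200) {
    // Any HTML document on the API route deserves a manual look.
    return { verdict: "suspicious", kind: "unknown-html",
      reason: "GET /graphql returned an HTML document without a known marker" };
  }
  return { verdict: "clean", kind: null,
    reason: `GET /graphql returned ${status} ${contentType || "(no content-type)"}` };
}

// Constructed sample responses (not captured from a real OpenCTI instance).
const SAMPLE_PLAYGROUND = {
  status: 200,
  headers: { "content-type": "text/html; charset=utf-8" },
  body: "<html><head><title>GraphQL Playground</title>" +
        "<link href='https://cdn.example/npm/graphql-playground-react/build/static/css/index.css'>" +
        "</head><body></body></html>",
};
const SAMPLE_HARDENED = {
  status: 400,
  headers: { "content-type": "text/plain; charset=utf-8" },
  body: "GET query missing.",
};

console.log(assessGraphqlEndpoint(SAMPLE_PLAYGROUND).verdict); // exposed
console.log(assessGraphqlEndpoint(SAMPLE_HARDENED).verdict);   // clean
```

Run it against the response a real browser-style request to your own instance returns, before and after upgrading, to confirm the landing page is gone.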

Kedae commented 5 months ago

We are currently migrating towards V4 for Apollo server. We will look into it.

RegturH commented 1 month ago

Any update on this? This is also the case on the demo instance: https://demo.opencti.io/graphql

Archidoit commented 1 month ago

This upgrade will be planned in the coming months I think. @nino-filigran ?

SamuelHassine commented 1 month ago

I agree this is starting to be really painful for our technical users @nino-filigran @romain-filigran.

nino-filigran commented 1 month ago

Yes, I'll update the ticket with the according milestone as soon as I can.