search

OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io
Other
5.94k stars 876 forks source link

Apollo GraphQL Playground/v3 Deprecation #7363

Open x86NOP opened 2 months ago

x86NOP commented 2 months ago

Description

The Apollo GraphQL Playground is both still present and enabled in the OpenCTI images built/distributed as of v6.1.10. Playground has been EOL since 2022-12-31 (https://www.apollographql.com/docs/apollo-server/v2/testing/graphql-playground/) and its existence in current builds appears to just be an overlooked artifact from the upgrade from Apollo 2.x to 3.x here in the past.

Furthermore, it should be noted that Apollo 3.x is EOL as of 2024-10-22 requiring an upgrade to Apollo 4.x before that date (https://www.apollographql.com/docs/apollo-server/migration).

Environment

  1. Ubuntu 22.04.4 LTS
  2. OpenCTI 6.1.10
  3. Frontend
  4. Other environment details:

Reproducible Steps

In a browser just visit https[:]//youropencti[.]url /graphql

Expected Output

Having Playground available in production was generally considered a security misconfiguration (and risk) in Apollo 2.x, and there is no reason to have it present in any environment in Apollo 3.x. Given its history including high severity XSS, it should be removed completely from released builds/images.

Actual Output

Playground is still present in distributed builds/images, providing no benefit and introducing potential risk of exploitation.

Additional information

You can close this related 2.5 year old issue at the same time. https://github.com/OpenCTI-Platform/opencti/issues/1835

Screenshots (optional)

image

Kedae commented 2 months ago

We are currently migrating towards V4 for Apollo server. We will look into it.