Apollo GraphQL Playground/v3 Deprecation #7363
Comments
We are currently migrating towards V4 for Apollo server. We will look into it.
any update on this? this is also the case on the demo instance: https://demo.opencti.io/graphql
This upgrade will be planned in the coming months I think. @nino-filigran ?
I agree this is starting to be really painful for our technical users @nino-filigran @romain-filigran.
Yes, I'll update the ticket with the according milestone as soon as I can.
It seems that Apollo Sandbox cannot be air gapped; since it's a strong requirement for OpenCTI to work in an air-gapped environment, we are looking to replace Apollo Playground by GraphiQL instead of Apollo Sandbox.
Description
The Apollo GraphQL Playground is both still present and enabled in the OpenCTI images built/distributed as of v6.1.10. Playground has been EOL since 2022-12-31 (https://www.apollographql.com/docs/apollo-server/v2/testing/graphql-playground/) and its existence in current builds appears to just be an overlooked artifact from the upgrade from Apollo 2.x to 3.x here in the past.
Furthermore, it should be noted that Apollo 3.x is EOL as of 2024-10-22 requiring an upgrade to Apollo 4.x before that date (https://www.apollographql.com/docs/apollo-server/migration).
Environment
Reproducible Steps
In a browser just visit https[:]//youropencti[.]url/graphql
Expected Output
Having Playground available in production was generally considered a security misconfiguration (and risk) in Apollo 2.x, and there is no reason to have it present in any environment in Apollo 3.x. Given its history including high severity XSS, it should be removed completely from released builds/images.
Actual Output
Playground is still present in distributed builds/images, providing no benefit and introducing potential risk of exploitation.
Additional information
You can close this related 2.5 year old issue at the same time.
#1835
Screenshots (optional)
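An added audit helper, not code from OpenCTI or the issue author: it classifies what a GraphQL endpoint returns to a browser-style GET on /graphql, so a release pipeline can flag the deprecated Playground (or any Apollo-hosted landing page, which also defeats air-gapping) before an image ships. The marker strings are heuristics assumed from each tool's public HTML, and the sample responses are constructed, not captured from any instance.

```javascript
// Interactive landing pages Apollo Server can serve on GET /graphql, ordered
// by how much they matter for a production deployment.
// Markers are heuristics (assumed from each tool's public HTML), not an API.
const LANDING_PAGE_MARKERS = [
  // Deprecated GraphQL Playground (EOL 2022-12-31), with a history of XSS fixes.
  { kind: 'graphql-playground', severity: 'high',
    patterns: [/graphql-playground/i, /GraphQL Playground/i] },
  // Apollo Server 3/4 default landing page or embedded Sandbox: loaded from an
  // Apollo CDN, so it is both an interactive IDE and a break for air-gapped sites.
  { kind: 'apollo-landing-page', severity: 'medium',
    patterns: [/apollo-server-landing-page/i, /embeddable-sandbox/i, /apollographql\.com/i] },
  // GraphiQL can be self-hosted, but an interactive IDE should still be opt-in.
  { kind: 'graphiql', severity: 'low', patterns: [/graphiql/i] },
];

// Classify an HTML body; a hardened endpoint returns no landing page at all.
function classifyLandingPage(html) {
  for (const { kind, severity, patterns } of LANDING_PAGE_MARKERS) {
    if (patterns.some((p) => p.test(html))) return { kind, severity };
  }
  return { kind: 'none', severity: 'info' };
}

// Live check against your own deployment (Node 18+ global fetch). Apollo only
// serves the landing page to browser-style requests, hence Accept: text/html.
async function auditGraphqlEndpoint(url) {
  const res = await fetch(url, { headers: { accept: 'text/html' } });
  const contentType = res.headers.get('content-type') || '';
  if (!contentType.includes('text/html')) {
    return { kind: 'none', severity: 'info', status: res.status };
  }
  return { ...classifyLandingPage(await res.text()), status: res.status };
}

// Constructed sample responses standing in for four deployment states.
const SAMPLES = {
  playground: '<!DOCTYPE html><title>GraphQL Playground</title>'
    + '<script src="//cdn.jsdelivr.net/npm/graphql-playground-react/build/static/js/middleware.js"></script>',
  apollo: '<div id="react-root"></div>'
    + '<script src="https://apollo-server-landing-page.cdn.apollographql.com/_latest/static/js/main.js"></script>',
  graphiql: '<title>GraphiQL</title><script src="/static/graphiql.min.js"></script>',
  hardened: '{"errors":[{"message":"GET query missing."}]}',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), classifyLandingPage(body));
}
// Pass a URL to audit a real deployment: node audit-landing-page.js https://opencti.example/graphql
if (process.argv[2]) auditGraphqlEndpoint(process.argv[2]).then(console.log);
```

Fail the pipeline on anything other than `kind: 'none'` for production images; a deliberately exposed self-hosted GraphiQL in a development profile can be allow-listed by its `low` severity.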