[backend] Adapt graphql armor options and default values

opencti-platform/opencti-graphql/config/default.json

@@ -42,7 +42,14 @@
       "max_time": 1000
     },
     "graphql": {
-      "armor_enabled": false,
+      "armor_protection": {
+        "disabled": true,
+        "max_depth": 20,
+        "max_directives": 20,
+        "max_tokens": 100000,
+        "cost_limit": 3000000,
+        "block_field_suggestion": true
+      },
       "batching_protection": {
         "mutation_default": 1,
         "query_default": 2,

opencti-platform/opencti-graphql/src/config/conf.js

@@ -416,7 +416,7 @@ export const ENABLED_UI = booleanConf('app:enabled_ui', true);
 export const ENABLED_DEMO_MODE = booleanConf('demo_mode', false);
 export const PLAYGROUND_INTROSPECTION_DISABLED = DEV_MODE ? false : (!ENABLED_UI || booleanConf('app:graphql:playground:force_disabled_introspection', true));
 export const PLAYGROUND_ENABLED = ENABLED_UI && booleanConf('app:graphql:playground:enabled', true);
-export const GRAPHQL_ARMOR_ENABLED = booleanConf('app:graphql:armor_enabled', true);
+export const GRAPHQL_ARMOR_DISABLED = booleanConf('app:graphql:armor_protection:disabled', true);
 
 // Default activated managers
 export const ENABLED_TRACING = booleanConf('app:telemetry:tracing:enabled', false);

opencti-platform/opencti-graphql/src/graphql/graphql.js

@@ -9,7 +9,7 @@ import { constraintDirectiveDocumentation } from 'graphql-constraint-directive';
 import { GraphQLError } from 'graphql/error';
 import { createApollo4QueryValidationPlugin } from 'graphql-constraint-directive/apollo4';
 import createSchema from './schema';
-import conf, { basePath, DEV_MODE, ENABLED_TRACING, GRAPHQL_ARMOR_ENABLED, logApp, PLAYGROUND_ENABLED, PLAYGROUND_INTROSPECTION_DISABLED } from '../config/conf';
+import conf, { basePath, DEV_MODE, ENABLED_TRACING, GRAPHQL_ARMOR_DISABLED, logApp, PLAYGROUND_ENABLED, PLAYGROUND_INTROSPECTION_DISABLED } from '../config/conf';
 import { authenticateUserFromRequest, userWithOrigin } from '../domain/user';
 import { ForbiddenAccess, ValidationError } from '../config/errors';
 import loggerPlugin from './loggerPlugin';
@@ -46,26 +46,26 @@ const createApolloServer = () => {
   const apolloValidationRules = [batchValidationRule];
   // optional graphql-armor plugin configuration
   // Still disable by default for now as required more testing
-  if (GRAPHQL_ARMOR_ENABLED) {
+  if (!GRAPHQL_ARMOR_DISABLED) {
     const armor = new ApolloArmor({
       blockFieldSuggestion: { // It will prevent suggesting fields in case of an erroneous request.
-        enabled: true,
+        enabled: conf.get('app:graphql:armor_protection:block_field_suggestion') ?? true,
       },
-      costLimit: { // Blocking too expensive requests (DoS attack attempts).
-        maxCost: 10000
-      },
-      maxAliases: { // Limit the number of aliases in a document.
-        enabled: false, // Handled by graphql-no-alias
+      costLimit: { // Limit the complexity of a GraphQL document.
+        maxCost: conf.get('app:graphql:armor_protection:cost_limit') ?? 3000000,
       },
       maxDepth: { // maxDepth: Limit the depth of a document.
-        n: 20,
+        n: conf.get('app:graphql:armor_protection:max_depth') ?? 20,
       },
       maxDirectives: { // Limit the number of directives in a document.
-        n: 50,
+        n: conf.get('app:graphql:armor_protection:max_directives') ?? 20,
       },
       maxTokens: { // Limit the number of GraphQL tokens in a document.
-        n: 2000,
-      }
+        n: conf.get('app:graphql:armor_protection:max_tokens') ?? 100000,
+      },
+      maxAliases: { // Limit the number of aliases in a document.
+        enabled: false, // Handled by graphql-no-alias
+      },
     });
     const protection = armor.protect();
     apolloPlugins.push(...protection.plugins);