Validate Domains when performing DAST full scans
Problem to solve
The DAST job can be run anywhere, including GitLab.com. Since we will allow active scans soon, users could accidentally hit live web servers and potentially damage them.
Many customers have asked for this feature because they are afraid of accidentally taking down their production environment.
Proposal
If the user has set `DAST_FULL_SCAN_ENABLED="true"`, the URL specified by `DAST_WEBSITE` must respond to a GET request carrying a `Gitlab-DAST-Request` header with a response that carries the `Gitlab-DAST-Confirmation` header. The headers do not need a value.
In this issue, we have to implement that GET request.
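To make the exchange concrete, here is an added example (not GitLab's DAST implementation) in Python that shows both sides of the permission handshake: the scanner-side check that sends the GET with the `Gitlab-DAST-Request` header and looks for `Gitlab-DAST-Confirmation` in the response, and a constructed stand-in for the customer's application that only confirms when it is configured as a test environment. The function names, the loopback server and the `opt_in` switch are assumptions for illustration.

```python
# Added example (not GitLab's DAST code): the full-scan permission handshake
# from the proposal above, with both sides so it runs offline.
import http.client
import http.server
import threading
from urllib.parse import urlparse

# Header names from the proposal; values are irrelevant, only presence counts.
REQUEST_HEADER = "Gitlab-DAST-Request"
CONFIRM_HEADER = "Gitlab-DAST-Confirmation"


def confirm_full_scan(website_url, timeout=5.0):
    """Scanner side: send the permission GET and return True only if the
    target answers with the confirmation header. Any failure (connection
    error, timeout, missing header) is treated as 'permission not granted'."""
    parts = urlparse(website_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={REQUEST_HEADER: ""})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        # getheader() is case-insensitive; it returns "" for a present but
        # value-less header and None when the header is absent.
        return resp.getheader(CONFIRM_HEADER) is not None
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def make_app_handler(opt_in):
    """Application side (constructed stand-in for a customer's app).
    opt_in=True models a test environment configured as the docs will
    describe; opt_in=False models production, which must never confirm."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            if opt_in and REQUEST_HEADER in self.headers:
                self.send_header(CONFIRM_HEADER, "")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    return Handler


def start_test_app(opt_in):
    """Start the stand-in app on a free loopback port; returns (server, url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_app_handler(opt_in))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def stop_test_app(server):
    server.shutdown()
    server.server_close()


def run_demo():
    """Exercise both outcomes; returns {"test_env": True, "production": False}."""
    results = {}
    for label, opt_in in (("test_env", True), ("production", False)):
        server, url = start_test_app(opt_in)
        try:
            results[label] = confirm_full_scan(url)
        finally:
            stop_test_app(server)
    return results


if __name__ == "__main__":
    for label, ok in run_demo().items():
        print("%-10s full scan %s" % (label, "permitted" if ok else "refused"))
```

The check treats every failure as a refusal: a timeout, a connection error, or a 200 response without the header must not be read as permission, because the safe default is to not run the active scan. On the application side the confirmation header would be added only in test-environment configuration, which is the point of the documentation warning in the acceptance criteria.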
Don't forget to add instructions to our DAST docs! We should have a few sample configurations for how to add headers to an app.
Acceptance Criteria
Given I am a customer setting up DAST
When I look at the setup instructions
Then I am informed that I need to configure my app to respond to the full scan permissions request before I can run a full scan.
And I am warned to make sure that the configuration only exists in my test environments (NOT production).
Given I am a customer with DAST full scan enabled
When I launch a DAST scan through CI or another means
And my application responds to the DAST full scan permissions request
Then I see my DAST scan run successfully.
Given I am a customer with DAST full scan enabled
When I launch a DAST scan through CI or another means
And my application does not respond to the DAST full scan permissions request
Then I see a message that I must configure my application to respond to the permissions request
And I see a link to the docs on how to do so.
Rollout
This is a breaking change, so it must have a feature flag.
In %12.2 we want the feature to be enabled if a customer:
- sets up DAST full scan after the release (determined by the `created_at` for the `DAST_FULL_SCAN_ENABLED` variable in the `ci_variables` table)
- if administrators explicitly flip the feature flag
We will make a future decision on when to make this behavior the default for all users, based on what we learn from, and the feedback we receive on, this issue.