DAST Site Profiles cannot be added for private URLs ("Url is blocked")
Summary
When trying to add a new DAST site profile at https://gitlab.com/path/to/repo/-/security/configuration/dast_profiles/dast_site_profiles/new, the form submission will fail if the Target URL is not directly reachable from the GitLab instance. It gives the error message: "Url is blocked: Requests to the local network are not allowed".
Since DAST runs on GitLab runners and not the GitLab instance, it should be possible to add private URLs using this form, since the GitLab runner may be able to reach the site even if the GitLab instance cannot. In my organization, every non-production application resides on a private network, so this really hampers the usability of on-demand DAST.
Steps to reproduce
- Deploy a web app onto a private network
- On any repo, go to Security & Compliance -> Configuration -> DAST Profiles -> Manage -> New Profile -> Site Profile
- Put the URL of your private app as the target URL and submit the form.
- Receive the error: "Url is blocked: Requests to the local network are not allowed"
Example Project
Not included - Cannot be easily mocked.
What is the current bug behavior?
Private sites cannot be scanned using on-demand DAST because their Target URL fails the site profile validation rules.
What is the expected correct behavior?
Being able to directly reach the Target URL from the GitLab instance should not be a requirement for creating the site profile, since it may still be possible to scan the site using a GitLab runner located in a different network.
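To make the behaviour in the Summary and the expected behaviour concrete, here is an added example (not GitLab's own Gitlab::UrlBlocker code; the function names, the allow_local_network option and the injectable resolver are assumptions) of the kind of SSRF guard that produces this error: it rejects targets that resolve to loopback, private or link-local ranges, which is the right default when the GitLab instance itself would fetch the URL, and exposes an explicit escape hatch for a caller that will only hand the URL to a runner on another network.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Hypothetical guard modelled on the error message in this issue; not GitLab's implementation.
class UrlBlocked < StandardError; end

# Ranges a server-side fetch must never reach unless the caller explicitly allows it.
LOCAL_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def local_address?(ip)
  LOCAL_RANGES.any? { |range| range.include?(ip) }
end

# Returns an IPAddr when host is an IP literal, nil when it is a DNS name.
def literal_ip(host)
  IPAddr.new(host)
rescue IPAddr::InvalidAddressError
  nil
end

# Returns the parsed URI when the target is acceptable, raises UrlBlocked otherwise.
# allow_local_network: true is the escape hatch for a caller that will NOT fetch the URL
# from this server (the scan runs on a runner elsewhere), so the SSRF risk does not apply.
# resolver: DNS lookup is injectable so the check can be exercised offline (assumed design).
def validate_target_url!(url, allow_local_network: false,
                         resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  raise UrlBlocked, 'Url is blocked: Only http and https are allowed' unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the brackets from IPv6 literals such as http://[::1]/
  raise UrlBlocked, 'Url is blocked: Host is missing' if host.nil? || host.empty?
  return uri if allow_local_network

  ip = literal_ip(host)
  addresses = ip ? [ip] : resolver.call(host).map { |a| IPAddr.new(a) }
  raise UrlBlocked, 'Url is blocked: Host could not be resolved' if addresses.empty?
  if addresses.any? { |a| local_address?(a) }
    raise UrlBlocked, 'Url is blocked: Requests to the local network are not allowed'
  end
  uri
end
```

Resolving the hostname to every address (not just checking the literal) matters because a public DNS name can point at a private address; the allow flag should be granted per feature, not globally.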
Relevant logs and/or screenshots
Output of checks
This bug happens on gitlab.com
Solution
This issue outlines the resolution: #324990 (closed)