
Show better error descriptions in on-demand dast

Follows-up on #327640 (closed)

The error appears when the minimum length requirement is not met for the Request Headers or Password fields while saving a site profile.

Example:

[image omitted: screenshot of the error shown in the UI]

GraphQL Response:

```json
[
    {
        "data": {
            "dastSiteProfileCreate": {
                "id": null,
                "errors": [
                    "Value is invalid"
                ],
                "dastSiteProfile": null,
                "__typename": "DastSiteProfileCreatePayload"
            }
        }
    }
]
```

This error is happening because the Maskable module included by the Dast::SiteProfileSecretVariable class validates the size of the attributes. The Password and Request Headers fields are masked attributes, and the minimum length is 8.

If we add a validation message on the Maskable module, it wouldn't be clear which attribute is invalid because all maskable attributes will have the same error message.

We are also encoding the password and the request headers before the size validation runs. Because the check is applied to the encoded value rather than the raw one, a password or request header shorter than 8 characters is accepted whenever its encoded form reaches the minimum length, as shown below (a 3-character value is rejected, but a 4-character value, whose base64 form is 8 characters, is accepted):

```
[31] pry(main)> secret_variable.update(raw_value: "1ba")
  TRANSACTION (0.5ms)  BEGIN
  Dast::SiteProfileSecretVariable Exists? (0.4ms)  SELECT 1 AS one FROM "dast_site_profile_secret_variables" WHERE "dast_site_profile_secret_variables"."key" = 'DAST_PASSWORD_BASE64' AND "dast_site_profile_secret_variables"."id" != 2 AND "dast_site_profile_secret_variables"."dast_site_profile_id" = 3 LIMIT 1
  TRANSACTION (0.2ms)  ROLLBACK
=> false

[32] pry(main)> secret_variable.update(raw_value: "1bae")
  TRANSACTION (0.2ms)  BEGIN
  Dast::SiteProfileSecretVariable Exists? (0.4ms)  SELECT 1 AS one FROM "dast_site_profile_secret_variables" WHERE "dast_site_profile_secret_variables"."key" = 'DAST_PASSWORD_BASE64' AND "dast_site_profile_secret_variables"."id" != 2 AND "dast_site_profile_secret_variables"."dast_site_profile_id" = 3 LIMIT 1
  Dast::SiteProfileSecretVariable Update (1.3ms)  UPDATE "dast_site_profile_secret_variables" SET "updated_at" = '2022-11-15 17:23:09.054484', "encrypted_value" = '\x912ac2f96868cc19080ce318d5362b9390ee5c0531a74747', "encrypted_value_iv" = '\x364b70383443746d6d564a613545362b0a' WHERE "dast_site_profile_secret_variables"."id" = 2
  TRANSACTION (0.4ms)  COMMIT
=> true
```

Based on the two points above, I believe we should add a minimum length size validation to the Dast::SiteProfiles::CreateService for the following reasons:

  • We could skip the transaction creation if the attributes are invalid
  • We could return a more informative error message
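The following is an added, self-contained Ruby illustration of the two points above; it is not GitLab's code. It reproduces the encode-then-validate behaviour from the pry session (a 3-character value fails, a 4-character value passes because its base64 form is 8 characters) and contrasts it with a service-level check that validates the raw value before encoding and names the offending attribute. The field labels, the `MIN_LENGTH` constant and the `create_site_profile` helper are assumptions standing in for the Maskable module and `Dast::SiteProfiles::CreateService`.

```ruby
require 'base64'

# Minimum length for masked attributes, as stated in the issue.
MIN_LENGTH = 8

# Assumed labels for the two masked attributes discussed in the issue.
MASKED_FIELDS = { password: 'Password', request_headers: 'Request Headers' }.freeze

# Current behaviour (constructed stand-in for the Maskable size check): the raw
# value is base64-encoded first and the length check runs on the encoded string,
# so a short raw value passes once its encoded form reaches MIN_LENGTH. The
# error message cannot say which attribute failed.
def encoded_length_check(raw_value)
  encoded = Base64.strict_encode64(raw_value)
  return ['Value is invalid'] if encoded.length < MIN_LENGTH

  []
end

# Proposed behaviour: validate the raw value before any encoding and report the
# attribute by name. Missing (nil) fields are treated as not supplied.
def validate_secret_fields(params)
  errors = []
  MASKED_FIELDS.each do |key, label|
    value = params[key]
    next if value.nil?

    if value.length < MIN_LENGTH
      errors << "#{label} is too short (minimum is #{MIN_LENGTH} characters)"
    end
  end
  errors
end

# Constructed stand-in for a create service: fail fast on invalid input so no
# database transaction is opened, otherwise "persist" and return an id.
def create_site_profile(params)
  errors = validate_secret_fields(params)
  return { id: nil, errors: errors, transaction_started: false } unless errors.empty?

  { id: 1, errors: [], transaction_started: true }
end

if __FILE__ == $PROGRAM_NAME
  p encoded_length_check('1ba')   # rejected: "MWJh" is 4 chars
  p encoded_length_check('1bae')  # accepted: "MWJhZQ==" is 8 chars
  p create_site_profile(password: '1bae')
  p create_site_profile(password: 'correct-horse', request_headers: 'X: 1')
end
```

The service-level check runs before any model is built, so an invalid profile never reaches `BEGIN`/`ROLLBACK`, and the message returned to the GraphQL client identifies the field instead of the generic "Value is invalid".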
Edited by Marcos Rocha