Reduce false positives for check 352.1
Proposal
The 352.1 check implemented for https://gitlab.com/gitlab-org/gitlab/-/issues/331219 will likely produce many false positives for a website.
This issue is a follow-up designed to reduce these with the following strategy:
- A finding should only be produced when the navigation that triggered the HTTP request has an action type of form fill.
- The check should not be aggregated. This means that users can dismiss findings for some URLs while not dismissing others.
- The uniqueness template should be changed to use the request_path, excluding the query string (this may not be necessary given the new action/form fill requirement).
This check should be turned on by default in DAST when these enhancements have been made.
Implementation plan
- Create a conditional navigation result matcher
- Create a navigation result predicate interface
- Create a navigation result NavigationResultIsFormFill predicate
- Check 352.1 should only check the messages when the predicate is true
- Write an end-to-end test for 352.1
- Enable 352.1 in DAST
- Update DAST documentation describing 352.1
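The plan above describes three moving parts: a predicate over navigation results, a matcher that only hands a navigation result to the check when the predicate holds, and a uniqueness key built from the request path without its query string. The following Go sketch is an added illustration of how those parts fit together; it is not code from the DAST browser-based analyzer, and every type and function name in it (ActionType, NavigationResult, NavigationResultPredicate, ConditionalMatcher, UniquenessKey, Dedupe, the stand-in check flagEveryRequest) is an assumption made for this example. The stand-in check flags every request it is given, so the output shows only the predicate and the uniqueness key doing the false-positive reduction.

```go
package main

import (
	"fmt"
	"net/url"
)

// ActionType is the kind of navigation that produced an HTTP request.
// Names are assumptions for this example, not the analyzer's own types.
type ActionType int

const (
	ActionLink ActionType = iota
	ActionFormFill
	ActionScript
)

// NavigationResult pairs a navigation action with the request URL it triggered.
type NavigationResult struct {
	Action     ActionType
	RequestURL string
}

// NavigationResultPredicate decides whether a navigation result is handed to a check.
type NavigationResultPredicate interface {
	Matches(r NavigationResult) bool
}

// NavigationResultIsFormFill is satisfied only by form-fill navigations,
// which is the condition the proposal wants before a 352.1 finding is produced.
type NavigationResultIsFormFill struct{}

func (NavigationResultIsFormFill) Matches(r NavigationResult) bool {
	return r.Action == ActionFormFill
}

// Finding is a single, non-aggregated finding keyed by its uniqueness key,
// so a user can dismiss one URL without dismissing the others.
type Finding struct {
	URL           string
	UniquenessKey string
}

// Check inspects one navigation result and reports whether it yields a finding.
type Check func(r NavigationResult) (Finding, bool)

// ConditionalMatcher runs the wrapped check only when the predicate is true.
type ConditionalMatcher struct {
	Predicate NavigationResultPredicate
	Check     Check
}

func (m ConditionalMatcher) Run(results []NavigationResult) []Finding {
	var findings []Finding
	for _, r := range results {
		if !m.Predicate.Matches(r) {
			continue // not a form fill: never reaches the check
		}
		if f, ok := m.Check(r); ok {
			findings = append(findings, f)
		}
	}
	return findings
}

// UniquenessKey builds the key from the request path, excluding the query string,
// so repeated submissions to the same endpoint with different parameters collapse.
func UniquenessKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// Dedupe keeps the first finding for each uniqueness key.
func Dedupe(findings []Finding) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, f := range findings {
		if seen[f.UniquenessKey] {
			continue
		}
		seen[f.UniquenessKey] = true
		out = append(out, f)
	}
	return out
}

// flagEveryRequest is a stand-in for the real check (assumption): it reports
// every request it sees, so only the predicate and key do the filtering here.
func flagEveryRequest(r NavigationResult) (Finding, bool) {
	key, err := UniquenessKey(r.RequestURL)
	if err != nil {
		return Finding{}, false
	}
	return Finding{URL: r.RequestURL, UniquenessKey: key}, true
}

// sampleResults is constructed input: one link, two form fills to the same path
// with different query strings, and one script-driven request.
var sampleResults = []NavigationResult{
	{Action: ActionLink, RequestURL: "https://example.test/account?tab=1"},
	{Action: ActionFormFill, RequestURL: "https://example.test/login?next=%2Fhome"},
	{Action: ActionFormFill, RequestURL: "https://example.test/login?next=%2Fsettings"},
	{Action: ActionScript, RequestURL: "https://example.test/api/ping"},
}

// RunSample applies the matcher and dedupe to the constructed input.
func RunSample() []Finding {
	m := ConditionalMatcher{Predicate: NavigationResultIsFormFill{}, Check: flagEveryRequest}
	return Dedupe(m.Run(sampleResults))
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("finding: key=%s url=%s\n", f.UniquenessKey, f.URL)
	}
}
```

With the constructed input, four navigation results reduce to a single finding keyed on /login: the link and script navigations never reach the check, and the two form submissions to /login share one uniqueness key once the query string is dropped.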
Edited by Cameron Swords