Dogfooding Web API Fuzz Testing on GitLab
Feature to Dogfood
Web API Fuzz Testing security scanner
Goals
One of GitLab's key principles is to dogfood everything. Following &3178 (closed), #216151 was created to dogfood the Web API Fuzz Testing feature, but it was blocked by the need to create the OpenAPI JSON file for the GitLab REST API by hand.
- Update the incomplete OpenAPI V3 documentation of the GitLab REST API to cover more test cases. There has been some discussion in #211512 about generating this automatically with grape-swagger, but the team ran into difficulties because grape-swagger does not support OpenAPI V3. Fortunately, Web API Fuzz Testing accepts OpenAPI V2 specs, so a V2 document generated by grape-swagger can be used as the fuzzing target.
- Set up a nightly fuzzing job based on @cmaxim's example with the new auto- or manually-generated spec.
- Analyze and resolve fuzzing results.
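The shape of the nightly job described in the goals above, written as an added illustration rather than configuration taken from this issue or from @cmaxim's example. It uses GitLab's own `Security/API-Fuzzing.gitlab-ci.yml` template and its documented `FUZZAPI_*` variables; the spec filename, the target URL, and the `GITLAB_API_TOKEN` CI variable are assumptions, and the schedule rule is what restricts the run to a nightly pipeline:

```yaml
# Added example: scheduled (nightly) API fuzzing job for a GitLab REST API deployment.
# Assumptions: openapi_v2.json is the generated spec committed to the repo,
# GITLAB_API_TOKEN is a masked CI/CD variable holding a personal access token,
# and FUZZAPI_TARGET_URL points at a disposable test deployment, never production,
# because the fuzzer will create, modify and delete data through the API.
include:
  - template: Security/API-Fuzzing.gitlab-ci.yml

variables:
  # Quick-10 keeps the run short for a first pass; raise to Medium-20 or Long-100
  # once the spec and authentication are known to work.
  FUZZAPI_PROFILE: Quick-10
  # Web API Fuzz Testing accepts an OpenAPI V2 (Swagger) document.
  FUZZAPI_OPENAPI: openapi_v2.json
  FUZZAPI_TARGET_URL: https://gitlab-fuzz-target.example.invalid  # assumption
  # Most GitLab REST endpoints require authentication; inject the PRIVATE-TOKEN
  # header on every request via the overrides mechanism so the fuzzer is not
  # just exercising the 401 path.
  FUZZAPI_OVERRIDES_ENV: '{"headers":{"PRIVATE-TOKEN":"$GITLAB_API_TOKEN"}}'

# The template defines apifuzzer_fuzz; override its rules so it only runs from
# a pipeline schedule (Settings > CI/CD > Schedules) instead of on every push.
apifuzzer_fuzz:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
```

The report lands in the `gl-api-fuzzing-report.json` artifact the template produces, which is what the "Analyze and resolve fuzzing results" step reads from; the token used should belong to a throwaway account on the test deployment with only the scopes the spec's endpoints need.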
Progress Tracker
| Task | Subtasks | Link |
|---|---|---|
| Create fuzzing target | | !97363 |
| Annotate endpoints | Moved to &8926 | Moved to &8926 |
| Generate OpenAPI V2 documentation | Moved to &8926 | Moved to &8926 |
| Fuzz endpoint | | gitlab-org/secure/pocs/api-fuzzing-dogfooding: job 3018550743, job 3047989026 |
Why Dogfooding is Important
Edited by Eugene Lim