On-demand with DAST API is not correctly passing some variables

Summary

The on-demand security scanning feature has recently been updated to use DAST API for API scans. The feature is still behind a feature flag to allow for some manual testing before being rolled out. During manual testing it was found that adding a request header and excluding a URL did not get correctly passed to the DAST API scanning job.

Steps to reproduce

  1. Create a test project and enable the feature flag for the project
  2. Click on Security & Compliance -> On-demand scans
  3. Click on New scan
  4. Scan name: Testing DAST API
  5. Click on Select site profile
  6. Click on New profile
  7. Enter the following:
    1. Profile name: Testing DAST API
    2. Site type: API
    3. API endpoint URL: https://gitlab.com/
    4. Scan method: OpenAPI
    5. OpenAPI Specification file URL: https://gitlab.com/gitlab-org/secure/pocs/api-fuzzing-dogfooding/-/raw/main/openapi_v2.yaml
    6. Excluded paths: https://gitlab.com/api/v4/version
    7. Additional request headers: Authorization: Bearer abcdefghijklmnop
  8. Click Save profile
  9. Click Change scanner profile
  10. Click New profile
  11. Enter the following:
    1. Profile name: Passive Profile
    2. Scan mode: Passive
  12. Click Save profile
  13. Click Save and run scan
  14. Click on dast job
  15. Wait for scan to fail or complete. Failure is okay.
  16. Click on Browse job artifacts
  17. Click on gl-api-security-worker-entry.log
  18. View downloaded file in notepad or similar
  19. Look for the following:
2022-10-18 17:57:11 [DEB] API Security: Setting 'exclude_urls' with value of 'None' on app

and

2022-10-18 17:57:11 [DEB] API Security: Setting 'request_headers' with value of 'None' on app

A value of None indicates the following variables have not been set:

  • DAST_API_REQUEST_HEADERS
  • DAST_API_EXCLUDE_URLS
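The log check in step 19 can be automated. The script below is an added example, not code from the issue or from GitLab: it scans a downloaded gl-api-security-worker-entry.log for "Setting ... with value of 'None' on app" lines and reports which of the two variables named above were not passed to the scanner. The regex, the helper names and the third sample log line (setting name 'target_url') are my own assumptions; the first two sample lines are the ones quoted in the issue.

```python
import re
from typing import Dict, List, Tuple

# Line shape taken from the log excerpt in the issue; the regex itself is an assumption.
SETTING_RE = re.compile(
    r"\[DEB\] API Security: Setting '(?P<setting>\w+)' with value of '(?P<value>[^']*)' on app"
)

# Worker setting name -> CI variable that feeds it. Only the two settings named
# in the issue are mapped; any other setting is reported by its raw name.
SETTING_TO_VARIABLE: Dict[str, str] = {
    "request_headers": "DAST_API_REQUEST_HEADERS",
    "exclude_urls": "DAST_API_EXCLUDE_URLS",
}

# Constructed sample logs. The first two lines of SAMPLE_LOG are quoted from the
# issue; the 'target_url' line is a constructed, hypothetical setting.
SAMPLE_LOG = """\
2022-10-18 17:57:11 [DEB] API Security: Setting 'exclude_urls' with value of 'None' on app
2022-10-18 17:57:11 [DEB] API Security: Setting 'request_headers' with value of 'None' on app
2022-10-18 17:57:11 [DEB] API Security: Setting 'target_url' with value of 'https://gitlab.com/' on app
"""

# Constructed log showing what a correctly configured job would look like.
FIXED_LOG = """\
2022-10-18 17:57:11 [DEB] API Security: Setting 'exclude_urls' with value of 'https://gitlab.com/api/v4/version' on app
2022-10-18 17:57:11 [DEB] API Security: Setting 'request_headers' with value of 'Authorization: Bearer abcdefghijklmnop' on app
"""


def parse_settings(log_text: str) -> Dict[str, str]:
    """Return {setting: value} for every 'Setting ... on app' line in the log.

    A later line for the same setting overwrites an earlier one, so the value
    returned is the last one the worker logged. Values containing a single
    quote are not handled (the regex stops at the first closing quote).
    """
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = SETTING_RE.search(line)
        if m:
            found[m.group("setting")] = m.group("value")
    return found


def unset_variables(
    log_text: str,
    expected: Tuple[str, ...] = ("request_headers", "exclude_urls"),
) -> List[str]:
    """Return the CI variables whose setting reached the scanner as 'None'.

    A setting that is absent from the log is treated the same as one logged
    as 'None': in both cases the scanner is not using the configured value.
    """
    settings = parse_settings(log_text)
    missing = [
        SETTING_TO_VARIABLE.get(setting, setting)
        for setting in expected
        if settings.get(setting, "None") == "None"
    ]
    return sorted(missing)


if __name__ == "__main__":
    import sys

    # Usage: python check_dast_api_log.py gl-api-security-worker-entry.log
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for var in unset_variables(text):
        print(f"not passed to scanner: {var}")
```

Running it against the log from a job that reproduces the issue prints both variable names; against the corrected log it prints nothing.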

Example Project

https://gitlab.com/gitlab-org/secure/dast/api-on-demand-test

What is the current bug behavior?

Values set in the UI for request headers and excluded paths are not passed to the scanner.

What is the expected correct behavior?

The values should be passed to the scanner and used by it.

Possible fixes