Turn on fast regular expressions for passive checks
Problem
The feature flag FF_DAST_OPTIMIZE_REGEXPS is turned off by default in DAST, causing passive checks to take longer to run on large response bodies.
Proposal
Test and turn on the feature flag by default.
Implementation plan
- Find or write a webserver that contains vulnerabilities. Run DAST with the feature flag turned off against the server - https://gitlab.com/gitlab-org/security-products/tests/secrets might be an option (convert to server, add endpoints for each secret, make some large response bodies)
  - Mass-auto might be an option
- Run DAST with the feature flag turned on. Verify that the same number of findings are found, and that the scan took less time
- Communicate results with other DAST engineers, and if there is consensus, turn the feature flag on by default.
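An added example of the verification in the second step, not part of this issue or of the DAST project: a Python script that diffs the JSON reports from a flag-off and a flag-on run by finding content rather than by count, so a regression hidden behind an equal count is still caught, and compares the recorded scan durations. The report field names (scan.start_time, scan.end_time, vulnerabilities[].identifiers, vulnerabilities[].location) are assumptions, and the two sample reports are constructed.

```python
import json
from datetime import datetime

# Constructed sample reports shaped like gl-dast-report.json (fields assumed:
# scan.start_time / scan.end_time, vulnerabilities[].identifiers and .location).
REPORT_FLAG_OFF = json.loads("""{
 "scan": {"start_time": "2022-03-01T10:00:00", "end_time": "2022-03-01T10:12:30"},
 "vulnerabilities": [
  {"identifiers": [{"type": "dast_rule", "value": "1"}],
   "location": {"hostname": "http://secrets.test", "path": "/aws-key"}},
  {"identifiers": [{"type": "dast_rule", "value": "2"}],
   "location": {"hostname": "http://secrets.test", "path": "/large-body"}}
 ]}""")
REPORT_FLAG_ON = json.loads("""{
 "scan": {"start_time": "2022-03-01T11:00:00", "end_time": "2022-03-01T11:05:00"},
 "vulnerabilities": [
  {"identifiers": [{"type": "dast_rule", "value": "2"}],
   "location": {"hostname": "http://secrets.test", "path": "/large-body"}},
  {"identifiers": [{"type": "dast_rule", "value": "1"}],
   "location": {"hostname": "http://secrets.test", "path": "/aws-key"}}
 ]}""")

def finding_keys(report):
    """Reduce each finding to a stable key so two runs can be diffed by
    content rather than by count: (identifier type, id, host, path)."""
    keys = set()
    for vuln in report["vulnerabilities"]:
        ident = vuln["identifiers"][0]
        loc = vuln["location"]
        keys.add((ident["type"], ident["value"], loc["hostname"], loc["path"]))
    return keys

def scan_seconds(report):
    """Wall-clock duration recorded in the report's scan block."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    start = datetime.strptime(report["scan"]["start_time"], fmt)
    end = datetime.strptime(report["scan"]["end_time"], fmt)
    return (end - start).total_seconds()

def compare_runs(flag_off, flag_on):
    """Check that the flag loses no findings, adds none, and the scan is faster."""
    off_keys, on_keys = finding_keys(flag_off), finding_keys(flag_on)
    off_s, on_s = scan_seconds(flag_off), scan_seconds(flag_on)
    return {
        "missing_with_flag": sorted(off_keys - on_keys),  # regressions
        "new_with_flag": sorted(on_keys - off_keys),      # behaviour changes
        "seconds_off": off_s,
        "seconds_on": on_s,
        "faster": on_s < off_s,
    }
```

Point the two constants at the real `gl-dast-report.json` files from each run to use it on actual scans.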
Edited by Philip Cunningham