
Add support for meta tag DAST site validation

What does this MR do?

This merge request adds support for meta tag validation as part of DAST site profile validation.

Related Issue(s)

Screenshots or Screencasts (strongly suggested)


Log

Running with gitlab-runner 14.0.0 (3b6f852e)
  on GDK local runner y_752jUc
Resolving secrets 00:00
Preparing the "docker" executor
Using Docker executor with image registry.gitlab.com/security-products/dast-runner-validation:1 ...
Pulling docker image registry.gitlab.com/security-products/dast-runner-validation:1 ...
Using docker image sha256:aeabab12f78cb2faec54c5791f4c9a7e8edc9ea647f4343c9143318862bb921a for registry.gitlab.com/security-products/dast-runner-validation:1 with digest registry.gitlab.com/security-products/dast-runner-validation@sha256:7f89b5c86ce52f2fb8ebb11499a80fdb8569cc21ccf34ef02caac92be06a2f34 ...
Preparing environment 00:00
Running on runner-y752juc-project-9-concurrent-0 via fitzroy.local...
Getting source from Git repository 00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:06
Using docker image sha256:aeabab12f78cb2faec54c5791f4c9a7e8edc9ea647f4343c9143318862bb921a for registry.gitlab.com/security-products/dast-runner-validation:1 with digest registry.gitlab.com/security-products/dast-runner-validation@sha256:7f89b5c86ce52f2fb8ebb11499a80fdb8569cc21ccf34ef02caac92be06a2f34 ...
$ ~/validate.sh
+ [[ -z [MASKED] ]]
+ [[ -z http://gitlab.localdev:3000 ]]
+ [[ -z 27 ]]
+ [[ -z Gitlab-On-Demand-DAST ]]
+ [[ -z meta_tag ]]
+ [[ -z 81c5a03e-2a52-4c17-886e-ee702adde735 ]]
+ [[ -z https://972b0543a3f8.ngrok.io:443/?strategy=meta_tag ]]
+ call_gitlab start
+ local url=http://gitlab.localdev:3000/api/v4/internal/dast/site_validations/27/transition
+ curl --fail --request POST --data '{"event":"start"}' --header 'JOB-TOKEN: [MASKED]' http://gitlab.localdev:3000/api/v4/internal/dast/site_validations/27/transition --header 'Content-Type: application/json'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    39  100    22  100    17      8      6  0:00:02  0:00:02 --:--:--    15
{"state":"inprogress"}+ retry validate
+ local n=1
+ local max=5
+ local delay=15
+ true
+ validate
+ case "$DAST_SITE_VALIDATION_STRATEGY" in
+ meta_tag_validation
+ local tmp_file
+ local response
++ mktemp
+ tmp_file=/tmp/tmp.KHknJa
++ validation_curl /tmp/tmp.KHknJa 'https://972b0543a3f8.ngrok.io:443/?strategy=meta_tag'
++ curl --location --insecure --dump-header /tmp/tmp.KHknJa 'https://972b0543a3f8.ngrok.io:443/?strategy=meta_tag'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   453  100   453    0     0    367      0  0:00:01  0:00:01 --:--:--   367
+ response='<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="gitlab-dast-validation" content="81c5a03e-2a52-4c17-886e-ee702adde735">
    <meta name="description" content="This really great website contains really great content.">
    <title>
      A really great website
    </title>
  </head>
  <body>
    <p>Really great content.</p>
  </body>
</html>'
+ head -n 1
HTTP/2 200 
+ + echo + xmllint --html grep --xpath -q 'string(/html/head/meta[@name="gitlab-dast-validation"]/@content)' 81c5a03e-2a52-4c17-886e-ee702adde735
-
'<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="gitlab-dast-validation" content="81c5a03e-2a52-4c17-886e-ee702adde735">
    <meta name="description" content="This really great website contains really great content.">
    <title>
      A really great website
    </title>
  </head>
  <body>
    <p>Really great content.</p>
  </body>
</html>'
+ break
+ call_gitlab pass
+ local url=http://gitlab.localdev:3000/api/v4/internal/dast/site_validations/27/transition
+ curl --fail --request POST --data '{"event":"pass"}' --header 'JOB-TOKEN: [MASKED]' http://gitlab.localdev:3000/api/v4/internal/dast/site_validations/27/transition --header 'Content-Type: application/json'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    34  100    18  100    16     13     11  0:00:01  0:00:01 --:--:--    24
{"state":"passed"}+ echo 'Validation success'
Validation success
Job succeeded

How to set up and validate locally (strongly suggested)

Step 1

Step 2

mutation {
  dastSiteTokenCreate(input: {fullPath: "root/on-demand-dast", targetUrl: "https://972b0543a3f8.ngrok.io"}) {
    id
    token
  }
}
{
  "data": {
    "dastSiteTokenCreate": {
      "id": "gid://gitlab/DastSiteToken/27",
      "token": "81c5a03e-2a52-4c17-886e-ee702adde735"
    }
  }
}

Step 3

mutation {
  dastSiteValidationCreate(input: {fullPath: "root/on-demand-dast", dastSiteTokenId: "gid://gitlab/DastSiteToken/27", strategy: META_TAG, validationPath: "?strategy=meta_tag"}) {
    id
    status
  }
}
{
  "data": {
    "dastSiteValidationCreate": {
      "id": "gid://gitlab/DastSiteValidation/27",
      "status": "PENDING_VALIDATION"
    }
  }
}
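The check the job log above performs (fetch the validation path, confirm the status line, read `/html/head/meta[@name="gitlab-dast-validation"]/@content`, compare it with the token returned by `dastSiteTokenCreate`), re-implemented here as an added example in Python; this is not the `validate.sh` from the `dast-runner-validation` image. The HTML sample is constructed to mirror the logged response, the 2xx rule is an assumption, and unlike the `grep -q` substring match in the log this version requires the meta content to equal the token exactly.

```python
import hmac
from html.parser import HTMLParser

META_NAME = "gitlab-dast-validation"
# Constructed sample mirroring the response in the job log above; token as in the log.
TOKEN = "81c5a03e-2a52-4c17-886e-ee702adde735"
SAMPLE_HTML = f"""<!doctype html>
<html lang="en"><head>
  <meta charset="utf-8">
  <meta name="gitlab-dast-validation" content="{TOKEN}">
  <title>A really great website</title>
</head><body><p>Really great content.</p></body></html>"""

class _MetaCollector(HTMLParser):
    """Collects the content of every <meta name="gitlab-dast-validation"> inside <head>."""
    def __init__(self):
        super().__init__()
        self.values, self._in_head = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "meta" and self._in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == META_NAME:
                self.values.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def extract_validation_tokens(html):
    """Equivalent of the xmllint --xpath step: meta content values found under /html/head only."""
    parser = _MetaCollector()
    parser.feed(html)
    return parser.values

def response_is_ok(status_line):
    """Checks the first dumped header line ("HTTP/2 200"); assumption: any 2xx is accepted."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[1].isdigit() and 200 <= int(parts[1]) < 300

def meta_tag_validation(status_line, html, expected_token):
    """Passes only when the status is 2xx and a head meta tag equals the token exactly."""
    if not response_is_ok(status_line):
        return False
    return any(hmac.compare_digest(v.encode(), expected_token.encode())
               for v in extract_validation_tokens(html))
```

A meta tag placed in `<body>`, a non-2xx status line, or a token that is only a prefix of the content all fail, which is what a site-ownership proof should require.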

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Philip Cunningham
