Ignore Password in URL vulnerabilities if credentials are Env vars
What does this MR do?
This MR introduces a change that reduces false positives for the Password in URL vulnerability. The change first checks whether a Password in URL vulnerability is present. If it is, it then checks whether the password being used is prefixed by the `$` character, a common way of loading environment variables in scripts; such a password is a variable reference rather than a literal credential.
Note: this does not handle cases where environment variables are loaded from a language with different syntax. Example using Go:
u := fmt.Sprintf("https://%s:%s@www.example.com", os.Getenv("MY_USERNAME"), os.Getenv("MY_PASSWORD"))
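The following is an added, stand-alone Go sketch of the heuristic described above; it is not the analyzer's own code. The `passwordInURL` regular expression, the `Finding` type, the function names and the sample lines are all constructed for this illustration. It shows a literal password being kept, `$VAR` and `${VAR}` passwords being suppressed, and the Go `fmt.Sprintf` case from the note still being reported because its `%s` placeholder is not `$`-prefixed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// passwordInURL matches scheme://user:password@ and captures user and
// password. It is a simplified pattern written for this example, not the
// analyzer's own detection rule.
var passwordInURL = regexp.MustCompile(`(?i)\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@`)

// Finding is one candidate Password in URL match.
type Finding struct {
	Line     int
	Password string
	// Suppressed is true when the password is an environment-variable
	// reference (prefixed with $) rather than a literal credential.
	Suppressed bool
}

// isEnvVarReference implements the MR's heuristic: a password that starts
// with `$` (e.g. $DB_PASSWORD or ${DB_PASSWORD}) is resolved from the
// environment at runtime, so the URL does not embed a real secret.
func isEnvVarReference(password string) bool {
	return strings.HasPrefix(password, "$")
}

// ScanLines runs the pattern over each input line and applies the
// environment-variable check to every match.
func ScanLines(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, m := range passwordInURL.FindAllStringSubmatch(line, -1) {
			pw := m[2]
			out = append(out, Finding{Line: i + 1, Password: pw, Suppressed: isEnvVarReference(pw)})
		}
	}
	return out
}

// Reported returns only the findings that would still be raised after the
// false-positive filter.
func Reported(findings []Finding) []Finding {
	var kept []Finding
	for _, f := range findings {
		if !f.Suppressed {
			kept = append(kept, f)
		}
	}
	return kept
}

// sampleLines are constructed inputs for this example; none are real secrets.
var sampleLines = []string{
	`DATABASE_URL=postgres://app:hunter2@db.internal:5432/app`,          // literal password: reported
	`DATABASE_URL=postgres://app:$DB_PASSWORD@db.internal:5432/app`,     // $VAR: suppressed
	`export URL="https://deploy:${DEPLOY_TOKEN}@git.example.com/repo"`,  // ${VAR}: suppressed
	`u := fmt.Sprintf("https://%s:%s@www.example.com", os.Getenv("MY_USERNAME"), os.Getenv("MY_PASSWORD"))`, // Go placeholder: not handled, still reported
}

func main() {
	for _, f := range ScanLines(sampleLines) {
		status := "REPORT"
		if f.Suppressed {
			status = "suppress (env var)"
		}
		fmt.Printf("line %d: password %q -> %s\n", f.Line, f.Password, status)
	}
}
```

Running it reports lines 1 and 4 and suppresses lines 2 and 3; the fourth line is exactly the limitation the note above describes, since the `$`-prefix rule cannot see that `%s` will be filled from `os.Getenv` at runtime.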
What are the relevant issue numbers?
gitlab-org/gitlab#33285 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Daniel Paul Searles