Mask http header values

Review changes
Download
Patches
Plain diff

Cameron Swords requested to merge mask-http-header-values into master Jun 01, 2020

Overview 14
Commits 7
Pipelines 3
Changes 14

What does this MR do?

Masks HTTP Headers in the DAST report so that sensitive information isn't displayed. Masking will replace the real header value with a series of *.

When the DAST_MASK_HTTP_HEADERS environment variable is not supplied, the headers Authorization, Proxy-Authorization, Set-Cookie and Cookie will have their values masked.

Cookie and Set-Cookie are treated like special cases as only the values in the value will be masked, e.g. 'Set-Cookie', 'sessionId=********; Domain=site.com; Secure; HttpOnly'.

This MR has no changelog, as the feature has not been turned on.

What are the relevant issue numbers?

gitlab-org/gitlab#215679 (closed)

Does this MR meet the acceptance criteria?

Changelog entry added
Documentation created/updated for GitLab EE, if necessary
Documentation created/updated for this project, if necessary
Documentation reviewed by technical writer or follow-up review issue created
Tests added for this feature/bug
Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
Conforms to the code review guidelines
Conforms to the Go guidelines
Security reports checked/validated by reviewer

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking