
Redact password from Selenium logs in DEBUG mode

What does this MR do?

This merge request ensures DAST_PASSWORD is not present in the Selenium logs.

Notes

We do not treat usernames as secrets for on-demand scans, which is why I've restricted the scope to passwords. I'm more than happy to address this in a follow-up merge request if we think this is important.

Related Issue(s)

Before

2021-04-14 03:53:17,371 POST http://127.0.0.1:34389/session/cc32de31-60f0-4697-8f56-0728ac08f87e/element/0087f345-8233-4a96-9ae4-9c37ddf71579/value {"text": "citrusblend", "value": ["c", "i", "t", "r", "u", "s", "b", "l", "e", "n", "d"], "id": "0087f345-8233-4a96-9ae4-9c37ddf71579"}
2021-04-14 03:53:17,409 http://127.0.0.1:34389 "POST /session/cc32de31-60f0-4697-8f56-0728ac08f87e/element/0087f345-8233-4a96-9ae4-9c37ddf71579/value HTTP/1.1" 200 14

After

2021-04-14 03:50:13,584 Disabling logging to fill in password
2021-04-14 03:50:13,694 Re-enabling logging

Why?

We established that DAST may leak sensitive information in Selenium logs. It was decided in the DAST weekly on 2021-04-05 that this was not a major concern, because we already strongly advise customers never to run authenticated scans against production servers, but I also think it's important to address this in order to help protect users against slips and mistakes.

Below is what our docs currently say:

NEVER run an authenticated scan against a production server. When an authenticated scan is run, it may perform any function that the authenticated user can. This includes actions like modifying and deleting data, submitting forms, and following links. Only run an authenticated scan against a test server.

https://docs.gitlab.com/ee/user/application_security/dast/#authentication

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Philip Cunningham
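The "Before"/"After" logs above show the technique: Selenium's remote connection logs the full JSON body of every `element/<id>/value` command at DEBUG level, so the fix silences that logger only for the moment the password is typed and records the gap instead. The following is an added illustration of that pattern, not the merge request's own code: `logging_suppressed`, `FakeElement`, `ListHandler` and `fill_login_form` are hypothetical names, the element and session IDs are made up, and `FakeElement` is a constructed stand-in that emits the same kind of record the real Selenium logger (`selenium.webdriver.remote.remote_connection`) would, so the example runs offline without a browser.

```python
import json
import logging
from contextlib import contextmanager

# Selenium's remote driver logs every WebDriver command, including the JSON
# body of element/<id>/value requests, under this logger name at DEBUG level.
SELENIUM_LOGGER = "selenium.webdriver.remote.remote_connection"

LOG = logging.getLogger(__name__)


@contextmanager
def logging_suppressed(logger_name, reason):
    """Silence one logger for the duration of the block and announce the gap.

    Hypothetical helper that mirrors the 'Disabling logging to fill in
    password' / 'Re-enabling logging' lines shown in the MR description.
    """
    logger = logging.getLogger(logger_name)
    previous = logger.disabled
    LOG.info("Disabling logging to %s", reason)
    logger.disabled = True
    try:
        yield
    finally:
        logger.disabled = previous
        LOG.info("Re-enabling logging")


class FakeElement:
    """Constructed stand-in for a Selenium WebElement whose send_keys logs the
    request body exactly as the remote_connection logger does (no browser)."""

    def __init__(self, element_id):
        self.element_id = element_id
        self._log = logging.getLogger(SELENIUM_LOGGER)

    def send_keys(self, text):
        url = "http://127.0.0.1:34389/session/fake-session/element/%s/value" % self.element_id
        body = {"text": text, "value": list(text), "id": self.element_id}
        self._log.debug("POST %s %s", url, json.dumps(body))


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the test can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def fill_login_form(username, password, redact=True):
    """Type the credentials and return every log line produced while doing so.

    With redact=False the password lands in the log verbatim (the 'Before'
    case); with redact=True only the Disabling/Re-enabling markers appear.
    """
    root = logging.getLogger()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(name)s %(message)s"))
    prior_level = root.level
    root.setLevel(logging.DEBUG)  # DEBUG is the level at which the leak shows up
    root.addHandler(handler)
    try:
        # Usernames are not treated as secrets here, so this call is logged.
        FakeElement("user-field").send_keys(username)
        if redact:
            with logging_suppressed(SELENIUM_LOGGER, "fill in password"):
                FakeElement("pass-field").send_keys(password)
        else:
            FakeElement("pass-field").send_keys(password)
    finally:
        root.removeHandler(handler)
        root.setLevel(prior_level)
    return handler.lines


def password_leaked(lines, password):
    """True if the literal password appears in any captured log line."""
    return any(password in line for line in lines)
```

Disabling the logger is deliberately blunt: it hides the whole command, not just the secret, which is why the two marker lines are emitted so a reader of the log can see that something was typed there. Note that `logger.disabled` only silences that one logger; if another library (for example an HTTP client with body logging turned on) also sees the request, a `logging.Filter` that masks the exact secret string on the handler is the more general safeguard.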
