Redact password from Selenium logs in DEBUG mode
What does this MR do?
This merge request ensures DAST_PASSWORD is not present in the Selenium logs.
Notes
We do not treat usernames as secrets for on-demand scans, which is why I've restricted the scope to passwords. I'm more than happy to address this in a follow-up merge request if we think this is important.
Related Issue(s)
Before
2021-04-14 03:53:17,371 POST http://127.0.0.1:34389/session/cc32de31-60f0-4697-8f56-0728ac08f87e/element/0087f345-8233-4a96-9ae4-9c37ddf71579/value {"text": "citrusblend", "value": ["c", "i", "t", "r", "u", "s", "b", "l", "e", "n", "d"], "id": "0087f345-8233-4a96-9ae4-9c37ddf71579"}
2021-04-14 03:53:17,409 http://127.0.0.1:34389 "POST /session/cc32de31-60f0-4697-8f56-0728ac08f87e/element/0087f345-8233-4a96-9ae4-9c37ddf71579/value HTTP/1.1" 200 14
After
2021-04-14 03:50:13,584 Disabling logging to fill in password
2021-04-14 03:50:13,694 Re-enabling logging
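An added illustration of the approach the "After" log shows (this is not the MR's code; the logger names, the fake send_keys and the run_login helper are hypothetical stand-ins for Selenium's remote-connection logger and the DAST wrapper). The password is typed while the Selenium logger is disabled; a string-redaction filter is kept alongside to show why it is not sufficient on its own, because the per-character "value" array in the request body survives it:

```python
import contextlib
import io
import json
import logging
# Hypothetical logger names; the real DAST code and Selenium's logger names are not on this page.
SELENIUM_LOGGER = logging.getLogger("selenium.remote_connection")
APP_LOGGER = logging.getLogger("dast")

def redacting_filter(secrets):
    """Handler filter that replaces known secrets in any record (defence in depth only)."""
    def _filter(record):
        msg = record.getMessage()
        for secret in secrets:
            msg = msg.replace(secret, "[REDACTED]")
        record.msg, record.args = msg, ()
        return True
    return _filter

@contextlib.contextmanager
def logging_disabled(logger, reason):
    """Silences `logger` for the block, announcing it as in the MR's 'After' log."""
    APP_LOGGER.info("Disabling logging to %s", reason)
    previous, logger.disabled = logger.disabled, True
    try:
        yield
    finally:
        logger.disabled = previous
        APP_LOGGER.info("Re-enabling logging")

def fake_send_keys(element_id, text):  # stand-in for Selenium's DEBUG log of element/<id>/value
    body = {"text": text, "value": list(text), "id": element_id}  # note the per-character array
    SELENIUM_LOGGER.debug("POST /session/.../element/%s/value %s", element_id, json.dumps(body))

def run_login(username, password, disable_logging=True):  # returns everything logged at DEBUG
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(redacting_filter([password]))
    root = logging.getLogger()
    root.setLevel(logging.DEBUG)
    root.addHandler(handler)
    try:
        fake_send_keys("elem-user", username)  # usernames are not treated as secrets
        if disable_logging:
            with logging_disabled(SELENIUM_LOGGER, "fill in password"):
                fake_send_keys("elem-pass", password)
        else:
            fake_send_keys("elem-pass", password)  # string filter alone: the char array leaks
    finally:
        root.removeHandler(handler)
    return stream.getvalue()
```

Calling run_login("dast-user", "s3cret") with constructed values logs only the username request plus the two "Disabling"/"Re-enabling" lines; with disable_logging=False the "text" field is redacted but `["s", "3", "c", ...]` still appears.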
Why?
We established DAST may leak sensitive information in Selenium logs. It was decided in DAST weekly on 2021-04-05 that this was not a major concern because we already strongly advise customers never to run authenticated scans against production servers, but I also think it's important to address this in order to help protect users against slips and mistakes.
Below is what our docs currently say:
NEVER run an authenticated scan against a production server. When an authenticated scan is run, it may perform any function that the authenticated user can. This includes actions like modifying and deleting data, submitting forms, and following links. Only run an authenticated scan against a test server.
https://docs.gitlab.com/ee/user/application_security/dast/#authentication
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer