Remove logging that shared session tokens in debug mode
What does this MR do?
urllib3 was logging every ZAP API request at debug level, which meant session tokens were being written to the logs.
This MR raises the urllib3 logging level to WARNING, so only messages at WARNING or above are output.
This MR also masks session tokens in the debug output produced when iterating the cookies during authentication.
No tests are included in this MR but an e2e test will come in a follow-up.
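The two changes described above, as an added example that is not code from this MR or from the DAST project: the urllib3 logger is pinned to WARNING while the application itself stays at DEBUG, and cookie values are masked before they reach a debug line. The Set-Cookie header is constructed; the cookie name _railsgoat_session comes from the test named below, its value is made up, and the logger name dast.auth is an assumption.

```python
import logging
from http.cookies import SimpleCookie

# Constructed Set-Cookie header standing in for what the target app returns
# during authentication. The cookie name is the one the MR's test searches for;
# the value is invented for this example.
SAMPLE_SET_COOKIE = "_railsgoat_session=ZXhhbXBsZXNlc3Npb252YWx1ZTEyMzQ1; Path=/; HttpOnly"


def configure_http_logging(app_level: int = logging.DEBUG) -> int:
    """Run the application at app_level but keep urllib3 at WARNING.

    urllib3 logs each request line at DEBUG. With only the root logger set to
    DEBUG those lines, including any Cookie header, would reach the log file,
    so the library logger gets its own, higher threshold.
    """
    logging.getLogger().setLevel(app_level)
    urllib3_logger = logging.getLogger("urllib3")
    urllib3_logger.setLevel(logging.WARNING)
    return urllib3_logger.getEffectiveLevel()


def mask_secret(value: str, keep: int = 4) -> str:
    """Keep a short prefix so log entries can still be correlated, hide the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def describe_cookies(set_cookie_header: str) -> list[str]:
    """Render cookies for a debug line with every value masked.

    All values are masked rather than only known session cookie names, since
    any cookie issued during authentication may carry a session token.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return [f"{name}={mask_secret(morsel.value)}" for name, morsel in jar.items()]


def log_leaks_cookie_value(log_text: str, set_cookie_header: str) -> bool:
    """Automated form of the manual check below: does any raw cookie value appear in the log?"""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return any(morsel.value in log_text for morsel in jar.values())


if __name__ == "__main__":
    configure_http_logging()
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("dast.auth")  # assumed logger name
    for line in describe_cookies(SAMPLE_SET_COOKIE):
        log.debug("cookie after login: %s", line)
```

The masked prefix is kept deliberately: it lets two log lines be recognised as the same session without exposing a value that could be replayed. log_leaks_cookie_value is the same check the manual test performs with a search, applied to captured log text.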
How to test if this MR is working
Update test_railsgoat_authenticated_scan with --env DEBUG=1 to run in debug mode, then run invoke dast.build && bash_unit test/end-to-end/test-authenticated-scan.sh.
Once the test is complete, open test/end-to-end/output/test_railsgoat_authenticated_scan.log and search for _railsgoat_session. You should not see any session tokens in the log.
What are the relevant issue numbers?
gitlab-org/gitlab#385005 (closed)