
Remove logging that shared session tokens in debug mode

Craig Smith requested to merge remove-zap-api-logging into main

What does this MR do?

urllib3 was sharing all the ZAP API requests at debug level which meant session tokens were being shared in the logs.

This MR increases the logging level of urllib3 to WARNING meaning only log messages greater than that will be output.

This MR also MASKS session tokens being shared at debug when iterating the cookies during authentication.

No tests are included in this MR but an e2e test will come in a follow-up.

How to test if this MR is working

Update test_railsgoat_authenticated_scan with --env DEBUG=1 to run in debug mode and run invoke dast.build && bash_unit test/end-to-end/test-authenticated-scan.sh.

Once the test is complete open test/end-to-end/output/test_railsgoat_authenticated_scan.log and search for _railsgoat_session. You should not see any session tokens in the log.

What are the relevant issue numbers?

gitlab-org/gitlab#385005 (closed)

GitLab Docs MR

Edited by Craig Smith
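As an added illustration of the two changes this MR describes (it is example code written for this page, not code from the MR or from the DAST project), the block below raises the urllib3 logger to WARNING so its per-request debug dumps, Cookie headers included, are never emitted, and masks the values of session cookies before they are written to a debug line while iterating a cookie jar. The logger name dast.auth, the helper names, the set of cookie names treated as sensitive and the sample cookie jar are all assumptions; only _railsgoat_session comes from the MR's test instructions.

```python
"""Added example (not the project's own code): keep urllib3 quiet in debug mode
and mask session cookie values before they reach a debug log line."""
import logging

# Assumed module-level logger name; illustrative only.
LOGGER = logging.getLogger("dast.auth")

# Assumed set of cookie names that carry session material. "_railsgoat_session"
# comes from the MR's test instructions; the others are constructed.
SENSITIVE_COOKIE_NAMES = {"_railsgoat_session", "session", "sessionid"}


def configure_logging(debug: bool) -> None:
    """Enable DEBUG for our own code (when requested) but pin urllib3 to WARNING,
    so its connection/request debug records, which carry headers, stay out of the log."""
    logging.basicConfig(level=logging.DEBUG if debug else logging.INFO)
    logging.getLogger("urllib3").setLevel(logging.WARNING)


def mask_value(value: str, keep: int = 4) -> str:
    """Keep a short prefix for correlating log lines; replace the rest with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def masked_cookie_line(name: str, value: str) -> str:
    """Render one cookie for a debug line, masking the value if it looks session-bearing."""
    if name in SENSITIVE_COOKIE_NAMES or "session" in name.lower():
        return f"{name}={mask_value(value)}"
    return f"{name}={value}"


def log_cookies(cookies: dict) -> list[str]:
    """Emit one DEBUG record per cookie and return the rendered lines for inspection."""
    lines = [masked_cookie_line(name, value) for name, value in cookies.items()]
    for line in lines:
        LOGGER.debug("cookie: %s", line)
    return lines


if __name__ == "__main__":
    configure_logging(debug=True)
    # Constructed sample cookie jar: one session cookie, one harmless preference cookie.
    sample = {"_railsgoat_session": "abcd1234ef567890", "theme": "dark"}
    for rendered in log_cookies(sample):
        print(rendered)
    # urllib3 must not emit DEBUG records even though the root logger is at DEBUG.
    assert not logging.getLogger("urllib3.connectionpool").isEnabledFor(logging.DEBUG)
```

The check at the end mirrors the MR's manual test: after running in debug mode, the raw _railsgoat_session value should not appear anywhere in the captured log, and the urllib3 child loggers (such as urllib3.connectionpool) inherit the WARNING threshold set on the parent.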
