Set DAST_API_HOST_OVERRIDE for on-demand API scans

2bb794f7 · Philip Cunningham · Stan Hu · 91ce444c · 2bb794f7 · 2bb794f7
Commit 2bb794f7 authored Apr 26, 2021 by Philip Cunningham Committed by Stan Hu Apr 26, 2021
4 changed files
--- a/ee/app/services/ci/dast_scan_ci_configuration_service.rb
+++ b/ee/app/services/ci/dast_scan_ci_configuration_service.rb
@@ -7,6 +7,7 @@ module Ci
      target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT',
      target_url: 'DAST_WEBSITE',
      api_specification_url: 'DAST_API_SPECIFICATION',
+      api_host_override: 'DAST_API_HOST_OVERRIDE',
      use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
      show_debug_messages: 'DAST_DEBUG',
      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',

--- a/ee/app/services/dast_on_demand_scans/params_create_service.rb
+++ b/ee/app/services/dast_on_demand_scans/params_create_service.rb
@@ -45,7 +45,7 @@ module DastOnDemandScans

    def dast_site
      strong_memoize(:dast_site) do
-        dast_site_profile&.dast_site
+        dast_site_profile.dast_site
      end
    end

@@ -66,12 +66,12 @@ module DastOnDemandScans
    end

    def target_config
-      url = dast_site&.url
+      url = dast_site.url

      if dast_site_profile.target_type == 'website'
        { target_url: url }
      else
-        { api_specification_url: url }
+        { api_specification_url: url, api_host_override: URI(url).host }
      end
    end


--- a/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
+++ b/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          target_timeout: 100,
          target_url: 'https://gitlab.local',
          api_specification_url: 'https://gitlab.local/api.json',
+          api_host_override: 'gitlab.local',
          use_ajax_spider: true,
          show_debug_messages: true,
          full_scan_enabled: true,
@@ -36,6 +37,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          DAST_TARGET_AVAILABILITY_TIMEOUT: 100
          DAST_WEBSITE: https://gitlab.local
          DAST_API_SPECIFICATION: https://gitlab.local/api.json
+          DAST_API_HOST_OVERRIDE: gitlab.local
          DAST_USE_AJAX_SPIDER: 'true'
          DAST_DEBUG: 'true'
          DAST_FULL_SCAN_ENABLED: 'true'

--- a/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
@@ -7,6 +7,9 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
  let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
  let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }

+  let(:excluded_urls) { dast_site_profile.excluded_urls.join(',') }
+  let(:target_url) { dast_site_profile.dast_site.url }
+
  let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } }

  subject { described_class.new(container: project, params: params).execute }
@@ -45,8 +48,8 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
            auth_url: dast_site_profile.auth_url,
            branch: project.default_branch,
            dast_profile: nil,
-            excluded_urls: dast_site_profile.excluded_urls.join(','),
-            target_url: dast_site_profile.dast_site.url
+            excluded_urls: excluded_urls,
+            target_url: target_url
          )
        end
      end
@@ -62,12 +65,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
            auth_url: dast_site_profile.auth_url,
            branch: project.default_branch,
            dast_profile: nil,
-            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            excluded_urls: excluded_urls,
            full_scan_enabled: false,
            show_debug_messages: false,
            spider_timeout: nil,
            target_timeout: nil,
-            target_url: dast_site_profile.dast_site.url,
+            target_url: target_url,
            use_ajax_spider: false
          )
        end
@@ -99,12 +102,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
          expect(subject.payload).to eq(
            branch: project.default_branch,
            dast_profile: nil,
-            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            excluded_urls: excluded_urls,
            full_scan_enabled: false,
            show_debug_messages: false,
            spider_timeout: nil,
            target_timeout: nil,
-            target_url: dast_site_profile.dast_site.url,
+            target_url: target_url,
            use_ajax_spider: false
          )
        end
@@ -113,9 +116,13 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
      context 'when target_type=api' do
        let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: :api) }

-        it 'returns params including the api_specification_url and omitting the target_url', :aggregate_failures do
-          expect(subject.payload[:api_specification_url]).to eq(dast_site_profile.dast_site.url)
-          expect(subject.payload[:target_url]).to be_nil
+        it 'returns params including the api_specification_url and omitting the target_url' do
+          expected_payload = hash_including(
+            api_specification_url: target_url,
+            api_host_override: URI(target_url).host
+          )
+
+          expect(subject.payload).to match(expected_payload).and exclude(:target_url)
        end
      end
    end
@@ -133,12 +140,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
          branch: dast_profile.branch_name,
          auth_url: dast_site_profile.auth_url,
          dast_profile: dast_profile,
-          excluded_urls: dast_site_profile.excluded_urls.join(','),
+          excluded_urls: excluded_urls,
          full_scan_enabled: false,
          show_debug_messages: false,
          spider_timeout: nil,
          target_timeout: nil,
-          target_url: dast_site_profile.dast_site.url,
+          target_url: target_url,
          use_ajax_spider: false
        )
      end