Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
4e4e3994
Commit
4e4e3994
authored
May 14, 2020
by
David Pisek
Committed by
Kushal Pandya
May 14, 2020
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add tests for the request header fields
* Updates tests to check for the new fields
parent
955e605f
Changes
13
Hide whitespace changes
Inline
Side-by-side
Showing
13 changed files
with
244 additions
and
23 deletions
+244
-23
app/assets/javascripts/vue_shared/components/code_block.vue
app/assets/javascripts/vue_shared/components/code_block.vue
+18
-3
doc/user/application_security/dast/img/dast_single_v12_9.png
doc/user/application_security/dast/img/dast_single_v12_9.png
+0
-0
doc/user/application_security/dast/img/dast_single_v13_0.png
doc/user/application_security/dast/img/dast_single_v13_0.png
+0
-0
doc/user/application_security/dast/index.md
doc/user/application_security/dast/index.md
+1
-1
ee/app/assets/javascripts/vue_shared/security_reports/components/vulnerability_detail.vue
...ared/security_reports/components/vulnerability_detail.vue
+2
-2
ee/app/assets/javascripts/vue_shared/security_reports/components/vulnerability_details.vue
...red/security_reports/components/vulnerability_details.vue
+31
-5
ee/changelogs/unreleased/215110-dast-vulnerabilities-show-more-information-about-the-request-fr.yml
...rabilities-show-more-information-about-the-request-fr.yml
+5
-0
ee/spec/frontend/vue_shared/security_reports/components/__snapshots__/vulnerability_detail_spec.js.snap
...omponents/__snapshots__/vulnerability_detail_spec.js.snap
+2
-2
ee/spec/frontend/vue_shared/security_reports/components/__snapshots__/vulnerability_details_spec.js.snap
...mponents/__snapshots__/vulnerability_details_spec.js.snap
+43
-2
ee/spec/frontend/vue_shared/security_reports/components/vulnerability_details_spec.js
...security_reports/components/vulnerability_details_spec.js
+96
-0
locale/gitlab.pot
locale/gitlab.pot
+9
-0
spec/frontend/vue_shared/components/__snapshots__/code_block_spec.js.snap
...e_shared/components/__snapshots__/code_block_spec.js.snap
+13
-3
spec/frontend/vue_shared/components/code_block_spec.js
spec/frontend/vue_shared/components/code_block_spec.js
+24
-5
No files found.
app/assets/javascripts/vue_shared/components/code_block.vue
View file @
4e4e3994
...
...
@@ -6,11 +6,26 @@ export default {
type
:
String
,
required
:
true
,
},
maxHeight
:
{
type
:
String
,
required
:
false
,
default
:
'
initial
'
,
},
},
computed
:
{
styleObject
()
{
const
{
maxHeight
}
=
this
;
const
isScrollable
=
maxHeight
!==
'
initial
'
;
const
scrollableStyles
=
{
maxHeight
,
overflowY
:
'
auto
'
,
};
return
isScrollable
?
scrollableStyles
:
null
;
},
},
};
</
script
>
<
template
>
<pre
class=
"code-block rounded"
>
<code
class=
"d-block"
>
{{
code
}}
</code>
</pre>
<pre
class=
"code-block rounded"
:style=
"styleObject"
><code
class=
"d-block"
>
{{
code
}}
</code></pre>
</
template
>
doc/user/application_security/dast/img/dast_single_v12_9.png
deleted
100644 → 0
View file @
955e605f
94.2 KB
doc/user/application_security/dast/img/dast_single_v13_0.png
0 → 100644
View file @
4e4e3994
206 KB
doc/user/application_security/dast/index.md
View file @
4e4e3994
...
...
@@ -38,7 +38,7 @@ Running the pipeline on any other commit has no effect on the merge request.
By clicking on one of the detected linked vulnerabilities, you can
see the details and the URL(s) affected.
![
DAST Widget Clicked
](
img/dast_single_v1
2_9
.png
)
![
DAST Widget Clicked
](
img/dast_single_v1
3_0
.png
)
[
Dynamic Application Security Testing (DAST)
](
https://en.wikipedia.org/wiki/Dynamic_Application_Security_Testing
)
uses the popular open source tool
[
OWASP ZAProxy
](
https://github.com/zaproxy/zaproxy
)
...
...
ee/app/assets/javascripts/vue_shared/security_reports/components/vulnerability_detail.vue
View file @
4e4e3994
...
...
@@ -12,8 +12,8 @@ export default {
<
template
functional
>
<div
class=
"d-sm-flex my-sm-2 my-4"
>
<label
class=
"col-sm-
3
text-sm-right font-weight-bold pl-0"
>
{{
props
.
label
}}
:
</label>
<div
class=
"col-sm-
9
pl-0 text-secondary"
>
<label
class=
"col-sm-
4
text-sm-right font-weight-bold pl-0"
>
{{
props
.
label
}}
:
</label>
<div
class=
"col-sm-
8
pl-0 text-secondary"
>
<slot></slot>
</div>
</div>
...
...
ee/app/assets/javascripts/vue_shared/security_reports/components/vulnerability_details.vue
View file @
4e4e3994
<
script
>
import
{
GlFriendlyWrap
}
from
'
@gitlab/ui
'
;
import
CodeBlock
from
'
~/vue_shared/components/code_block.vue
'
;
import
SafeLink
from
'
ee/vue_shared/components/safe_link.vue
'
;
import
Icon
from
'
~/vue_shared/components/icon.vue
'
;
import
ExpandButton
from
'
~/vue_shared/components/expand_button.vue
'
;
...
...
@@ -12,6 +13,7 @@ import { REPORT_TYPES } from 'ee/security_dashboard/store/constants';
export
default
{
name
:
'
VulnerabilityDetails
'
,
components
:
{
CodeBlock
,
ExpandButton
,
GlFriendlyWrap
,
Icon
,
...
...
@@ -27,7 +29,7 @@ export default {
},
computed
:
{
url
()
{
return
getFileLocation
(
this
.
vulnerability
.
location
);
return
this
.
vulnerability
.
request
?.
url
||
getFileLocation
(
this
.
vulnerability
.
location
);
},
file
()
{
const
file
=
this
.
vulnerability
?.
location
?.
file
;
...
...
@@ -69,6 +71,15 @@ export default {
instances
()
{
return
this
.
asNonEmptyListOrNull
(
this
.
vulnerability
.
instances
);
},
requestHeaders
()
{
return
this
.
headersToFormattedString
(
this
.
vulnerability
.
request
?.
headers
);
},
responseHeaders
()
{
return
this
.
headersToFormattedString
(
this
.
vulnerability
.
response
?.
headers
);
},
responseStatusCode
()
{
return
this
.
vulnerability
.
response
?.
status_code
;
},
scannerType
()
{
return
REPORT_TYPES
[
this
.
vulnerability
.
report_type
];
},
...
...
@@ -99,6 +110,9 @@ export default {
asNonEmptyListOrNull
(
list
)
{
return
list
?.
length
>
0
?
list
:
null
;
},
headersToFormattedString
(
headers
=
[])
{
return
headers
.
map
(({
name
,
value
})
=>
`
${
name
}
:
${
value
}
`
).
join
(
'
\n
'
);
},
},
};
</
script
>
...
...
@@ -118,12 +132,28 @@ export default {
</safe-link>
</vulnerability-detail>
<vulnerability-detail
v-if=
"methodName"
:label=
"s__('Vulnerability|Method')"
>
<gl-friendly-wrap
:text=
"methodName"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"url"
:label=
"__('URL')"
>
<safe-link
ref=
"urlLink"
:href=
"url"
target=
"_blank"
>
<gl-friendly-wrap
:text=
"url"
/>
</safe-link>
</vulnerability-detail>
<vulnerability-detail
v-if=
"requestHeaders"
:label=
"__('Request Headers')"
>
<code-block
ref=
"requestHeaders"
:code=
"requestHeaders"
max-height=
"225px"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"responseStatusCode"
:label=
"__('Response Status')"
>
<gl-friendly-wrap
ref=
"responseStatusCode"
:text=
"responseStatusCode"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"responseHeaders"
:label=
"__('Response Headers')"
>
<code-block
ref=
"responseHeaders"
:code=
"responseHeaders"
max-height=
"225px"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"file"
:label=
"s__('Vulnerability|File')"
>
<safe-link
v-if=
"vulnerability.blob_path"
...
...
@@ -177,10 +207,6 @@ export default {
<gl-friendly-wrap
:text=
"className"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"methodName"
:label=
"s__('Vulnerability|Method')"
>
<gl-friendly-wrap
:text=
"methodName"
/>
</vulnerability-detail>
<vulnerability-detail
v-if=
"image"
:label=
"s__('Vulnerability|Image')"
>
<gl-friendly-wrap
:text=
"image"
/>
</vulnerability-detail>
...
...
ee/changelogs/unreleased/215110-dast-vulnerabilities-show-more-information-about-the-request-fr.yml
0 → 100644
View file @
4e4e3994
---
title
:
Add request information to vulnerability-detail modal
merge_request
:
31422
author
:
type
:
changed
ee/spec/frontend/vue_shared/security_reports/components/__snapshots__/vulnerability_detail_spec.js.snap
View file @
4e4e3994
...
...
@@ -5,13 +5,13 @@ exports[`VulnerabilityDetail component renders the label prop and default slot 1
class="d-sm-flex my-sm-2 my-4"
>
<label
class="col-sm-
3
text-sm-right font-weight-bold pl-0"
class="col-sm-
4
text-sm-right font-weight-bold pl-0"
>
foo:
</label>
<div
class="col-sm-
9
pl-0 text-secondary"
class="col-sm-
8
pl-0 text-secondary"
>
<p>
bar
...
...
ee/spec/frontend/vue_shared/security_reports/components/__snapshots__/vulnerability_details_spec.js.snap
View file @
4e4e3994
...
...
@@ -29,6 +29,49 @@ exports[`VulnerabilityDetails component pin test renders correctly 1`] = `
<!---->
<vulnerability-detail-stub
label="URL"
>
<safe-link-stub
href="http://foo.bar/path"
target="_blank"
>
<gl-friendly-wrap-stub
symbols="/"
text="http://foo.bar/path"
/>
</safe-link-stub>
</vulnerability-detail-stub>
<vulnerability-detail-stub
label="Request Headers"
>
<code-block-stub
code="key1: value1
key2: value2"
maxheight="225px"
/>
</vulnerability-detail-stub>
<vulnerability-detail-stub
label="Response Status"
>
<gl-friendly-wrap-stub
symbols="/"
text="200"
/>
</vulnerability-detail-stub>
<vulnerability-detail-stub
label="Response Headers"
>
<code-block-stub
code="key1: value1
key2: value2"
maxheight="225px"
/>
</vulnerability-detail-stub>
<vulnerability-detail-stub
label="File"
>
...
...
@@ -124,8 +167,6 @@ exports[`VulnerabilityDetails component pin test renders correctly 1`] = `
<!---->
<!---->
<vulnerability-detail-stub
label="Links"
>
...
...
ee/spec/frontend/vue_shared/security_reports/components/vulnerability_details_spec.js
View file @
4e4e3994
import
{
mount
,
shallowMount
}
from
'
@vue/test-utils
'
;
import
CodeBlock
from
'
~/vue_shared/components/code_block.vue
'
;
import
VulnerabilityDetails
from
'
ee/vue_shared/security_reports/components/vulnerability_details.vue
'
;
import
SeverityBadge
from
'
ee/vue_shared/security_reports/components/severity_badge.vue
'
;
import
SafeLink
from
'
ee/vue_shared/components/safe_link.vue
'
;
...
...
@@ -29,6 +30,9 @@ describe('VulnerabilityDetails component', () => {
};
const
findLink
=
name
=>
wrapper
.
find
({
ref
:
`
${
name
}
Link`
});
const
findRequestHeaders
=
()
=>
wrapper
.
find
({
ref
:
'
requestHeaders
'
});
const
findResponseHeaders
=
()
=>
wrapper
.
find
({
ref
:
'
responseHeaders
'
});
const
findResponseStatusCode
=
()
=>
wrapper
.
find
({
ref
:
'
responseStatusCode
'
});
afterEach
(()
=>
{
wrapper
.
destroy
();
...
...
@@ -151,6 +155,90 @@ describe('VulnerabilityDetails component', () => {
});
});
describe
(
'
with request information
'
,
()
=>
{
beforeEach
(()
=>
{
const
vulnerability
=
makeVulnerability
({
request
:
{
url
:
'
http://foo.bar/path
'
,
headers
:
[{
name
:
'
key1
'
,
value
:
'
value1
'
},
{
name
:
'
key2
'
,
value
:
'
value2
'
}],
},
});
componentFactory
(
vulnerability
);
});
it
(
'
renders the request-url
'
,
()
=>
{
expect
(
findLink
(
'
url
'
).
props
(
'
href
'
)).
toBe
(
'
http://foo.bar/path
'
);
});
it
(
'
renders a code-block containing the http headers
'
,
()
=>
{
expect
(
findRequestHeaders
().
is
(
CodeBlock
)).
toBe
(
true
);
expect
(
findRequestHeaders
().
text
()).
toBe
(
'
key1: value1
\n
key2: value2
'
);
});
it
(
'
limits the code-blocks maximum height
'
,
()
=>
{
expect
(
findRequestHeaders
().
props
(
'
maxHeight
'
)).
not
.
toBeFalsy
();
expect
(
findRequestHeaders
().
props
(
'
maxHeight
'
)).
toEqual
(
expect
.
any
(
String
));
});
});
describe
(
'
without request information
'
,
()
=>
{
beforeEach
(()
=>
{
const
vulnerability
=
makeVulnerability
({
location
:
{
hostname
:
'
http://foo.com
'
,
path
:
'
/bar
'
,
},
});
componentFactory
(
vulnerability
);
});
it
(
'
renders the location-url
'
,
()
=>
{
expect
(
findLink
(
'
url
'
).
text
()).
toBe
(
'
http://foo.com/bar
'
);
});
it
(
'
does not render a code block containing the request-headers
'
,
()
=>
{
expect
(
findRequestHeaders
().
exists
()).
toBe
(
false
);
});
});
describe
(
'
with response information
'
,
()
=>
{
beforeEach
(()
=>
{
const
vulnerability
=
makeVulnerability
({
response
:
{
status_code
:
'
200
'
,
headers
:
[{
name
:
'
key1
'
,
value
:
'
value1
'
},
{
name
:
'
key2
'
,
value
:
'
value2
'
}],
},
});
componentFactory
(
vulnerability
);
});
it
(
'
renders the response status code
'
,
()
=>
{
expect
(
findResponseStatusCode
().
text
()).
toBe
(
'
200
'
);
});
it
(
'
renders a code block containing the request-headers
'
,
()
=>
{
const
responseHeaders
=
findResponseHeaders
();
expect
(
responseHeaders
.
is
(
CodeBlock
)).
toBe
(
true
);
expect
(
responseHeaders
.
text
()).
toBe
(
'
key1: value1
\n
key2: value2
'
);
});
});
describe
(
'
without response information
'
,
()
=>
{
beforeEach
(()
=>
{
const
vulnerability
=
makeVulnerability
();
componentFactory
(
vulnerability
);
});
it
(
'
does not render the status code
'
,
()
=>
{
expect
(
findResponseStatusCode
().
exists
()).
toBe
(
false
);
});
it
(
'
does not render the http-headers
'
,
()
=>
{
expect
(
findResponseHeaders
().
exists
()).
toBe
(
false
);
});
});
describe
(
'
scanner details
'
,
()
=>
{
describe
(
'
with additional information
'
,
()
=>
{
beforeEach
(()
=>
{
...
...
@@ -211,6 +299,14 @@ describe('VulnerabilityDetails component', () => {
uri
:
'
/bar
'
,
},
],
request
:
{
url
:
'
http://foo.bar/path
'
,
headers
:
[{
name
:
'
key1
'
,
value
:
'
value1
'
},
{
name
:
'
key2
'
,
value
:
'
value2
'
}],
},
response
:
{
status_code
:
'
200
'
,
headers
:
[{
name
:
'
key1
'
,
value
:
'
value1
'
},
{
name
:
'
key2
'
,
value
:
'
value2
'
}],
},
}),
);
...
...
locale/gitlab.pot
View file @
4e4e3994
...
...
@@ -17863,6 +17863,9 @@ msgstr ""
msgid "Request Access"
msgstr ""
msgid "Request Headers"
msgstr ""
msgid "Request parameter %{param} is missing."
msgstr ""
...
...
@@ -18002,6 +18005,12 @@ msgstr ""
msgid "Response"
msgstr ""
msgid "Response Headers"
msgstr ""
msgid "Response Status"
msgstr ""
msgid "Response didn't include `service_desk_address`"
msgstr ""
...
...
spec/frontend/vue_shared/components/__snapshots__/code_block_spec.js.snap
View file @
4e4e3994
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`Code Block
matches snapshot
1`] = `
exports[`Code Block
with default props renders correctly
1`] = `
<pre
class="code-block rounded"
>
<code
class="d-block"
>
test-code
</code>
</pre>
`;
exports[`Code Block with maxHeight set to "200px" renders correctly 1`] = `
<pre
class="code-block rounded"
style="max-height: 200px; overflow-y: auto;"
>
<code
class="d-block"
>
test-code
</code>
</pre>
`;
spec/frontend/vue_shared/components/code_block_spec.js
View file @
4e4e3994
...
...
@@ -4,10 +4,15 @@ import CodeBlock from '~/vue_shared/components/code_block.vue';
describe
(
'
Code Block
'
,
()
=>
{
let
wrapper
;
const
createComponent
=
()
=>
{
const
defaultProps
=
{
code
:
'
test-code
'
,
};
const
createComponent
=
(
props
=
{})
=>
{
wrapper
=
shallowMount
(
CodeBlock
,
{
propsData
:
{
code
:
'
test-code
'
,
...
defaultProps
,
...
props
,
},
});
};
...
...
@@ -17,9 +22,23 @@ describe('Code Block', () => {
wrapper
=
null
;
});
it
(
'
matches snapshot
'
,
()
=>
{
createComponent
();
describe
(
'
with default props
'
,
()
=>
{
beforeEach
(()
=>
{
createComponent
();
});
expect
(
wrapper
.
element
).
toMatchSnapshot
();
it
(
'
renders correctly
'
,
()
=>
{
expect
(
wrapper
.
element
).
toMatchSnapshot
();
});
});
describe
(
'
with maxHeight set to "200px"
'
,
()
=>
{
beforeEach
(()
=>
{
createComponent
({
maxHeight
:
'
200px
'
});
});
it
(
'
renders correctly
'
,
()
=>
{
expect
(
wrapper
.
element
).
toMatchSnapshot
();
});
});
});
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment