Commit 6b3945a7 authored by Nikhil George's avatar Nikhil George Committed by Rémy Coutable

Update DAST in ci jobs to version 2

parent f5bf00dc
...@@ -10,29 +10,21 @@ ...@@ -10,29 +10,21 @@
variables: variables:
DAST_USERNAME_FIELD: "user[login]" DAST_USERNAME_FIELD: "user[login]"
DAST_PASSWORD_FIELD: "user[password]" DAST_PASSWORD_FIELD: "user[password]"
DAST_SUBMIT_FIELD: "commit"
DAST_FULL_SCAN_ENABLED: "true" DAST_FULL_SCAN_ENABLED: "true"
DAST_SPIDER_MINS: 0 DAST_VERSION: 2
# TBD pin to a version GIT_STRATEGY: none
DAST_VERSION: 1.22.1
# -Xmx is used to set the JVM memory to 6GB to prevent DAST OutOfMemoryError. # -Xmx is used to set the JVM memory to 6GB to prevent DAST OutOfMemoryError.
DAST_ZAP_CLI_OPTIONS: "-Xmx6144m" DAST_ZAP_CLI_OPTIONS: "-Xmx6144m"
DAST_RULES: "41,42,43,10027,10032,10041,10042,10045,10047,10052,10053,10057,10061,10096,10097,10104,10106,20012,20014,20015,20016,20017,20018,40019,40020,40021,40024,40025,40027,40029,40032,90001,90019,10109,10026,10028,10029,10030,10031,10033,10034,10035,10036,10038,10039,10043,10044,10048,10050,10051,10058,10062,10095,10107,10108,30003,40013,40022,40023,40028,90021,90023,90024,90025,90027,90028,10003,50003,0,2,3,6,7,10010,10011,10015,10017,10019,10020,10021,10023,10024,10025,10037,10040,10054,10055,10056,10098,10105,10202,20019,30001,30002,40003,40008,40009,40012,40014,40016,40017,40018,50000,50001,90011,90020,90022,90033"
before_script: before_script:
- 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"' - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
- 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"' - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
- 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"' - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
# Below three lines can be removed once https://gitlab.com/gitlab-org/gitlab/-/issues/230687 is fixed
- mkdir -p /zap/xml
- 'sed -i "84 s/true/false/" /zap/xml/config.xml'
- cat /zap/xml/config.xml
# Help pages are excluded from scan as they are static pages. # Help pages are excluded from scan as they are static pages.
# profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage. # profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage.
- 'export DAST_AUTH_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"' - 'DAST_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/-/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"'
# Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362 # Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362
- 'DAST_AUTH_EXCLUDE_URLS="${DAST_AUTH_EXCLUDE_URLS},https://.*\.gitlab-review\.app/gitlab-instance-(administrators-)?[a-zA-Z0-9]{8}/.*"' - 'export DAST_EXCLUDE_URLS="${DAST_EXCLUDE_URLS},${DAST_WEBSITE}/gitlab-instance-.*"'
- enable_rule () { read all_rules; rule=$1; echo $all_rules | sed -r "s/(,)?$rule(,)?/\1-1\2/" ; }
# Sort ids in DAST_RULES ascendingly, which is required when using DAST_RULES as argument to enable_rule
- 'DAST_RULES=$(echo $DAST_RULES | tr "," "\n" | sort -n | paste -sd ",")'
needs: ["review-deploy"] needs: ["review-deploy"]
stage: dast stage: dast
# Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout. # Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout.
...@@ -47,159 +39,152 @@ ...@@ -47,159 +39,152 @@
expire_in: 1 week # GitLab-specific expire_in: 1 week # GitLab-specific
# DAST scan with a subset of Release scan rules. # DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset1: # ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/
# 10019, 10021 Missing security headers
# 10023, 10024, 10025, 10037 Information Disclosure
# 10040 Secure Pages Include Mixed Content
# 10055 CSP
# 10056 X-Debug-Token Information Leak
# Duration: 14 minutes 20 seconds
dast:secureHeaders-csp-infoLeak:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user1" DAST_USERNAME: "user1"
DAST_ONLY_INCLUDE_RULES: "10019,10021,10023,10024,10025,10037,10040,10055,10056"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10019 | enable_rule 10020 | enable_rule 10021 | enable_rule 10023 | enable_rule 10024 | enable_rule 10025 | enable_rule 10037 | enable_rule 10040 | enable_rule 10054 | enable_rule 10055 | enable_rule 10056) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with a subset of Release scan rules. # 90023 XML External Entity Attack
DAST-fullscan-ruleset2: # Duration: 41 minutes 20 seconds
# 90019 Server Side Code Injection
# Duration: 34 minutes 31 seconds
dast:XXE-SrvSideInj:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user2" DAST_USERNAME: "user2"
DAST_ONLY_INCLUDE_RULES: "90023,90019"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 90011 | enable_rule 90020 | enable_rule 90022 | enable_rule 90033) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with a subset of Release scan rules. # 0 Directory Browsing
DAST-fullscan-ruleset3: # 2 Private IP Disclosure
# 3 Session ID in URL Rewrite
# 7 Remote File Inclusion
# Duration: 63 minutes 43 seconds
# 90034 Cloud Metadata Potentially Exposed
# Duration: 13 minutes 48 seconds
# 90022 Application Error Disclosure
# Duration: 12 minutes 7 seconds
dast:infoLeak-fileInc-DirBrowsing:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user3" DAST_USERNAME: "user3"
DAST_ONLY_INCLUDE_RULES: "0,2,3,7,90034,90022"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 40016 | enable_rule 40017 | enable_rule 50000 | enable_rule 50001) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with a subset of Release scan rules. # 10010 Cookie No HttpOnly Flag
DAST-fullscan-ruleset4: # 10011 Cookie Without Secure Flag
# 10017 Cross-Domain JavaScript Source File Inclusion
# 10029 Cookie Poisoning
# 90033 Loosely Scoped Cookie
# 10054 Cookie Without SameSite Attribute
# Duration: 13 minutes 23 seconds
dast:insecureCookie:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user4" DAST_USERNAME: "user4"
DAST_ONLY_INCLUDE_RULES: "10010,10011,10017,10029,90033,10054"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 0 | enable_rule 2 | enable_rule 3 | enable_rule 7 ) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset5:
extends:
- .dast_conf
variables:
DAST_USERNAME: "user5"
script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10010 | enable_rule 10011 | enable_rule 10017 | enable_rule 10019)
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset6:
extends:
- .dast_conf
variables:
DAST_USERNAME: "user6"
script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 30001 | enable_rule 40009)
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# Enable when https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39749 is fixed # 20012 Anti-CSRF Tokens Check
# DAST scan with a subset of Beta scan rules. # 10202 Absence of Anti-CSRF Tokens
# DAST-fullscan-ruleset7: # https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/192
# extends:
# - .dast_conf
# variables:
# DAST_USERNAME: "user7"
# script:
# - export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10098 | enable_rule 10105 | enable_rule 10202 | enable_rule 30002 | enable_rule 40003 | enable_rule 40008 | enable_rule 40009)
# - echo $DAST_EXCLUDE_RULES
# - /analyze -t $DAST_WEBSITE -d
# Enable when https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39749 is fixed # Commented because of lot of FP's
# Below jobs runs DAST scans with one time consuming scan rule. These scan rules are disabled in above jobs so that those jobs won't timeout. # dast:csrfTokenCheck:
# DAST scan with rule - 20019 External Redirect
# DAST-fullscan-rule-20019:
# extends: # extends:
# - .dast_conf # - .dast_conf
# variables: # variables:
# DAST_USERNAME: "user8" # DAST_USERNAME: "user6"
# DAST_ONLY_INCLUDE_RULES: "20012,10202"
# script: # script:
# - export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 20019) # - /analyze
# - echo $DAST_EXCLUDE_RULES
# - /analyze -t $DAST_WEBSITE -d
# Enable when https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39749 is fixed # 10098 Cross-Domain Misconfiguration
# DAST scan with rule - 10107 Httpoxy - Proxy Header Misuse - Active/beta # 10105 Weak Authentication Method
# DAST-fullscan-rule-10107: # 40003 CRLF Injection
# extends: # 40008 Parameter Tampering
# - .dast_conf # Duration: 71 minutes 15 seconds
# variables: dast:corsMisconfig-weakauth-crlfInj:
# DAST_USERNAME: "user9" extends:
# script: - .dast_conf
# - export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 10107) variables:
# - echo $DAST_EXCLUDE_RULES DAST_USERNAME: "user5"
# - /analyze -t $DAST_WEBSITE -d DAST_ONLY_INCLUDE_RULES: "10098,10105,40003,40008"
script:
- /analyze
# DAST scan with rule - 90020 Remote OS Command Injection # 20019 External Redirect
DAST-fullscan-rule-90020: # 20014 HTTP Parameter Pollution
# Duration: 46 minutes 12 seconds
dast:extRedirect-paramPollution:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user10" DAST_USERNAME: "user6"
DAST_ONLY_INCLUDE_RULES: "20019,20014"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 90020) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with rule - 40018 SQL Injection - Active/release # 40022 SQL Injection - PostgreSQL
DAST-fullscan-rule-40018: # Duration: 53 minutes 59 seconds
dast:sqlInjection:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user11" DAST_USERNAME: "user7"
DAST_ONLY_INCLUDE_RULES: "40022"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 40018) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with rule - 40014 Cross Site Scripting (Persistent) - Active/release # 40014 Cross Site Scripting (Persistent)
DAST-fullscan-rule-40014: # Duration: 21 minutes 50 seconds
dast:xss-persistent:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user12" DAST_USERNAME: "user8"
DAST_ONLY_INCLUDE_RULES: "40014"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 40014) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with rule - 6 Path travesal # 40012 Cross Site Scripting (Reflected)
DAST-fullscan-rule-6: # Duration: 73 minutes 15 seconds
dast:xss-reflected:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user13" DAST_USERNAME: "user9"
DAST_ONLY_INCLUDE_RULES: "40012"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 6) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
# DAST scan with rule - 40012 Cross Site Scripting (Reflected) # 40013 Session Fixation
DAST-fullscan-rule-40012: # Duration: 44 minutes 25 seconds
dast:sessionFixation:
extends: extends:
- .dast_conf - .dast_conf
variables: variables:
DAST_USERNAME: "user14" DAST_USERNAME: "user10"
DAST_ONLY_INCLUDE_RULES: "40013"
script: script:
- export DAST_EXCLUDE_RULES=$(echo $DAST_RULES | enable_rule 40012) - /analyze
- echo $DAST_EXCLUDE_RULES
- /analyze -t $DAST_WEBSITE -d
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment