Catch YAML errors when parsing security policies

Changelog: fixed EE: true

Catch YAML errors when parsing security policies
Changelog: fixed EE: true
19a5e915 · Alan (Maciej) Paruszewski · Matthias Käppler · 05c81df5 · 19a5e915 · 19a5e915
Commit 19a5e915 authored Nov 24, 2021 by Alan (Maciej) Paruszewski Committed by Matthias Käppler Nov 24, 2021
3 changed files
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -357,7 +357,7 @@ scan_execution_policy:
  - type: schedule
    branches:
    - main
-    cadence: */10 * * * *
+    cadence: "*/10 * * * *"
  actions:
  - scan: dast
    scanner_profile: Scanner Profile C
@@ -378,7 +378,7 @@ scan_execution_policy:
  enabled: true
  rules:
  - type: schedule
-    cadence: '15 3 * * *'
+    cadence: "15 3 * * *
    clusters:
      production-cluster:
        containers:

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -35,6 +35,8 @@ module Security

        Gitlab::Config::Loader::Yaml.new(policy_blob).load!
      end
+    rescue Gitlab::Config::Loader::FormatError
+      nil
    end

    def policy_configuration_exists?

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -102,6 +102,14 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
      it { expect(subject.dig(:scan_execution_policy, 0, :name)).to eq('Run DAST in every pipeline') }
    end

+    context 'when policy has invalid YAML format' do
+      let(:policy_yaml) do
+        'cadence: * 1 2 3'
+      end
+
+      it { expect(subject).to be_nil }
+    end
+
    context 'when policy is nil' do
      let(:policy_yaml) { nil }