Commit 2bb794f7 authored by Philip Cunningham's avatar Philip Cunningham Committed by Stan Hu

Set DAST_API_HOST_OVERRIDE for on-demand API scans

parent 91ce444c
...@@ -7,6 +7,7 @@ module Ci ...@@ -7,6 +7,7 @@ module Ci
target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT', target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT',
target_url: 'DAST_WEBSITE', target_url: 'DAST_WEBSITE',
api_specification_url: 'DAST_API_SPECIFICATION', api_specification_url: 'DAST_API_SPECIFICATION',
api_host_override: 'DAST_API_HOST_OVERRIDE',
use_ajax_spider: 'DAST_USE_AJAX_SPIDER', use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
show_debug_messages: 'DAST_DEBUG', show_debug_messages: 'DAST_DEBUG',
full_scan_enabled: 'DAST_FULL_SCAN_ENABLED', full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',
......
...@@ -45,7 +45,7 @@ module DastOnDemandScans ...@@ -45,7 +45,7 @@ module DastOnDemandScans
def dast_site def dast_site
strong_memoize(:dast_site) do strong_memoize(:dast_site) do
dast_site_profile&.dast_site dast_site_profile.dast_site
end end
end end
...@@ -66,12 +66,12 @@ module DastOnDemandScans ...@@ -66,12 +66,12 @@ module DastOnDemandScans
end end
def target_config def target_config
url = dast_site&.url url = dast_site.url
if dast_site_profile.target_type == 'website' if dast_site_profile.target_type == 'website'
{ target_url: url } { target_url: url }
else else
{ api_specification_url: url } { api_specification_url: url, api_host_override: URI(url).host }
end end
end end
......
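Review bot: `URI(url).host` on the api branch of target_config yields the bracketed form for an IPv6 literal (`[::1]`) and nil when the stored url carries no scheme, and `URI()` itself raises `URI::InvalidURIError` on a malformed value; unless dast_site.url is guaranteed well-formed by validation elsewhere (not visible here), derive it with `api_host_override: URI(url).hostname` and treat a nil result explicitly. Whether the scanner expects a port in DAST_API_HOST_OVERRIDE is not shown on the page, so a url with an explicit port silently loses it here; a one-line comment such as `# host only, no port: the scanner variable is a bare host — confirm against the DAST docs` would record the decision. Separately, dropping `&.` in dast_site and in the `url = dast_site.url` line changes a nil dast_site_profile from a nil payload value into a NoMethodError; if the profile is validated before these run, say so in a comment. The enclosing class of these methods starts and ends outside the hunk.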
...@@ -13,6 +13,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -13,6 +13,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
target_timeout: 100, target_timeout: 100,
target_url: 'https://gitlab.local', target_url: 'https://gitlab.local',
api_specification_url: 'https://gitlab.local/api.json', api_specification_url: 'https://gitlab.local/api.json',
api_host_override: 'gitlab.local',
use_ajax_spider: true, use_ajax_spider: true,
show_debug_messages: true, show_debug_messages: true,
full_scan_enabled: true, full_scan_enabled: true,
...@@ -36,6 +37,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -36,6 +37,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
DAST_TARGET_AVAILABILITY_TIMEOUT: 100 DAST_TARGET_AVAILABILITY_TIMEOUT: 100
DAST_WEBSITE: https://gitlab.local DAST_WEBSITE: https://gitlab.local
DAST_API_SPECIFICATION: https://gitlab.local/api.json DAST_API_SPECIFICATION: https://gitlab.local/api.json
DAST_API_HOST_OVERRIDE: gitlab.local
DAST_USE_AJAX_SPIDER: 'true' DAST_USE_AJAX_SPIDER: 'true'
DAST_DEBUG: 'true' DAST_DEBUG: 'true'
DAST_FULL_SCAN_ENABLED: 'true' DAST_FULL_SCAN_ENABLED: 'true'
......
...@@ -7,6 +7,9 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -7,6 +7,9 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) } let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) } let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }
let(:excluded_urls) { dast_site_profile.excluded_urls.join(',') }
let(:target_url) { dast_site_profile.dast_site.url }
let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } } let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } }
subject { described_class.new(container: project, params: params).execute } subject { described_class.new(container: project, params: params).execute }
...@@ -45,8 +48,8 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -45,8 +48,8 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
auth_url: dast_site_profile.auth_url, auth_url: dast_site_profile.auth_url,
branch: project.default_branch, branch: project.default_branch,
dast_profile: nil, dast_profile: nil,
excluded_urls: dast_site_profile.excluded_urls.join(','), excluded_urls: excluded_urls,
target_url: dast_site_profile.dast_site.url target_url: target_url
) )
end end
end end
...@@ -62,12 +65,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -62,12 +65,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
auth_url: dast_site_profile.auth_url, auth_url: dast_site_profile.auth_url,
branch: project.default_branch, branch: project.default_branch,
dast_profile: nil, dast_profile: nil,
excluded_urls: dast_site_profile.excluded_urls.join(','), excluded_urls: excluded_urls,
full_scan_enabled: false, full_scan_enabled: false,
show_debug_messages: false, show_debug_messages: false,
spider_timeout: nil, spider_timeout: nil,
target_timeout: nil, target_timeout: nil,
target_url: dast_site_profile.dast_site.url, target_url: target_url,
use_ajax_spider: false use_ajax_spider: false
) )
end end
...@@ -99,12 +102,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -99,12 +102,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
expect(subject.payload).to eq( expect(subject.payload).to eq(
branch: project.default_branch, branch: project.default_branch,
dast_profile: nil, dast_profile: nil,
excluded_urls: dast_site_profile.excluded_urls.join(','), excluded_urls: excluded_urls,
full_scan_enabled: false, full_scan_enabled: false,
show_debug_messages: false, show_debug_messages: false,
spider_timeout: nil, spider_timeout: nil,
target_timeout: nil, target_timeout: nil,
target_url: dast_site_profile.dast_site.url, target_url: target_url,
use_ajax_spider: false use_ajax_spider: false
) )
end end
...@@ -113,9 +116,13 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -113,9 +116,13 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
context 'when target_type=api' do context 'when target_type=api' do
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: :api) } let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: :api) }
it 'returns params including the api_specification_url and omitting the target_url', :aggregate_failures do it 'returns params including the api_specification_url and omitting the target_url' do
expect(subject.payload[:api_specification_url]).to eq(dast_site_profile.dast_site.url) expected_payload = hash_including(
expect(subject.payload[:target_url]).to be_nil api_specification_url: target_url,
api_host_override: URI(target_url).host
)
expect(subject.payload).to match(expected_payload).and exclude(:target_url)
end end
end end
end end
...@@ -133,12 +140,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -133,12 +140,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
branch: dast_profile.branch_name, branch: dast_profile.branch_name,
auth_url: dast_site_profile.auth_url, auth_url: dast_site_profile.auth_url,
dast_profile: dast_profile, dast_profile: dast_profile,
excluded_urls: dast_site_profile.excluded_urls.join(','), excluded_urls: excluded_urls,
full_scan_enabled: false, full_scan_enabled: false,
show_debug_messages: false, show_debug_messages: false,
spider_timeout: nil, spider_timeout: nil,
target_timeout: nil, target_timeout: nil,
target_url: dast_site_profile.dast_site.url, target_url: target_url,
use_ajax_spider: false use_ajax_spider: false
) )
end end
......
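Review bot: The api-context expectation recomputes `api_host_override: URI(target_url).host` with the same expression the implementation uses, so the test cannot catch a wrong derivation (a bracketed IPv6 host, a lost port, a nil host for a scheme-less url); pin it to the literal host of the factory's dast_site url instead, the way the Ci config spec does with `api_host_override: 'gitlab.local'`. The describe block starts and ends outside the hunk.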