Address on-demand DAST site validation feedback

Checks content type and matches string absolutely to avoid embedding.

Address on-demand DAST site validation feedback
Checks content type and matches string absolutely to avoid embedding.
84aca59b · Philip Cunningham · f367f7df · 84aca59b · 84aca59b · 84aca59b
Commit 84aca59b authored Nov 04, 2020 by Philip Cunningham
3 changed files
--- a/ee/app/services/dast_site_validations/validate_service.rb
+++ b/ee/app/services/dast_site_validations/validate_service.rb
@@ -41,7 +41,7 @@ module DastSiteValidations

      case dast_site_validation.validation_strategy
      when 'text_file'
-        response.body.include?(token)
+        response.content_type == 'text/plain' && response.body == token
      when 'header'
        response.headers[DastSiteValidation::HEADER] == token
      else

--- a/ee/spec/services/dast_site_validations/validate_service_spec.rb
+++ b/ee/spec/services/dast_site_validations/validate_service_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe DastSiteValidations::ValidateService do
  let(:dast_site_validation) { create(:dast_site_validation) }
  let(:token) { dast_site_validation.dast_site_token.token }
+  let(:headers) { { 'Content-Type' => 'text/plain; charset=utf-8' } }

  subject do
    described_class.new(
@@ -36,7 +37,7 @@ RSpec.describe DastSiteValidations::ValidateService do
      before do
        stub_licensed_features(security_on_demand_scans: true)
        stub_feature_flags(security_on_demand_scans_site_validation: true)
-        stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
+        stub_request(:get, dast_site_validation.validation_url).to_return(body: token, headers: headers)
      end

      it 'validates the url before making an http request' do
@@ -110,7 +111,7 @@ RSpec.describe DastSiteValidations::ValidateService do

        context 'when the token is not found' do
          let(:token) do
-            SecureRandom.hex
+            '<div>' + dast_site_validation.dast_site_token.token + '</div>'
          end

          it 'raises an exception' do
@@ -123,10 +124,18 @@ RSpec.describe DastSiteValidations::ValidateService do
        let(:dast_site_validation) { create(:dast_site_validation, validation_strategy: :text_file) }

        before do
-          stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
+          stub_request(:get, dast_site_validation.validation_url).to_return(body: token, headers: headers)
        end

        it_behaves_like 'a validation'
+
+        context 'when content type is incorrect' do
+          let(:headers) { { 'Content-Type' => 'text/html; charset=UTF-8' } }
+
+          it 'raises an exception' do
+            expect { subject }.to raise_error(DastSiteValidations::ValidateService::TokenNotFound)
+          end
+        end
      end

      context 'when validation_strategy=header' do

--- a/ee/spec/workers/dast_site_validation_worker_spec.rb
+++ b/ee/spec/workers/dast_site_validation_worker_spec.rb
@@ -21,14 +21,13 @@ RSpec.describe DastSiteValidationWorker do
    end

    context 'when the feature is enabled' do
-      let(:response_body) do
-        dast_site_validation.dast_site_token.token
-      end
+      let(:response_body) { dast_site_validation.dast_site_token.token }
+      let(:headers) { { 'Content-Type' => 'text/plain; charset=utf-8' } }

      before do
        stub_licensed_features(security_on_demand_scans: true)
        stub_feature_flags(security_on_demand_scans_site_validation: true)
-        stub_request(:get, dast_site_validation.validation_url).to_return(body: response_body)
+        stub_request(:get, dast_site_validation.validation_url).to_return(body: response_body, headers: headers)
      end

      context 'when the request body contains the token' do