gitlab.com/gitlab-org/gitlab-foss.git
author    GitLab Bot <gitlab-bot@gitlab.com>  2019-09-19 18:06:08 +0300
committer GitLab Bot <gitlab-bot@gitlab.com>  2019-09-19 18:06:08 +0300
commit    d948f526eaf995c32699fe9e02c2a7c47b78b635 (patch)
tree      f10023b5826989a5bdc756ec692b943796db48f8 /doc
parent    26804e91d92ce76b741103de6fd0012f9e26d18c (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r--  doc/development/fe_guide/components.md       |  23
-rw-r--r--  doc/user/application_security/dast/index.md  | 112
2 files changed, 111 insertions, 24 deletions
diff --git a/doc/development/fe_guide/components.md b/doc/development/fe_guide/components.md
index b96d92e2d88..f8765f9e202 100644
--- a/doc/development/fe_guide/components.md
+++ b/doc/development/fe_guide/components.md
@@ -3,7 +3,6 @@
## Contents
- [Dropdowns](#dropdowns)
-- [Modals](#modals)
## Dropdowns
@@ -39,25 +38,3 @@ See also the [corresponding UX guide](https://design.gitlab.com/#/components/dro
```
[bootstrap-dropdowns]: https://getbootstrap.com/docs/3.3/javascript/#dropdowns
-
-## Modals
-
-See also the [corresponding UX guide](https://design.gitlab.com/#/components/modals).
-
-We have a reusable Vue component for modals: [vue_shared/components/gl_modal.vue](https://gitlab.com/gitlab-org/gitlab/blob/master/app/assets/javascripts/vue_shared/components/gl_modal.vue)
-
-Here is an example of how to use it:
-
-```html
- <gl-modal
- id="dogs-out-modal"
- :header-title-text="s__('ModalExample|Let the dogs out?')"
- footer-primary-button-variant="danger"
- :footer-primary-button-text="s__('ModalExample|Let them out')"
- @submit="letOut(theDogs)"
- >
- {{ s__('ModalExample|You’re about to let the dogs out.') }}
- </gl-modal>
-```
-
-![example modal](img/gl-modal.png)
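Review bot: the deleted Modals section was the only visible reference to `img/gl-modal.png` (resolving to `doc/development/fe_guide/img/gl-modal.png`), yet the diffstat lists only the two markdown files, so that image is left orphaned in the tree; remove it in the same change or confirm another page still embeds it. The removal also leaves no pointer to where the `vue_shared/components/gl_modal.vue` guidance now lives; a one-line redirect in place of the section would save readers a dead end.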
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index afeef2a04ba..e90f219337b 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -84,7 +84,7 @@ There are two ways to define the URL to be scanned by DAST:
- Set the `DAST_WEBSITE` [variable](../../../ci/yaml/README.md#variables).
- Add it in an `environment_url.txt` file at the root of your project.
-If both values are set, the `DAST_WEBSITE` value will take precedence.
+If both values are set, the `DAST_WEBSITE` value will take precedence.
The included template will create a `dast` job in your CI/CD pipeline and scan
your project's source code for possible vulnerabilities.
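Review bot: the `-`/`+` pair in this hunk reads identically, so the change is invisible here (most likely trailing whitespace); if that is all it is, say so in the commit, otherwise the intended edit was lost. While touching this context, the sentence "scan your project's source code for possible vulnerabilities" misdescribes DAST, which probes the running application at `DAST_WEBSITE` / `environment_url.txt`, not the source; worth correcting in the same pass.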
@@ -132,6 +132,115 @@ variables:
DAST_FULL_SCAN_ENABLED: "true"
```
+#### Domain validation
+
+The DAST job can be run anywhere, which means you can accidentally hit live web servers
+and potentially damage them. You could even take down your production environment.
+For that reason, you should use domain validation.
+
+Domain validation is not required by default. It can be required by setting the [environment variable](#available-variables) `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` to true.
+
+```yaml
+include:
+ template: DAST.gitlab-ci.yml
+
+variables:
+ DAST_FULL_SCAN_ENABLED: "true"
+ DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED: "true"
+```
+
+Since ZAP full scan actively attacks the target application, DAST sends a ping to the target (normally defined in `DAST_WEBSITE` or `environment_url.txt`) beforehand.
+
+If `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` is false or unset, the scan will _proceed_ unless the response to the ping
+includes a `Gitlab-DAST-Permission` header with a value of `deny`.
+
+If `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` is true, the scan will _exit_ unless the response to the ping
+includes a `Gitlab-DAST-Permission` header with a value of `allow`.
+
+Here are some examples of adding the `Gitlab-DAST-Permission` header to a response in Rails, Django, and Node (with Express).
+
+##### Ruby on Rails
+
+Here's how you would add a [custom header in Ruby on Rails](https://guides.rubyonrails.org/action_controller_overview.html#setting-custom-headers):
+
+```ruby
+class DastWebsiteTargetController < ActionController::Base
+ def dast_website_target
+ response.headers['Gitlab-DAST-Permission'] = 'allow'
+
+ head :ok
+ end
+end
+```
+
+##### Django
+
+Here's how you would add a [custom header in Django](https://docs.djangoproject.com/en/2.2/ref/request-response/#setting-header-fields):
+
+```python
+class DastWebsiteTargetView(View):
+ def head(self, *args, **kwargs):
+ response = HttpResponse()
+ response['Gitlab-Dast-Permission'] = 'allow'
+
+ return response
+```
+
+##### Node (with Express)
+
+Here's how you would add a [custom header in Node (with Express)](http://expressjs.com/en/5x/api.html#res.append):
+
+```javascript
+app.get('/dast-website-target', function(req, res) {
+ res.append('Gitlab-DAST-Permission', 'allow')
+ res.send('Respond to DAST ping')
+})
+```
+
+##### Domain validation header via a proxy
+
+It's also possible to add the `Gitlab-DAST-Permission` header via a proxy.
+
+###### NGINX
+
+The following config allows NGINX to act as a reverse proxy and add the `Gitlab-DAST-Permission` [header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header):
+
+```
+# default.conf
+server {
+ listen 80;
+ server_name localhost;
+
+ location / {
+ proxy_pass http://test-application;
+ add_header Gitlab-DAST-Permission allow;
+ }
+}
+```
+
+###### Apache
+
+Apache can also be used as a [reverse proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
+to add the Gitlab-DAST-Permission [header](https://httpd.apache.org/docs/current/mod/mod_headers.html).
+
+To do so, add the following lines to `httpd.conf`:
+
+```
+# httpd.conf
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+
+<VirtualHost *:80>
+ ProxyPass "/" "http://test-application.com/"
+ ProxyPassReverse "/" "http://test-application.com/"
+ Header set Gitlab-DAST-Permission "allow"
+</VirtualHost>
+```
+
+[This snippet](https://gitlab.com/gitlab-org/security-products/dast/snippets/1894732) contains a complete `httpd.conf` file
+configured to act as a remote proxy and add the `Gitlab-DAST-Permission` header.
+
### Customizing the DAST settings
The DAST settings can be changed through environment variables by using the
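Review bot: the Apache snippet uses `Header set Gitlab-DAST-Permission "allow"` but never loads `mod_headers`, so as written httpd rejects the config (`Invalid command 'Header'`); add `LoadModule headers_module modules/mod_headers.so` next to the proxy modules, and drop `proxy_connect_module`, which serves forward-proxy CONNECT tunnelling and is not needed for a reverse proxy. The three application examples also disagree on which request they answer: the Django view only implements `head()`, the Express route only handles `GET`, and the Rails controller replies to whatever route maps to it, so the text should state which HTTP method the pre-scan "ping" uses or the reader will pick the wrong one and get a 405 instead of the header. The Django example spells the header `Gitlab-Dast-Permission`; header names are case-insensitive so it works, but unify the spelling with the rest of the page. For the NGINX variant, `add_header` only attaches the header to 2xx and selected 3xx responses unless the `always` flag is given; a `deny` configured this way on an endpoint that answers 404 or 401 is silently dropped and the full scan proceeds, which is the unsafe direction, so use `add_header Gitlab-DAST-Permission allow always;` (or `deny`) and say why.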
@@ -194,6 +303,7 @@ variable value.
| `DAST_AUTH_EXCLUDE_URLS` | no | The URLs to skip during the authenticated scan; comma-separated, no spaces in between. |
| `DAST_TARGET_AVAILABILITY_TIMEOUT` | no | Time limit in seconds to wait for target availability. Scan is attempted nevertheless if it runs out. Integer. Defaults to `60`. |
| `DAST_FULL_SCAN_ENABLED` | no | Switches the tool to execute [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan) instead of [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan). Boolean. `true`, `True`, or `1` are considered as true value, otherwise false. Defaults to `false`. |
+| `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` | no | Requires [domain validation](#domain-validation) when running DAST full scans. Boolean. `true`, `True`, or `1` are considered as true value, otherwise false. Defaults to `false`. |
## Security Dashboard
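Review bot: the new row says "when running DAST full scans" but does not state the consequence for baseline mode; add that the variable has no effect unless `DAST_FULL_SCAN_ENABLED` is also true, since a reader setting only this flag would otherwise expect the scan to exit on a missing `allow` header.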