diff options
12 files changed, 301 insertions, 9 deletions
diff --git a/app/assets/javascripts/analytics/cycle_analytics/store/mutations.js b/app/assets/javascripts/analytics/cycle_analytics/store/mutations.js index 4fa88279fe0..d1c8d2c24e7 100644 --- a/app/assets/javascripts/analytics/cycle_analytics/store/mutations.js +++ b/app/assets/javascripts/analytics/cycle_analytics/store/mutations.js @@ -1,7 +1,7 @@ import Vue from 'vue'; import { convertObjectPropsToCamelCase } from '~/lib/utils/common_utils'; import { formatMedianValues } from '../utils'; -import { PAGINATION_SORT_FIELD_END_EVENT, PAGINATION_SORT_DIRECTION_DESC } from '../constants'; +import { PAGINATION_SORT_DIRECTION_DESC, PAGINATION_SORT_FIELD_DURATION } from '../constants'; import * as types from './mutation_types'; export default { @@ -41,7 +41,7 @@ export default { Vue.set(state, 'pagination', { page, hasNextPage, - sort: sort || PAGINATION_SORT_FIELD_END_EVENT, + sort: sort || PAGINATION_SORT_FIELD_DURATION, direction: direction || PAGINATION_SORT_DIRECTION_DESC, }); }, diff --git a/app/assets/javascripts/analytics/cycle_analytics/store/state.js b/app/assets/javascripts/analytics/cycle_analytics/store/state.js index 3d9b56b043d..f387bf65093 100644 --- a/app/assets/javascripts/analytics/cycle_analytics/store/state.js +++ b/app/assets/javascripts/analytics/cycle_analytics/store/state.js @@ -1,5 +1,5 @@ import { - PAGINATION_SORT_FIELD_END_EVENT, + PAGINATION_SORT_FIELD_DURATION, PAGINATION_SORT_DIRECTION_DESC, } from '~/analytics/cycle_analytics/constants'; @@ -29,7 +29,7 @@ export default () => ({ pagination: { page: null, hasNextPage: false, - sort: PAGINATION_SORT_FIELD_END_EVENT, + sort: PAGINATION_SORT_FIELD_DURATION, direction: PAGINATION_SORT_DIRECTION_DESC, }, predefinedDateRange: null, diff --git a/doc/ci/testing/code_quality.md b/doc/ci/testing/code_quality.md index 1d857b8f543..ef9f0b86521 100644 --- a/doc/ci/testing/code_quality.md +++ b/doc/ci/testing/code_quality.md @@ -710,3 +710,39 @@ Replace `gitlab.example.com` with the actual domain of the registry. mount_path = "/etc/docker/certs.d/gitlab.example.com/ca.crt" sub_path = "gitlab.example.com.crt" ``` + +### Failed to load Code Quality report + +The Code Quality report can fail to load when there are issues parsing data from the artifact file. +To gain insight into the errors, you can execute a GraphQL query using the following steps: + +1. Go to the pipeline details page. +1. Append `.json` to the URL. +1. Copy the `iid` of the pipeline. +1. Go to [GraphiQL explorer](../../api/graphql/index.md#graphiql). +1. Run the following query: + + ```graphql + { + project(fullPath: "<fullpath-to-your-project>") { + pipeline(iid: "<iid>") { + codeQualityReports { + count + nodes { + line + description + path + fingerprint + severity + } + pageInfo { + hasNextPage + hasPreviousPage + startCursor + endCursor + } + } + } + } + } + ``` diff --git a/doc/user/application_security/dast/checks/89.1.md b/doc/user/application_security/dast/checks/89.1.md new file mode 100644 index 00000000000..ca7ff5e4593 --- /dev/null +++ b/doc/user/application_security/dast/checks/89.1.md @@ -0,0 +1,37 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# SQL Injection + +## Description + +It is possible to execute arbitrary SQL commands on the target application server's +backend database. +SQL Injection is a critical vulnerability that can lead to a data or system +compromise. + +## Remediation + +Always use parameterized queries when issuing requests to backend database systems. In +situations where dynamic queries must be created, never use direct user input, but +instead use a map or dictionary of valid values and resolve them using a user-supplied key. + +For example, some database drivers do not allow parameterized queries for `>` or `<` comparison +operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user +supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` +values to be used in the construction of the dynamic query. The same goes for other queries where +column or table names are required but can not be parameterized. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 89.1 | false | 89 | Active | high | + +## Links + +- [OWASP](https://owasp.org/www-community/attacks/SQL_Injection) +- [CWE](https://cwe.mitre.org/data/definitions/89.html) diff --git a/doc/user/application_security/dast/checks/917.1.md b/doc/user/application_security/dast/checks/917.1.md new file mode 100644 index 00000000000..68b9665e393 --- /dev/null +++ b/doc/user/application_security/dast/checks/917.1.md @@ -0,0 +1,33 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Expression Language Injection + +## Description + +It is possible to execute arbitrary Expression Language (EL) statements on the target +application server. EL injection is a critical severity vulnerability that can lead to +full system compromise. EL injection can occur when attacker-controlled data is used to construct +EL statements without neutralizing special characters. These special characters could modify the +intended EL statement prior to it being executed by an interpreter. + +## Remediation + +User-controlled data should always have special elements neutralized when used as part of +constructing Expression Language statements. Please consult the documentation for the EL +interpreter in use on how properly neutralize user controlled data. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 917.1 | false | 917 | Active | high | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/917.html) +- [OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection) +- [Expression Language Injection [PDF]](https://mindedsecurity.com/wp-content/uploads/2020/10/ExpressionLanguageInjection.pdf) diff --git a/doc/user/application_security/dast/checks/94.1.md b/doc/user/application_security/dast/checks/94.1.md new file mode 100644 index 00000000000..ec30b41c5e8 --- /dev/null +++ b/doc/user/application_security/dast/checks/94.1.md @@ -0,0 +1,53 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Server-side code injection (PHP) + +## Description + +The target application was found vulnerable to code injection. A malicious actor could inject arbitrary +PHP code to be executed on the server. This could lead to a full system compromise by accessing +stored secrets, injecting code to take over accounts, or executing OS commands. + +## Remediation + +Never pass user input directly into functions which evaluate string data as code, such as `eval`. +There is almost no benefit of passing string values to `eval`, as such the best recommendation is +to replace the current logic with more safe implementations of dynamically evaluating logic with +user input. One alternative is to use an `array()`, storing expected user inputs in an array +key, and use that key as a look up to execute functions: + +```php +$func_to_run = function() +{ + print('hello world'); +}; + +$function_map = array(); +$function_map["fn"] = $func_to_run; // store additional input to function mappings here + +$input = "fn"; + +// lookup "fn" as the key +if (array_key_exists($input, $function_map)) { + // run the $func_to_run that was stored in the "fn" array hash value. + $func = $function_map[$input]; + $func(); +} else { + print('invalid input'); +} +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 94.1 | false | 94 | Active | high | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/94.html) +- [OWASP](https://owasp.org/www-community/attacks/Code_Injection) diff --git a/doc/user/application_security/dast/checks/94.2.md b/doc/user/application_security/dast/checks/94.2.md new file mode 100644 index 00000000000..666052807b5 --- /dev/null +++ b/doc/user/application_security/dast/checks/94.2.md @@ -0,0 +1,51 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Server-side code injection (Ruby) + +## Description + +The target application was found vulnerable to code injection. A malicious actor could inject arbitrary +Ruby code to be executed on the server. This could lead to a full system compromise by accessing +stored secrets, injecting code to take over accounts, or executing OS commands. + +## Remediation + +Never pass user input directly into functions which evaluate string data as code, such as `eval`, +`send`, `public_send`, `instance_eval` or `class_eval`. There is almost no benefit of passing string +values to these methods, as such the best recommendation is to replace the current logic with more safe +implementations of dynamically evaluating logic with user input. If using `send` or `public_send` ensure +the first argument is to a known, hardcoded method/symbol and does not come from user input. + +For `eval`, `instance_eval` and `class_eval`, user input should never be sent directly to these methods. +One alternative is to store functions or methods in a Hash that can be looked up using a key. If the key +exists, the function can be executed. + +```ruby +def func_to_run + puts 'hello world' +end + +input = 'fn' + +function_map = { fn: method(:func_to_run) } + +if function_map.key?(input.to_sym) + function_map[input.to_sym].call +else + puts 'invalid input' +end +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 94.2 | false | 94 | Active | high | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/94.html) diff --git a/doc/user/application_security/dast/checks/94.3.md b/doc/user/application_security/dast/checks/94.3.md new file mode 100644 index 00000000000..772cdb1d3ea --- /dev/null +++ b/doc/user/application_security/dast/checks/94.3.md @@ -0,0 +1,45 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Server-side code injection (Python) + +## Description + +The target application was found vulnerable to code injection. A malicious actor could inject arbitrary +Python code to be executed on the server. This could lead to a full system compromise by accessing +stored secrets, injecting code to take over accounts, or executing OS commands. + +## Remediation + +Never pass user input directly into functions which evaluate string data as code, such as `eval`, +or `exec`. There is almost no benefit of passing string values to these methods, as such the best +recommendation is to replace the current logic with more safe implementations of dynamically evaluating +logic with user input. One alternative is to store functions or methods in a hashmap that can be looked +up using a key. If the key exists, the function can be executed. + +```python +def func_to_run(): + print('hello world') + +function_map = {'fn': func_to_run} + +input = 'fn' + +if input in function_map: + function_map[input]() +else: + print('invalid input') +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 94.3 | false | 94 | Active | high | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/94.html) diff --git a/doc/user/application_security/dast/checks/943.1.md b/doc/user/application_security/dast/checks/943.1.md new file mode 100644 index 00000000000..debae65669a --- /dev/null +++ b/doc/user/application_security/dast/checks/943.1.md @@ -0,0 +1,30 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Improper neutralization of special elements in data query logic + +## Description + +The application generates a query intended to interact with MongoDB, +but it does not neutralize or incorrectly neutralizes special elements +that can modify the intended logic of the query. + +## Remediation + +Refactor find or search queries to use standard +filtering operators such as `$gt` or `$in` instead of broad operators such +as `$where`. If possible, disable the MongoDB JavaScript interface entirely. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 943.1 | false | 943 | Active | high | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/943.html) +- [Disabling MongoDB Server Side JS](https://www.mongodb.com/docs/manual/core/server-side-javascript/#std-label-disable-server-side-js) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md index 4d41f08672e..b6f8f1cea3f 100644 --- a/doc/user/application_security/dast/checks/index.md +++ b/doc/user/application_security/dast/checks/index.md @@ -170,4 +170,11 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne | [113.1](113.1.md) | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active | | [22.1](22.1.md) | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active | | [611.1](611.1.md) | External XML Entity Injection (XXE) | High | Active | +| [89.1](89.1.md) | SQL Injection | High | Active | +| [917.1](917.1.md) | Expression Language Injection | High | Active | +| [94.1](94.1.md) | Server-side code injection (PHP) | High | Active | +| [94.2](94.2.md) | Server-side code injection (Ruby) | High | Active | +| [94.3](94.3.md) | Server-side code injection (Python) | High | Active | | [94.4](94.4.md) | Server-side code injection (NodeJS) | High | Active | +| [943.1](943.1.md) | Improper neutralization of special elements in data query logic | High | Active | +> diff --git a/spec/frontend/analytics/cycle_analytics/mock_data.js b/spec/frontend/analytics/cycle_analytics/mock_data.js index 7ad95cab9ad..e0b6f4aa8c4 100644 --- a/spec/frontend/analytics/cycle_analytics/mock_data.js +++ b/spec/frontend/analytics/cycle_analytics/mock_data.js @@ -11,7 +11,7 @@ import { DEFAULT_VALUE_STREAM, PAGINATION_TYPE, PAGINATION_SORT_DIRECTION_DESC, - PAGINATION_SORT_FIELD_END_EVENT, + PAGINATION_SORT_FIELD_DURATION, } from '~/analytics/cycle_analytics/constants'; import { convertObjectPropsToCamelCase } from '~/lib/utils/common_utils'; import { getDateInPast } from '~/lib/utils/datetime_utility'; @@ -245,7 +245,7 @@ export const valueStreamStages = rawValueStreamStages.map((s) => export const initialPaginationQuery = { page: 15, - sort: PAGINATION_SORT_FIELD_END_EVENT, + sort: PAGINATION_SORT_FIELD_DURATION, direction: PAGINATION_SORT_DIRECTION_DESC, }; @@ -257,7 +257,7 @@ export const initialPaginationState = { export const basePaginationResult = { pagination: PAGINATION_TYPE, - sort: PAGINATION_SORT_FIELD_END_EVENT, + sort: PAGINATION_SORT_FIELD_DURATION, direction: PAGINATION_SORT_DIRECTION_DESC, page: null, }; diff --git a/spec/frontend/analytics/cycle_analytics/store/mutations_spec.js b/spec/frontend/analytics/cycle_analytics/store/mutations_spec.js index 25fed2b1714..a37f37aaaf4 100644 --- a/spec/frontend/analytics/cycle_analytics/store/mutations_spec.js +++ b/spec/frontend/analytics/cycle_analytics/store/mutations_spec.js @@ -2,7 +2,7 @@ import { useFakeDate } from 'helpers/fake_date'; import * as types from '~/analytics/cycle_analytics/store/mutation_types'; import mutations from '~/analytics/cycle_analytics/store/mutations'; import { - PAGINATION_SORT_FIELD_END_EVENT, + PAGINATION_SORT_FIELD_DURATION, PAGINATION_SORT_DIRECTION_DESC, } from '~/analytics/cycle_analytics/constants'; import { @@ -99,7 +99,7 @@ describe('Project Value Stream Analytics mutations', () => { ${types.SET_LOADING} | ${true} | ${'isLoading'} | ${true} ${types.SET_LOADING} | ${false} | ${'isLoading'} | ${false} ${types.SET_SELECTED_VALUE_STREAM} | ${selectedValueStream} | ${'selectedValueStream'} | ${selectedValueStream} - ${types.SET_PAGINATION} | ${pagination} | ${'pagination'} | ${{ ...pagination, sort: PAGINATION_SORT_FIELD_END_EVENT, direction: PAGINATION_SORT_DIRECTION_DESC }} + ${types.SET_PAGINATION} | ${pagination} | ${'pagination'} | ${{ ...pagination, sort: PAGINATION_SORT_FIELD_DURATION, direction: PAGINATION_SORT_DIRECTION_DESC }} ${types.SET_PAGINATION} | ${{ ...pagination, sort: 'duration', direction: 'asc' }} | ${'pagination'} | ${{ ...pagination, sort: 'duration', direction: 'asc' }} ${types.SET_SELECTED_STAGE} | ${selectedStage} | ${'selectedStage'} | ${selectedStage} ${types.RECEIVE_VALUE_STREAMS_SUCCESS} | ${[selectedValueStream]} | ${'valueStreams'} | ${[selectedValueStream]} |