提交 10f80602 编辑于 作者: mc_rocha's avatar mc_rocha

Add GraphQL Scan method to DastSiteProfile

This merge request adds support for the
GraphQL scan method.

Changelog: added
EE: true
上级 b620c271
......@@ -32,10 +32,15 @@ class DastSiteProfile < ApplicationRecord
enum target_type: { website: 0, api: 1 }
enum scan_method: { site: 0, openapi: 1, har: 2, postman: 3 }, _prefix: true
enum scan_method: { site: 0, openapi: 1, har: 2, postman: 3, graphql: 4 }, _prefix: true
delegate :dast_site_validation, to: :dast_site, allow_nil: true
SCAN_METHOD_VARIABLE_MAP = { openapi: 'DAST_API_OPENAPI',
har: 'DAST_API_HAR',
postman: 'DAST_API_POSTMAN_COLLECTION',
graphql: 'DAST_API_GRAPHQL' }.with_indifferent_access.freeze
sanitizes! :name, :scan_file_path
before_save :ensure_scan_method, :ensure_scan_file_path
......@@ -178,13 +183,7 @@ def dast_api_config(url)
dast_api_config.append(key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls.join(',')) unless excluded_urls.empty?
if scan_method_openapi?
dast_api_config.append(key: 'DAST_API_OPENAPI', value: api_specification)
elsif scan_method_har?
dast_api_config.append(key: 'DAST_API_HAR', value: api_specification)
elsif scan_method_postman?
dast_api_config.append(key: 'DAST_API_POSTMAN_COLLECTION', value: api_specification)
end
dast_api_config.append(key: SCAN_METHOD_VARIABLE_MAP[scan_method], value: api_specification)
end
end
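Review bot: The rewritten append at the end of dast_api_config runs unconditionally, whereas the removed if/elsif chain appended nothing when scan_method was none of openapi/har/postman; for `site`, `SCAN_METHOD_VARIABLE_MAP[scan_method]` is nil, so a variable with `key: nil` would be appended if this method is reachable with that scan method (dast_api_config starts outside the hunk, so I cannot tell from here whether a caller rules that out). Keeping the old no-op explicit is a one-line guard: `dast_api_config.append(key: SCAN_METHOD_VARIABLE_MAP[scan_method], value: api_specification) if SCAN_METHOD_VARIABLE_MAP.key?(scan_method)`. If reaching this point with an unmapped scan method is a programming error instead, `SCAN_METHOD_VARIABLE_MAP.fetch(scan_method)` fails loudly rather than emitting a malformed CI variable. A short comment above the constant, e.g. `# Maps each API scan method to the DAST API variable carrying its specification; site has no entry on purpose.`, would record that the lookup is intentionally partial. The spec hunks add coverage only for graphql; an example asserting what a site target receives from this method would pin whichever behaviour is intended.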
......@@ -181,7 +181,7 @@
end
let(:scan_methods) do
{ site: 0, openapi: 1, har: 2, postman: 3 }
{ site: 0, openapi: 1, har: 2, postman: 3, graphql: 4 }
end
it { is_expected.to define_enum_for(:target_type).with_values(**target_types) }
......@@ -369,7 +369,7 @@
let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
let(:scan_method) { :openapi }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_HAR DAST_API_POSTMAN_COLLECTION] }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_HAR DAST_API_POSTMAN_COLLECTION DAST_API_GRAPHQL] }
let(:included) do
[
......@@ -401,7 +401,7 @@
let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
let(:scan_method) { :har }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_POSTMAN_COLLECTION] }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_POSTMAN_COLLECTION DAST_API_GRAPHQL] }
let(:included) do
[
......@@ -433,7 +433,7 @@
let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
let(:scan_method) { :postman }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR] }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR DAST_API_GRAPHQL] }
let(:included) do
[
......@@ -459,6 +459,38 @@
it_behaves_like 'an api target'
end
end
context 'when scan_method is graphql' do
let(:targeting_api) { 'graphql' }
let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
let(:scan_method) { :graphql }
let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR DAST_API_POSTMAN_COLLECTION] }
let(:included) do
[
{ key: 'DAST_API_GRAPHQL', value: scan_file_path, public: true },
{ key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls, public: true }
]
end
it_behaves_like 'an api target'
it_behaves_like 'an api target when dast_api_scanner is disabled'
context 'when scan_file_path is blank' do
let(:scan_file_path) { nil }
let(:included) do
[
{ key: 'DAST_API_GRAPHQL', value: subject.dast_site.url, public: true },
{ key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls, public: true }
]
end
it_behaves_like 'an api target'
end
end
end
context 'when auth is disabled' do