Show better error descriptions in on-demand dast
Follow-up on #327640 (closed)
Saving a site profile whose request headers or password field does not meet the minimum length requirement currently returns an unhelpful error.
Example GraphQL response:

```json
[
  {
    "data": {
      "dastSiteProfileCreate": {
        "id": null,
        "errors": [
          "Value is invalid"
        ],
        "dastSiteProfile": null,
        "__typename": "DastSiteProfileCreatePayload"
      }
    }
  }
]
```
This error is happening because the Maskable module included by the Dast::SiteProfileSecretVariable class validates the size of the attributes. The Password and Request Headers fields are masked attributes, and the minimum length is 8.
If we add a validation message on the Maskable module, it wouldn't be clear which attribute is invalid because all maskable attributes will have the same error message.
We also encode the password and the request headers before the size validation runs. Because the check is applied to the encoded value, a password or request header shorter than 8 characters is accepted as soon as its encoded form reaches the minimum length: "1ba" base64-encodes to the 4-character "MWJh" and is rejected, while "1bae" encodes to the 8-character "MWJhZQ==" and is accepted, as shown below:
```
[31] pry(main)> secret_variable.update(raw_value: "1ba")
  TRANSACTION (0.5ms)  BEGIN
  Dast::SiteProfileSecretVariable Exists? (0.4ms)  SELECT 1 AS one FROM "dast_site_profile_secret_variables" WHERE "dast_site_profile_secret_variables"."key" = 'DAST_PASSWORD_BASE64' AND "dast_site_profile_secret_variables"."id" != 2 AND "dast_site_profile_secret_variables"."dast_site_profile_id" = 3 LIMIT 1
  TRANSACTION (0.2ms)  ROLLBACK
=> false
[32] pry(main)> secret_variable.update(raw_value: "1bae")
  TRANSACTION (0.2ms)  BEGIN
  Dast::SiteProfileSecretVariable Exists? (0.4ms)  SELECT 1 AS one FROM "dast_site_profile_secret_variables" WHERE "dast_site_profile_secret_variables"."key" = 'DAST_PASSWORD_BASE64' AND "dast_site_profile_secret_variables"."id" != 2 AND "dast_site_profile_secret_variables"."dast_site_profile_id" = 3 LIMIT 1
  Dast::SiteProfileSecretVariable Update (1.3ms)  UPDATE "dast_site_profile_secret_variables" SET "updated_at" = '2022-11-15 17:23:09.054484', "encrypted_value" = '\x912ac2f96868cc19080ce318d5362b9390ee5c0531a74747', "encrypted_value_iv" = '\x364b70383443746d6d564a613545362b0a' WHERE "dast_site_profile_secret_variables"."id" = 2
  TRANSACTION (0.4ms)  COMMIT
=> true
```
Based on the two points above, I believe we should add a minimum length size validation to the Dast::SiteProfiles::CreateService for the following reasons:
- We could skip the transaction creation if the attributes are invalid
- We could return a more informative error message
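As an added illustration (example code written for this issue, not GitLab's Maskable module or CreateService), the following plain-Ruby script models the two behaviours discussed above: the current check, which base64-encodes the raw value before applying the 8-character minimum and so lets a 4-character password through, and the proposed service-level check that validates the raw value before any encoding or transaction and names the attribute in its message. The constant, method names and attribute labels are assumptions; the page does not show the real validation code.

```ruby
require 'base64'

# Minimum length for masked attributes, as stated in the issue (8).
MIN_MASKED_LENGTH = 8

# Current behaviour (constructed model, not the Maskable module itself):
# the raw value is base64-encoded before the length check, so the check
# runs against the encoded value rather than against what the user typed.
def encoded_value_valid?(raw_value)
  Base64.strict_encode64(raw_value).length >= MIN_MASKED_LENGTH
end

# Mirrors the generic error string seen in the GraphQL response: the
# caller cannot tell which attribute failed.
def current_errors(raw_value)
  encoded_value_valid?(raw_value) ? [] : ['Value is invalid']
end

# Proposed behaviour: validate the raw values in the create service before
# any encoding or database transaction, and report which attribute failed.
# The attribute labels are assumptions made for this example.
def service_errors(password: nil, request_headers: nil)
  { 'Password' => password, 'Request headers' => request_headers }
    .each_with_object([]) do |(name, value), errors|
    next if value.nil?                              # attribute not supplied
    next unless value.length < MIN_MASKED_LENGTH    # long enough, nothing to report
    errors << "#{name} must be at least #{MIN_MASKED_LENGTH} characters"
  end
end

# True when the service-level check rejects a raw value that the
# encode-then-validate check would have accepted.
def gap_closed?(raw_value)
  current_errors(raw_value).empty? && !service_errors(password: raw_value).empty?
end

if __FILE__ == $PROGRAM_NAME
  # The two values from the pry session in the issue.
  %w[1ba 1bae].each do |raw|
    encoded = Base64.strict_encode64(raw)
    puts "#{raw.inspect} (#{raw.length} chars) -> #{encoded.inspect} (#{encoded.length} chars)"
    puts "  current errors: #{current_errors(raw).inspect}"
    puts "  service errors: #{service_errors(password: raw).inspect}"
  end
end
```

Running the script shows "1bae" passing the encoded-length check while the service-level check rejects it with a message that names the password field; checking the raw value first also means no transaction is opened for input that is going to be rejected anyway.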