Skip to content

ETV: include_source_code param for ai action

What does this MR do and why?

This MR provides the include_source_code parameter to the Explain This Vulnerability AI action parameter, enabling the frontend (and thereby the user) to engage with the AI action and choose to include the source code in the AI prompt sent. This puts the power over the personal information possibly present in the code in the hands of the user to determine if they want it to be sent.

Screenshots or screen recordings

Screenshot_from_2023-06-22_19-59-11

How to set up and validate locally

Assuming you've a GDK sufficiently configured to execute Vertex AI explain this vulnerability requests against vulnerabilities which possess valid code, execution of the following mutation succeed.

mutation {
  aiAction(input: { explainVulnerability: {resourceId: "gid://gitlab/Vulnerability/677", includeSourceCode: true }}) {
    requestId
  }
}

Unfortunately because the AiAction mutation respond through a subscription webhook, we're unable to retrieve the response for this request, so you will need to execute a script in the rails console to validate the response output behaves as expected:

::Gitlab::Llm::OpenAi::Completions::ExplainVulnerability.new(::Gitlab::Llm::Templates::ExplainVulnerability).execute(User.first, Vulnerability.last, include_source_code: true)

=> {:request_id=>nil,
 :errors=>[],
 :role=>"assistant",
 :content=>
  "# Vulnerability Explanation\n\nThe vulnerability \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\" occurs when user input is not properly sanitized and is directly incorporated into an SQL query. This allows an attacker to inject malicious SQL code into the query, potentially giving them unauthorized access to sensitive data or the ability to modify or delete data.\n\nIn the file \"SqliteDbProvider.cs\", the vulnerable code is:\n\n```\nSqliteCommand command = new SqliteCommand(sql, connection);\n```\n\nThis code creates an SQL command using the \"sql\" variable without properly sanitizing it, making it vulnerable to SQL injection attacks.\n\n# Code Example of Exploiting the Vulnerability\n\nAn attacker can take advantage of this vulnerability by injecting malicious SQL code into the \"sql\" variable. For example, consider the following code:\n\n```\nstring username = \"admin'; DROP TABLE users; --\";\nstring sql = \"SELECT * FROM users WHERE username = '\" + username + \"';\";\nSqliteCommand command = new SqliteCommand(sql, connection);\n```\n\nIn this code, the attacker has injected the SQL command \"DROP TABLE users\" into the query by adding it to the \"username\" variable. When the query is executed, it will not only retrieve data for the \"admin\" user, but also delete the entire \"users\" table.\n\n# Code Example of Fixing the Vulnerability\n\nTo fix this vulnerability, user input must be properly sanitized before being incorporated into an SQL query. One way to do this is to use parameterized queries, which separate the SQL code from the user input. Here is an example of how to fix the vulnerable code using parameterized queries:\n\n```\nstring username = \"admin'; DROP TABLE users; --\";\nstring sql = \"SELECT * FROM users WHERE username = @username;\";\nSqliteCommand command = new SqliteCommand(sql, connection);\ncommand.Parameters.AddWithValue(\"@username\", username);\n```\n\nIn this code, the SQL code is separated from the user input by using the \"@username\" parameter. The user input is then added to the query using the \"AddWithValue\" method, which properly sanitizes the input.\n\n# Conclusion\n\nThe vulnerability \"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\" can be a serious security risk if not properly addressed. By using parameterized queries and properly sanitizing user input, developers can prevent SQL injection attacks and protect sensitive data."}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #415615 (closed)

Edited by Gregory Havenga

Merge request reports

Loading