
Improve UX for redacted fields in DAST Profiles

Dheeraj Joshi requested to merge djadmin-fix-auth-placeholders into master

A follow-up MR from !58735 (merged)

What does this MR do?

This tries to improve the UX for the request headers and password fields in the DAST Site Profile Form.

  • The backend has started sending redacted values for the request headers and password fields, when present.
  • The frontend now uses the backend values directly instead of mocking them with placeholders, for SSOT.
  • The frontend also makes sure not to send these dummy values in the mutations.

Screenshots (strongly suggested)

Refer to the request headers / password fields.

before (using placeholders) | after (input values)
[screenshot: before] | [screenshot: after]

How to test this?

  1. Enable the feature flag security_dast_site_profiles_additional_fields:
     echo "Feature.enable(:security_dast_site_profiles_additional_fields)" | rails c
  2. Navigate to the DAST profile library page in your GDK: /:namespace/:project/-/security/configuration/dast_profiles#site-profiles
  3. Select New > Site Profile or edit an existing profile

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
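The three bullets under "What does this MR do?" describe a pattern worth seeing end to end: the backend returns a redacted marker for secret fields, the form displays that marker as the field's value (so there is no client-side placeholder to keep in sync), and the update mutation omits any secret the user did not actually replace, so the dummy value never reaches the server. The following is an added example written for this page; it is not code from the GitLab MR, and the marker string, the profile shape and the function names are assumptions made for illustration.

```javascript
// Added example (not the MR's own code). The redacted marker below is an
// ASSUMPTION; the real redacted value is whatever the backend returns.
const REDACTED = '••••••••';

// Constructed sample of a site-profile query result (assumed shape).
const sampleProfile = {
  id: 'gid://gitlab/DastSiteProfile/1',
  name: 'Staging',
  targetUrl: 'https://staging.example.com',
  auth: { enabled: true, username: 'tester', password: REDACTED },
  requestHeaders: REDACTED,
};

// Initial form state is taken straight from the backend response, which is
// the single source of truth; no placeholder text is invented on the client.
function buildFormState(profile) {
  return {
    name: profile.name,
    targetUrl: profile.targetUrl,
    authEnabled: profile.auth.enabled,
    username: profile.auth.username,
    password: profile.auth.password ?? '',
    requestHeaders: profile.requestHeaders ?? '',
  };
}

function isRedacted(value) {
  return value === REDACTED;
}

// Recursively check a mutation payload for the redacted marker. Used as a
// last-line guard so a dummy value can never be sent by mistake.
function containsRedacted(value) {
  if (typeof value === 'string') return isRedacted(value);
  if (value && typeof value === 'object') {
    return Object.values(value).some(containsRedacted);
  }
  return false;
}

// Build the variables for the update mutation. A secret field is included
// only when the user replaced the redacted marker; an untouched field is left
// out entirely so the server keeps the stored secret unchanged.
function buildMutationInput(form, profileId) {
  const input = {
    id: profileId,
    name: form.name,
    targetUrl: form.targetUrl,
    auth: { enabled: form.authEnabled, username: form.username },
  };
  if (form.authEnabled && !isRedacted(form.password)) {
    input.auth.password = form.password;
  }
  if (!isRedacted(form.requestHeaders)) {
    input.requestHeaders = form.requestHeaders;
  }
  if (containsRedacted(input)) {
    throw new Error('refusing to send a redacted placeholder to the server');
  }
  return input;
}

// Usage: an unchanged form omits both secrets; an edited form sends them.
const initialForm = buildFormState(sampleProfile);
const unchangedInput = buildMutationInput(initialForm, sampleProfile.id);
const editedInput = buildMutationInput(
  { ...initialForm, password: 'new-secret', requestHeaders: 'X-Api-Key: abc' },
  sampleProfile.id,
);
```

Omitting the field, rather than sending an empty string, is the design choice that matters here: an absent key tells the server "leave the stored value alone", while an explicit value (including an empty one) is an instruction to overwrite it. The containsRedacted guard is cheap and catches any future field that starts carrying the marker without being wired through the same omission logic.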
