path: root/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
blob: c3a92b67a8b97e7865836c729d22e8604c1078ab (plain)
# Pipeline stage order. `fuzz` is last, so the apifuzzer_fuzz job defined
# below only runs once the build, test and deploy stages have completed.
stages:
    - build
    - test
    - deploy
    - fuzz

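# Defaults for the API fuzzing job. Every value is a string so that the
# settings survive YAML implicit typing unchanged (FUZZAPI_TIMEOUT was the
# only bare number; it is now quoted like FUZZAPI_SERVICE_START_TIMEOUT).
variables:
    # Scan profile handed to the engine via -e FUZZAPI_PROFILE
    FUZZAPI_PROFILE: Quick
    # Tag of the api-fuzzing engine image (see the `docker run` in apifuzzer_fuzz).
    # `latest` is a mutable tag; projects that need reproducible scans should
    # override this with a fixed version.
    FUZZAPI_VERSION: latest
    # Path as seen inside the engine container, where $CI_PROJECT_DIR is mounted at /app
    FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
    FUZZAPI_TIMEOUT: "30"
    # Report file picked up by the job's artifacts:reports:junit entry
    FUZZAPI_REPORT: gl-api-fuzzing-report.xml
    #
    # Name of the bridge network shared by the engine, target and worker containers
    FUZZAPI_D_NETWORK: testing-net
    #
    # Wait up to 5 minutes for API Fuzzer and target url to become
    # available (non 500 response to HTTP(s))
    FUZZAPI_SERVICE_START_TIMEOUT: "300"
    #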

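# Runs the API fuzzing engine against the target. Changes from the previous
# revision: the registry token is passed on stdin instead of argv, the worker
# `docker run` is terminated correctly (the echo line previously swallowed it
# through a trailing backslash, so the worker never started), bash-only
# constructs (`[[`, `&>`) are replaced with POSIX sh equivalents, and the
# post-script comment is corrected.
apifuzzer_fuzz:
    stage: fuzz
    image: docker:19.03.12
    variables:
        DOCKER_DRIVER: overlay2
        # Empty value keeps the dind service on its non-TLS endpoint
        DOCKER_TLS_CERTDIR: ""
        FUZZAPI_PROJECT: $CI_PROJECT_PATH
        # Engine is addressed by container name on $FUZZAPI_D_NETWORK
        FUZZAPI_API: http://apifuzzer:80
    # A failing scan is reported but does not fail the pipeline
    allow_failure: true
    rules:
        # Explicit opt-out, globally or for the default branch only
        - if: $API_FUZZING_DISABLED
          when: never
        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
              $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
          when: never
        # Nothing to scan unless a HAR, an OpenAPI spec or a worker image is given
        - if: $FUZZAPI_HAR == null &&
              $FUZZAPI_OPENAPI == null &&
              $FUZZAPI_D_WORKER_IMAGE == null
          when: never
        - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
    services:
        - docker:19.03.12-dind
    script:
        #
        # Read the token from stdin so it is not exposed in the process list
        - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"
        #
        # Private bridge network for the engine, target and worker containers
        - docker network create --driver bridge "$FUZZAPI_D_NETWORK"
        #
        # Run user provided pre-script (executed verbatim; no-op when unset)
        - sh -c "$FUZZAPI_PRE_SCRIPT"
        #
        # Start peach testing engine container.
        # The checkout is mounted read/write at /app, which is where
        # FUZZAPI_CONFIG resolves. Ports 80/8000/514 are additionally
        # published on the dind daemon; containers on the shared network
        # reach the engine by name instead.
        - |
            docker run -d \
            --name apifuzzer \
            --network "$FUZZAPI_D_NETWORK" \
            -e Proxy:Port=8000 \
            -e TZ=America/Los_Angeles \
            -e FUZZAPI_API=http://127.0.0.1:80 \
            -e FUZZAPI_PROJECT \
            -e FUZZAPI_PROFILE \
            -e FUZZAPI_CONFIG \
            -e FUZZAPI_REPORT \
            -e FUZZAPI_HAR \
            -e FUZZAPI_OPENAPI \
            -e FUZZAPI_TARGET_URL \
            -e FUZZAPI_OVERRIDES_FILE \
            -e FUZZAPI_OVERRIDES_ENV \
            -e FUZZAPI_OVERRIDES_CMD \
            -e FUZZAPI_OVERRIDES_INTERVAL \
            -e FUZZAPI_TIMEOUT \
            -e FUZZAPI_VERBOSE \
            -e FUZZAPI_SERVICE_START_TIMEOUT \
            -e FUZZAPI_HTTP_USERNAME \
            -e FUZZAPI_HTTP_PASSWORD \
            -e GITLAB_FEATURES \
            -v "$CI_PROJECT_DIR:/app" \
            -p 80:80 \
            -p 8000:8000 \
            -p 514:514 \
            --restart=no \
            registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine
        #
        # Start target container (optional). The *_ENV/*_PORTS/*_VOLUME
        # variables are intentionally unquoted so they can carry several flags.
        - |
            if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
                docker run -d \
                    --name target \
                    --network "$FUZZAPI_D_NETWORK" \
                    $FUZZAPI_D_TARGET_ENV \
                    $FUZZAPI_D_TARGET_PORTS \
                    $FUZZAPI_D_TARGET_VOLUME \
                    --restart=no \
                    $FUZZAPI_D_TARGET_IMAGE \
                ; fi
        #
        # Start worker container (optional). Runs in the foreground, so this
        # step blocks until the worker exits. The `;` after the echo is
        # required: without it the continuation folds `docker run ...` into
        # the echo's arguments and the worker is never started.
        - |
            if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
                echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE"; \
                docker run \
                    --name worker \
                    --network "$FUZZAPI_D_NETWORK" \
                    -e FUZZAPI_API=http://apifuzzer:80 \
                    -e FUZZAPI_PROJECT \
                    -e FUZZAPI_PROFILE \
                    -e FUZZAPI_AUTOMATION_CMD \
                    -e FUZZAPI_CONFIG \
                    -e FUZZAPI_REPORT \
                    -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
                    $FUZZAPI_D_WORKER_ENV \
                    $FUZZAPI_D_WORKER_PORTS \
                    $FUZZAPI_D_WORKER_VOLUME \
                    --restart=no \
                    $FUZZAPI_D_WORKER_IMAGE \
                ; fi
        #
        # Wait for testing to complete if api fuzzer is scanning
        - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
        #
        # Propagate exit code from api fuzzer (if any). An empty inspect result
        # (container missing) is treated as a failure as well.
        - if [ "$(docker inspect apifuzzer --format='{{.State.ExitCode}}')" != "0" ]; then echo "API Fuzzing exited with an error. Logs are available as job artifacts."; docker logs apifuzzer; exit 1; fi
        #
        # Run user provided post-script (executed verbatim; no-op when unset)
        - sh -c "$FUZZAPI_POST_SCRIPT"
        #
    after_script:
        #
        # Shutdown all containers
        - echo "Stopping all containers"
        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
        - docker stop apifuzzer
        #
        # Save docker logs (stdout and stderr) as job artifacts
        - docker logs apifuzzer > gl-api_fuzzing-logs.log 2>&1
        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target > gl-api_fuzzing-target-logs.log 2>&1; fi
        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker > gl-api_fuzzing-worker-logs.log 2>&1; fi
        #
    artifacts:
        # Keep logs even when the job fails, since that is when they matter
        when: always
        paths:
            - ./gl-api_fuzzing*.log
            - ./gl-api_fuzzing*.zip
        reports:
            junit: $FUZZAPI_REPORT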

# end