gpt4 book ai didi

security - 用 gitlab 卑鄙地打嗝

转载 作者:行者123 更新时间:2023-12-05 05:31:48 26 4
gpt4 key购买 nike

我想使用 Burp dastardly这是来自 portswigger 的新 DAST 工具。
实际上,我在 Gitlab CI/CD 中尝试过,但出现错误!我什至在我的服务器上试过了。

这是我在 Gitlab 中使用它的方式:

Burp_DAST:
stage: dast
image: docker:stable
script:
- |
docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
DASTARDLY_TARGET_URL=$TARGET_URL -e \
DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
artifacts:
paths:
- "$CI_PROJECT_NAME-dastardly-report.xml"
when: always

我有这个错误:

2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.

编辑

我确实在我的服务器上试过了,发现如果你用除 root 以外的任何 sudoer 用户运行它,它都能正常工作。这是我使用的命令:

 sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TAGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest

所以我需要如何在 Gitlab 中执行此操作,因为 docker:dind 以 root 用户运行并且 docker:dind-rootless 在 gitlab 中无法正常工作?

最佳答案

我正在运行脚本来运行 docker-entrypoint.sh这是我实现的工作 CI。

stages:
- dastardly

dastardly_burpsuit:
image:
name: public.ecr.aws/portswigger/dastardly:latest
entrypoint: [""]
stage: dastardly
variables:
# No need to clone the repo, we exclusively work on artifacts. See
# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
GIT_STRATEGY: none
DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
artifacts:
paths:
- "$CI_PROJECT_NAME-dastardly-report.xml"
when: always
script:
- "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"

关于security - 用 gitlab 卑鄙地打嗝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74282431/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com