Burp Dastardly with GitLab

Question (votes: 0, answers: 2)

I want to use Burp Dastardly, PortSwigger's new DAST tool.
I actually tried it in GitLab CI/CD, but I get an error! Even when I tried it on my server.

This is how I use it in GitLab:

Burp_DAST:
  stage: dast
  image: docker:stable
  script:
    - |
      docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
      DASTARDLY_TARGET_URL=$TARGET_URL -e \
      DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
      public.ecr.aws/portswigger/dastardly:latest
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always

I get this error:

2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO  bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.

EDIT

I did try it on my server and found that it works fine if you run it as any sudoer user other than root. This is the command I used:

sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TARGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest

So how do I do this in GitLab, given that docker:dind runs as the root user and docker:dind-rootless doesn't work properly in GitLab?

security gitlab devops gitlab-ci burp
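The following wrapper is an added example for the docker:dind variant of the job above; it is not code from the question or from either answer, and not PortSwigger's. The point it addresses: inside a docker:dind job the shell is root, so `--user $(id -u):$(id -g)` expands to `--user 0:0`, which is exactly what triggers the "running as root" sandbox refusal in the log. The wrapper substitutes an unprivileged uid:gid instead and makes the bind-mounted workspace writable by it, since the container writes the report as that uid. Assumptions: the job image has the docker CLI and a docker:dind service (as in the question's job); uid/gid 1000 is an arbitrary unprivileged pair assumed acceptable to the image (the asker's own test only shows a non-root host uid working); `DASTARDLY_UID`, `DASTARDLY_GID` and `DRY_RUN` are hypothetical variable names introduced here; the file is saved as `dastardly-dind.sh`; `TARGET_URL` and `CI_PROJECT_NAME` come from CI variables.

```shell
#!/bin/sh
# Added example (not from the question/answers). Wraps the asker's docker:dind
# job so Dastardly never runs as uid 0. Hypothetical variables: DASTARDLY_UID,
# DASTARDLY_GID (fallback uid:gid, default 1000:1000) and DRY_RUN (print only).

# Return the uid:gid the scanner should run as. A non-root caller keeps its own
# ids (the setup the asker reports working on a server); root, which is what
# $(id -u) yields under docker:dind, gets the unprivileged fallback.
scan_user() {
  uid="$1"
  gid="$2"
  if [ "$uid" -eq 0 ]; then
    printf '%s:%s\n' "${DASTARDLY_UID:-1000}" "${DASTARDLY_GID:-1000}"
  else
    printf '%s:%s\n' "$uid" "$gid"
  fi
}

# The container writes the report as the unprivileged uid, so the bind-mounted
# workspace must be writable by it. chown works when the job is root (dind);
# chmod o+w is the fallback for a non-root host.
prepare_workdir() {
  workdir="$1"
  user="$2"
  mkdir -p "$workdir"
  chown "$user" "$workdir" 2>/dev/null || chmod o+w "$workdir"
}

# Build the docker invocation as an argument list (no eval, so URLs or paths
# with shell metacharacters are passed through intact). With DRY_RUN set the
# command is printed instead of executed.
run_dastardly() {
  user="$1"
  workdir="$2"
  target="$3"
  report="$4"
  set -- docker run --user "$user" --rm -v "$workdir:/dastardly" \
    -e "DASTARDLY_TARGET_URL=$target" \
    -e "DASTARDLY_OUTPUT_FILE=/dastardly/$report" \
    public.ecr.aws/portswigger/dastardly:latest
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

main() {
  user=$(scan_user "$(id -u)" "$(id -g)")
  workdir=$(pwd)
  report="${CI_PROJECT_NAME:-scan}-dastardly-report.xml"
  prepare_workdir "$workdir" "$user"
  run_dastardly "$user" "$workdir" "${TARGET_URL:?TARGET_URL must be set}" "$report"
}

# Run only when invoked as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "dastardly-dind.sh" ]; then
  main "$@"
fi
```

In the question's job this replaces the inline `docker run`: keep `image: docker:stable` and the dind service and use `script: - sh dastardly-dind.sh`. Keep `artifacts: when: always` as well, because, as the log shows, Dastardly exits non-zero when it reports any issue above INFO, and the XML report is still worth collecting from a failed job.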
2 Answers

1 vote

I'm running a script that runs docker-entrypoint.sh; this is the working CI I implemented.

stages:
  - dastardly

dastardly_burpsuit:
  image:
    name: public.ecr.aws/portswigger/dastardly:latest
    entrypoint: [""]
  stage: dastardly
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
    DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always
  script:
    - "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"

0 votes

If anyone else comes across this post and the above solution doesn't work, try replacing the script with

"/bin/bash /usr/local/bin/dastardly-entrypoint.sh dastardly"
