Merge branch 'check-content-type-and-be-less-permissive-in-site-validation' into 'master'

Address on-demand DAST site validation feedback

See merge request gitlab-org/gitlab!46906

ee/app/services/dast_site_validations/validate_service.rb

@@ -41,7 +41,7 @@ module DastSiteValidations
 
       case dast_site_validation.validation_strategy
       when 'text_file'
-        response.body.include?(token)
+        response.content_type == 'text/plain' && response.body == token
       when 'header'
         response.headers[DastSiteValidation::HEADER] == token
       else

ee/spec/services/dast_site_validations/validate_service_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe DastSiteValidations::ValidateService do
   let(:dast_site_validation) { create(:dast_site_validation) }
   let(:token) { dast_site_validation.dast_site_token.token }
+  let(:headers) { { 'Content-Type' => 'text/plain; charset=utf-8' } }
 
   subject do
     described_class.new(
@@ -36,7 +37,7 @@ RSpec.describe DastSiteValidations::ValidateService do
       before do
         stub_licensed_features(security_on_demand_scans: true)
         stub_feature_flags(security_on_demand_scans_site_validation: true)
-        stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
+        stub_request(:get, dast_site_validation.validation_url).to_return(body: token, headers: headers)
       end
 
       it 'validates the url before making an http request' do
@@ -110,7 +111,7 @@ RSpec.describe DastSiteValidations::ValidateService do
 
         context 'when the token is not found' do
           let(:token) do
-            SecureRandom.hex
+            '<div>' + dast_site_validation.dast_site_token.token + '</div>'
           end
 
           it 'raises an exception' do
@@ -123,10 +124,18 @@ RSpec.describe DastSiteValidations::ValidateService do
         let(:dast_site_validation) { create(:dast_site_validation, validation_strategy: :text_file) }
 
         before do
-          stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
+          stub_request(:get, dast_site_validation.validation_url).to_return(body: token, headers: headers)
         end
 
         it_behaves_like 'a validation'
+
+        context 'when content type is incorrect' do
+          let(:headers) { { 'Content-Type' => 'text/html; charset=UTF-8' } }
+
+          it 'raises an exception' do
+            expect { subject }.to raise_error(DastSiteValidations::ValidateService::TokenNotFound)
+          end
+        end
       end
 
       context 'when validation_strategy=header' do

ee/spec/workers/dast_site_validation_worker_spec.rb

@@ -21,14 +21,13 @@ RSpec.describe DastSiteValidationWorker do
     end
 
     context 'when the feature is enabled' do
-      let(:response_body) do
-        dast_site_validation.dast_site_token.token
-      end
+      let(:response_body) { dast_site_validation.dast_site_token.token }
+      let(:headers) { { 'Content-Type' => 'text/plain; charset=utf-8' } }
 
       before do
         stub_licensed_features(security_on_demand_scans: true)
         stub_feature_flags(security_on_demand_scans_site_validation: true)
-        stub_request(:get, dast_site_validation.validation_url).to_return(body: response_body)
+        stub_request(:get, dast_site_validation.validation_url).to_return(body: response_body, headers: headers)
       end
 
       context 'when the request body contains the token' do