Blog / AI/ML
AI/ML security tutorial

Remediating vulnerabilities with GitLab's security insights and AI

Fernando Diaz ·
Aug 31, 2023 · 13 min read
Fernando Diaz GitLab profile

We recently introduced GitLab Duo, a complete suite of AI capabilities to power your DevSecOps workflows. GitLab Duo's AI features not only enable you to write secure code faster, but also enhance productivity by providing helpful explanations and insights into your code. For instance, you can harness the power of AI to prevent security breaches. In this tutorial, we will go over the Explain this Vulnerability AI feature, which is in beta, and how it can be used with vulnerability insights to remediate vulnerabilities.

You will learn the following:

See the following video for a quick overview of Vulnerability Insights + AI "Explain this Vulnerability".

You can also see a detailed walkthrough of Leveraging GitLab Vulnerability Insights + AI to Remediate a SQL-Injection in the Solving a SQL injection using vulnerability insights and AI section below.

What is the Explain this Vulnerability AI feature?

The Explain this Vulnerability feature leverages an LLM powered by Google AI to assist you in securing your application by:

To begin using Explain this Vulnerability, you must have the following prerequisites configured:

Once the prerequisites have been configured, to begin using Explain this Vulnerability, perform the following steps:

1) Navigate to the Vulnerability Report.
2) Find a SAST vulnerability finding.
3) Scroll to the bottom of the vulnerability page.
4) Press the Try it out button in "Explain this Vulnerability and how to mitigate it with AI" section.

View of the "Try it out" button at bottom of screen

Once you click the button, GitLab will begin to generate the following:

AI response depicting the above list

This information can be used together with vulnerability insights to resolve the vulnerability. Now let's discuss vulnerability insights.

Vulnerability insights

Vulnerability insights provide detailed information on a vulnerability and how to resolve it. This detailed information includes:

Note: Results may vary depending on the scanner used.

Having all this information not only allows you to resolve a vulnerability with ease but also enhances your security knowledge. All these insights are provided as a single source of truth that both developer and security teams can view and take action on asynchronously.

Developers can leverage insights within a merge request (MR). The MR insights show the vulnerabilities in the diff between a feature branch and the branch you are merging into. This allows you to continuously iterate until you have resolved a vulnerability and then alert security engineers when approval is required, giving developers the power to resolve vulnerabilities themselves.

MR insights sample

The security team can leverage insights via the vulnerability report. The vulnerability report shows vulnerabilities present in the default branch, which is typically linked to production. From here, the security team can collaborate on a resolution as well as triage and manage vulnerabilities.

Vulnerability report sample

Note: Currently, the Explain this Vulnerability feature can only be seen in the Vulnerability Report view. It is currently being considered for the MR view, see future iterations under consideration for more information.

Solving a SQL injection using vulnerability insights and AI

By leveraging both vulnerability insights and Explain this Vulnerability, we have all the resources necessary to not only resolve a vulnerability but also understand it. Let's see how we can use these features to solve a SQL injection.

Now let's go over the steps to remediate a SQL injection. You can follow along with the video:

Privacy notice: Explain this Vulnerability only uses public repos to train the LLM. Code in private repositories is not transferred to the LLM.

I will be using the Simple Notes project to showcase this. You can set up DevSecOps within GitLab yourself by going over the following tutorial. After you have done so, you can run through the following:

1) Navigate to Secure > Vulnerability Report.

2) Sort by SAST under Scanner.

3) Find and select a SQL injection vulnerability. a SQL injection will be titled something like Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

4) Examine the vulnerability insights.

SQL Injection Walkthrough - Insights

5) Scroll down to the "Explain this vulnerability and how to mitigate it with AI** section and click the Try it out button.

Privacy notice: If the Send code to prompt radio button is selected, response quality is improved. However, the actual code is used in a query to the LLM (even in private repositories).

SQL Injection Walkthrough - AI "Try it out" button

6) Examine the provided AI solutions.

SQL Injection Walkthrough - AI response

7) Exploit the vulnerability We can use the information provided in the AI response, the samples in the vulnerability insight CWE identifier, and the applications API guide to generate a malicious curl command as follows:

# A REGULAR API-CALL
$ curl http://{LOAD_BALANCER_IP}/{APPLICATION_PATH}/api

{"Note":"[(1, 'cat'), (2, 'dog'), (3, 'frog'), (4, 'hog')]"}

# API CALL PASSING '1 or 1=1' AS SHOWN IN AI RESPONSE AND DETAILED IN IDENTIFIERS
# NOTE: `1%20or%201%3D1` IS URL ENCODED '1 or 1=1'
$ curl http://{LOAD_BALANCER_IP}/{APPLICATION_PATH}/api\?id\=1%20or%201%3D1

{"Note":"[(1, 'cat'), (2, 'dog'), (3, 'frog'), (4, 'hog'), (5, 'meow'), (6, 'bark'), (7, 'ribbit'), (8, 'grunt')]"}

This shows us that we can exploit the SQL injection since we exposed data we should not have access to. Exploiting a vulnerability is not always as simple, so it is important to combine resources as noted above to figure out exploitability.

8) Determine a fix.

Now that we know this is a problem within our system, we can use the provided information to create an merge request (MR) to resolve and then test the MR in a non-production environment. Reviewing the vulnerability insights and AI response, we know we can solve this in a variety of ways. For example, we can:

To enhance our knowledge, we should read CWE-89 provided in the Identifiers.

9) Open the GitLab WebIDE or editor of your choice.

10) Open the vulnerable file and scroll to the affected line of code. We found this using the information provided in the insights.

11) Apply the suggested change by reviewing the vulnerability insights and AI response. I changed the following:

try:
  query = "SELECT id, data FROM notes WHERE (secret IS FALSE AND id = %s)" % id
  if admin:
    query ="SELECT id, data, secret FROM notes WHERE (id = %s)" % id
  # NOT USING A PARAMETERIZED QUERY - SQL INJECTION CAN BE PASSED IN (,id)
  cur.execute(query)
except Exception as e:
  note.logger.error("Error: cannot select note by id - %s" % e)

to

try:
  query = "SELECT id, data FROM notes WHERE (secret IS FALSE AND id = %s)"
  if admin:
    query ="SELECT id, data, secret FROM notes WHERE (id = %s)"
  # USING A PARAMETERIZED QUERY - SQL INJECTION CANNOT BE PASSED IN (,id)
  cur.execute(query, (id,))
except Exception as e:
  note.logger.error("Error: cannot select note by id - %s" % e)

We know this is the solution because parameterized queries as explained do not allow actual SQL commands to be run. Therefore, a SQL injection cannot be passed as the id. Adding a parameterized query is easy since it is built into the Python db library we are using.

There may be multiple solutions to a vulnerability. It is up to the user to decide what is best for their application and workflow. The AI response provides a typical solution, but more can be examined and applied. For example, the AI response said we can add the following:

cur.execute(query.replace("'", "''"))

This would escape the single quotes in the input, making it safe to pass to the execute() method. It is a valid solution with less code required. However, I wanted to restructure my code, so I applied another solution found in the vulnerability insights.

12) Create an MR with the fix. In my environment, feature branches are automatically deployed to a new environment independent from production so we can test our features before merging them to production.

13) Test the change in a non-production environment.

Once we push the MR, we can see if the vulnerability has been resolved and we can test in a non-production environment:

# A REGULAR API-CALL
$ curl http://{LOAD_BALANCER_IP}/{NEW_BRANCH_FIXED_APPLICATION_PATH}/api

{"Note":"[(1, 'cat'), (2, 'dog'), (3, 'frog'), (4, 'hog')]"}

# API CALL PASSING '1 or 1=1' AS SHOWN IN AI RESPONSE AND DETAILED IN IDENTIFIERS
# NOTE: `1%20or%201%3D1` IS URL ENCODED '1 or 1=1'
$ curl http://{LOAD_BALANCER_IP}/{NEW_BRANCH_FIXED_APPLICATION_PATH}/api\?id\=1%20or%201%3D1

{"Note":"[(1, 'cat')]"}

We can see that now the additional query parameters or 1=1 are ignored and only the first element is returned, meaning only the 1 was passed. We can further test if we can get item 5 which we should not have access to:

# API CALL PASSING '5 or 1=1' AS SHOWN IN AI RESPONSE AND DETAILED IN IDENTIFIERS
# NOTE: `5%20or%201%3D1` IS URL ENCODED '5 or 1=1'
$ curl http://{LOAD_BALANCER_IP}/{NEW_BRANCH_FIXED_APPLICATION_PATH}/api\?id\=5%20or%201%3D1
{"Note":"[]"}

Success, the SQL injection is no longer present!

14) Merge into production.

Now that we know the vulnerability has been resolved we can go ahead and merge our fix! This is how you can use vulnerability insights to help resolve your vulnerabilities. If you wish to test all this for yourself, check out the complete GitLab DevSecOps tutorial.

Additional GitLab AI features

As we have seen above, Explain this Vulnerability assists you in remediating the vulnerabilities within your default branch, but that's not the only AI feature GitLab has available! Other AI features to enhance your productivity include:

Visit our GitLab Duo site to learn more about these features, GitLab's mission around AI, and our partnership with Google.

“Learn how to remediate a SQL-injection vulnerability using @gitlab security insights and AI” – Fernando Diaz

Click to tweet

Edit this page View source