
Commit dfb13f0

Implement DevSecOps3 demo page with GHAS v3 features

- Add new DevSecOps3.cshtml page with latest GitHub Advanced Security content
- Implement DevSecOps3Model with intentionally insecure code for demo purposes
  - ReDoS vulnerable regex pattern
  - Log forging vulnerabilities
  - Hardcoded credentials and secrets
  - SQL injection potential
  - Excessive error information disclosure
- Update package references to exact versions specified:
  - System.Text.Json 8.0.4
  - Microsoft.Data.SqlClient 5.0.2
  - Newtonsoft.Json 12.0.2
- Add navigation links to DevSecOps3 page in layout and index
- Add ILogger implementation for backend code
- Build successful with intentional vulnerability warnings for GHAS demo

Addresses issue #84
1 parent ec181db commit dfb13f0

File tree

5 files changed

+299
-1
lines changed

Lines changed: 189 additions & 0 deletions
@@ -0,0 +1,189 @@
1+
@page
2+
@model DevSecOps3Model
3+
@{
4+
ViewData["Title"] = "DevSecOps with GitHub Advanced Security v3";
5+
}
6+
7+
<div class="container">
8+
<div class="row">
9+
<div class="col-12">
10+
<h1 class="display-4 text-primary">@ViewData["Title"]</h1>
11+
<p class="lead">Explore the latest features and capabilities of GitHub Advanced Security (GHAS) v3</p>
12+
<hr />
13+
</div>
14+
</div>
15+
16+
<!-- Alert for TempData messages -->
17+
@if (TempData["RegexResult"] != null)
18+
{
19+
<div class="alert alert-info alert-dismissible fade show" role="alert">
20+
@TempData["RegexResult"]
21+
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
22+
</div>
23+
}
24+
25+
@if (TempData["RegexError"] != null)
26+
{
27+
<div class="alert alert-danger alert-dismissible fade show" role="alert">
28+
@TempData["RegexError"]
29+
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
30+
</div>
31+
}
32+
33+
@if (TempData["LogResult"] != null)
34+
{
35+
<div class="alert alert-warning alert-dismissible fade show" role="alert">
36+
@TempData["LogResult"]
37+
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
38+
</div>
39+
}
40+
41+
<!-- Latest GHAS News Section -->
42+
<div class="row mb-4">
43+
<div class="col-12">
44+
<div class="card">
45+
<div class="card-header bg-success text-white">
46+
<h3 class="mb-0">Latest GitHub Advanced Security News</h3>
47+
</div>
48+
<div class="card-body">
49+
<h5 class="card-title">What's New in GHAS 2024-2025</h5>
50+
<ul class="list-group list-group-flush">
51+
<li class="list-group-item">
52+
<strong>Enhanced CodeQL Analysis:</strong> Improved detection for supply chain vulnerabilities and zero-day exploits
53+
</li>
54+
<li class="list-group-item">
55+
<strong>AI-Powered Security Insights:</strong> GitHub Copilot integration for automated security recommendations
56+
</li>
57+
<li class="list-group-item">
58+
<strong>Advanced Secret Scanning:</strong> Real-time detection with enterprise-grade pattern matching
59+
</li>
60+
<li class="list-group-item">
61+
<strong>Dependency Review v3:</strong> Enhanced vulnerability assessment with risk scoring and remediation guidance
62+
</li>
63+
<li class="list-group-item">
64+
<strong>Security Advisory Database:</strong> Comprehensive threat intelligence with automated patch suggestions
65+
</li>
66+
</ul>
67+
</div>
68+
</div>
69+
</div>
70+
</div>
71+
72+
<!-- Demo Sections -->
73+
<div class="row">
74+
<div class="col-md-6">
75+
<div class="card mb-4">
76+
<div class="card-header bg-warning text-dark">
77+
<h4 class="mb-0">Security Demo: Regex Exposure</h4>
78+
</div>
79+
<div class="card-body">
80+
<p>This demo shows potential ReDoS (Regular Expression Denial of Service) vulnerabilities:</p>
81+
<form method="post" asp-page-handler="TestRegex">
82+
<div class="mb-3">
83+
<label for="userInput" class="form-label">Test Input:</label>
84+
<input type="text" class="form-control" id="userInput" name="userInput"
85+
value="aaaaaaaaaaaaaaaaaaaaaaaaaaaa!" placeholder="Enter text to test against regex">
86+
</div>
87+
<button type="submit" class="btn btn-warning">Test Regex Pattern</button>
88+
</form>
89+
<small class="text-muted">Note: This uses a potentially vulnerable regex pattern for demonstration purposes</small>
90+
</div>
91+
</div>
92+
</div>
93+
94+
<div class="col-md-6">
95+
<div class="card mb-4">
96+
<div class="card-header bg-danger text-white">
97+
<h4 class="mb-0">Security Demo: Log Forging</h4>
98+
</div>
99+
<div class="card-body">
100+
<p>This demo shows log injection vulnerabilities:</p>
101+
<form method="post" asp-page-handler="TestLogging">
102+
<div class="mb-3">
103+
<label for="logMessage" class="form-label">Log Message:</label>
104+
<input type="text" class="form-control" id="logMessage" name="logMessage"
105+
value="Normal user action" placeholder="Enter log message">
106+
</div>
107+
<button type="submit" class="btn btn-danger">Write to Log</button>
108+
</form>
109+
<small class="text-muted">Note: This demonstrates insecure logging practices</small>
110+
</div>
111+
</div>
112+
</div>
113+
</div>
114+
115+
<!-- Security Features Overview -->
116+
<div class="row">
117+
<div class="col-12">
118+
<div class="card">
119+
<div class="card-header bg-primary text-white">
120+
<h4 class="mb-0">GHAS v3 Core Features</h4>
121+
</div>
122+
<div class="card-body">
123+
<div class="row">
124+
<div class="col-md-4">
125+
<h5>Code Scanning</h5>
126+
<ul>
127+
<li>CodeQL semantic analysis</li>
128+
<li>Third-party tool integration</li>
129+
<li>Custom query development</li>
130+
<li>Real-time PR scanning</li>
131+
</ul>
132+
</div>
133+
<div class="col-md-4">
134+
<h5>Secret Scanning</h5>
135+
<ul>
136+
<li>Provider-specific patterns</li>
137+
<li>Custom secret patterns</li>
138+
<li>Push protection</li>
139+
<li>Historical scan capabilities</li>
140+
</ul>
141+
</div>
142+
<div class="col-md-4">
143+
<h5>Dependency Management</h5>
144+
<ul>
145+
<li>Dependabot security updates</li>
146+
<li>License compliance</li>
147+
<li>Vulnerability database</li>
148+
<li>Supply chain security</li>
149+
</ul>
150+
</div>
151+
</div>
152+
</div>
153+
</div>
154+
</div>
155+
</div>
156+
157+
<!-- Resources Section -->
158+
<div class="row mt-4">
159+
<div class="col-12">
160+
<div class="card">
161+
<div class="card-header bg-info text-white">
162+
<h4 class="mb-0">GHAS v3 Resources</h4>
163+
</div>
164+
<div class="card-body">
165+
<div class="row">
166+
<div class="col-md-6">
167+
<h5>Documentation</h5>
168+
<ul class="list-unstyled">
169+
<li><a href="https://docs.github.com/en/code-security" target="_blank">GitHub Code Security Documentation</a></li>
170+
<li><a href="https://docs.github.com/en/code-security/code-scanning" target="_blank">Code Scanning v3 Documentation</a></li>
171+
<li><a href="https://docs.github.com/en/code-security/secret-scanning" target="_blank">Secret Scanning v3 Documentation</a></li>
172+
<li><a href="https://docs.github.com/en/code-security/dependabot" target="_blank">Dependabot v3 Documentation</a></li>
173+
</ul>
174+
</div>
175+
<div class="col-md-6">
176+
<h5>Training & Certification</h5>
177+
<ul class="list-unstyled">
178+
<li><a href="https://skills.github.com/" target="_blank">GitHub Skills Training</a></li>
179+
<li><a href="https://github.com/security-lab" target="_blank">GitHub Security Lab</a></li>
180+
<li><a href="https://codeql.github.com/" target="_blank">CodeQL Learning Resources</a></li>
181+
<li><a href="https://github.blog/category/security/" target="_blank">Security Blog Updates</a></li>
182+
</ul>
183+
</div>
184+
</div>
185+
</div>
186+
</div>
187+
</div>
188+
</div>
189+
</div>
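Review bot: The external links in the Resources card open with target="_blank" but carry no rel="noopener noreferrer"; add it so the opened site cannot reach window.opener of the demo app. Separately, the headings and link text brand the material as "GHAS v3", "Code Scanning v3 Documentation", "Secret Scanning v3 Documentation" and "Dependabot v3 Documentation" while every URL points at the unversioned GitHub docs; either drop "v3" from the link text or state on the page that the version label is a demo label, otherwise readers will look for a product version that the linked documentation does not mention.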
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,102 @@
1+
using Microsoft.AspNetCore.Mvc;
2+
using Microsoft.AspNetCore.Mvc.RazorPages;
3+
using System.Text.RegularExpressions;
4+
using Microsoft.Data.SqlClient;
5+
using Newtonsoft.Json;
6+
using System.Text.Json;
7+
8+
namespace webapp01.Pages
9+
{
10+
public class DevSecOps3Model : PageModel
11+
{
12+
private readonly ILogger<DevSecOps3Model> _logger;
13+
14+
public DevSecOps3Model(ILogger<DevSecOps3Model> logger)
15+
{
16+
_logger = logger;
17+
}
18+
19+
public void OnGet()
20+
{
21+
_logger.LogInformation("DevSecOps3 page accessed at {DateTime}", DateTime.Now);
22+
}
23+
24+
public IActionResult OnPostTestRegex(string userInput)
25+
{
26+
try
27+
{
28+
// SECURITY ISSUE: This regex pattern is vulnerable to ReDoS (Regular Expression Denial of Service)
29+
// The pattern (a+)+ creates exponential backtracking with inputs like "aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
30+
var vulnerablePattern = @"^(a+)+$";
31+
32+
_logger.LogInformation("Testing regex with input: {Input}", userInput);
33+
34+
var regex = new Regex(vulnerablePattern);
35+
var isMatch = regex.IsMatch(userInput ?? "");
36+
37+
TempData["RegexResult"] = $"Regex test completed. Input '{userInput}' match result: {isMatch}";
38+
39+
return RedirectToPage();
40+
}
41+
catch (Exception ex)
42+
{
43+
// SECURITY ISSUE: Exposing exception details in logs without sanitization
44+
_logger.LogError("Regex processing failed: {Exception}", ex.ToString());
45+
TempData["RegexError"] = $"Regex processing failed: {ex.Message}";
46+
return RedirectToPage();
47+
}
48+
}
49+
50+
public IActionResult OnPostTestLogging(string logMessage)
51+
{
52+
try
53+
{
54+
// SECURITY ISSUE: Log forging vulnerability - user input directly written to logs
55+
// Malicious input like "Normal log\r\n[ADMIN] Unauthorized access granted"
56+
// could inject fake log entries
57+
_logger.LogInformation("User action: {Message}", logMessage);
58+
59+
// SECURITY ISSUE: Hardcoded credentials for demo purposes
60+
var connectionString = "Server=localhost;Database=TestDB;User Id=admin;Password=Password123!;";
61+
62+
// SECURITY ISSUE: Potential SQL injection if this were used in actual queries
63+
var sqlQuery = $"INSERT INTO Logs (Message) VALUES ('{logMessage}')";
64+
65+
// SECURITY ISSUE: Using both JSON libraries unnecessarily (dependency confusion risk)
66+
var jsonData = JsonConvert.SerializeObject(new { message = logMessage, timestamp = DateTime.Now });
67+
var systemJsonData = System.Text.Json.JsonSerializer.Serialize(new { message = logMessage, timestamp = DateTime.Now });
68+
69+
_logger.LogInformation("Serialized data: {JsonData}", jsonData);
70+
71+
TempData["LogResult"] = $"Log entry created: '{logMessage}' at {DateTime.Now}";
72+
73+
return RedirectToPage();
74+
}
75+
catch (Exception ex)
76+
{
77+
// SECURITY ISSUE: Excessive error information disclosure
78+
_logger.LogError("Logging operation failed with full exception: {FullException}", ex);
79+
TempData["LogResult"] = $"Logging failed: {ex.Message} - {ex.StackTrace}";
80+
return RedirectToPage();
81+
}
82+
}
83+
84+
// SECURITY ISSUE: Method with potential for misuse if exposed
85+
private void ProcessSensitiveData(string userData)
86+
{
87+
// SECURITY ISSUE: No input validation or sanitization
88+
var processedData = userData.ToUpper();
89+
90+
// SECURITY ISSUE: Logging sensitive data without redaction
91+
_logger.LogInformation("Processing sensitive data: {SensitiveData}", processedData);
92+
93+
// SECURITY ISSUE: Hardcoded secret key
94+
var secretKey = "MySecretKey123!@#";
95+
96+
// SECURITY ISSUE: Weak encryption simulation
97+
var encodedData = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(processedData + secretKey));
98+
99+
_logger.LogInformation("Encoded result: {EncodedData}", encodedData);
100+
}
101+
}
102+
}
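Review bot: The comment above the two serializer calls ("dependency confusion risk") mislabels the issue: dependency confusion is a package-name resolving to a different registry's package, not referencing both Newtonsoft.Json and System.Text.Json in one class; reword it (for example "redundant JSON dependency widens the patch surface") so the demo does not teach the wrong term. Also, sqlQuery and systemJsonData are assigned but never used and ProcessSensitiveData is private and never called, so these will surface as compiler warnings rather than as CodeQL data-flow findings; if they are meant to produce alerts for the demo, wire them into a handler, otherwise document that they are illustrative only. Finally, for the ReDoS demo the comment should name the remediation next to the flaw: construct the Regex with a matchTimeout (new Regex(pattern, RegexOptions.None, TimeSpan.FromMilliseconds(200))) or use RegexOptions.NonBacktracking on .NET 7+, and catch RegexMatchTimeoutException; as written the handler runs the backtracking match synchronously on the request thread with no bound.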

src/webapp01/Pages/Index.cshtml

Lines changed: 4 additions & 0 deletions
@@ -13,5 +13,9 @@
1313
<strong>New!</strong> Check out our <a asp-page="/DevSecOps" class="btn btn-primary btn-sm">DevSecOps Demo</a>
1414
page to see the latest GHAS features and security demonstrations.
1515
</p>
16+
<p class="card-text">
17+
<strong>Latest!</strong> Explore our brand new <a asp-page="/DevSecOps3" class="btn btn-success btn-sm">DevSecOps v3 Demo</a>
18+
page featuring the newest GitHub Advanced Security v3 capabilities and enhanced security demonstrations.
19+
</p>
1620
</div>
1721
</div>
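Review bot: The new paragraph repeats the pattern of the one above it ("New!" for the DevSecOps demo, then "Latest!" for the v3 demo), and once the v3 page exists the "New!" badge on the older link is stale. Consider dropping the badge on the first paragraph or merging both into one card-text paragraph that lists the two demos.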

src/webapp01/Pages/Shared/_Layout.cshtml

Lines changed: 3 additions & 0 deletions
@@ -28,6 +28,9 @@
2828
<li class="nav-item">
2929
<a class="nav-link text-dark" asp-area="" asp-page="/DevSecOps">DevSecOps Demo</a>
3030
</li>
31+
<li class="nav-item">
32+
<a class="nav-link text-dark" asp-area="" asp-page="/DevSecOps3">DevSecOps v3</a>
33+
</li>
3134
<li class="nav-item">
3235
<a class="nav-link text-dark" asp-area="" asp-page="/Privacy">Privacy</a>
3336
</li>
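Review bot: The nav label is "DevSecOps v3" while the index page calls the same page "DevSecOps v3 Demo" and its ViewData title is "DevSecOps with GitHub Advanced Security v3"; pick one name for the link text in layout and index so users recognise it as the same page.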

src/webapp01/webapp01.csproj

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
1414
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
1515
<PackageReference Include="System.Text.Json" Version="8.0.4" />
16-
<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
16+
<PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
1717
</ItemGroup>
1818

1919
</Project>
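Review bot: This hunk downgrades Newtonsoft.Json from 13.0.1 to 12.0.2, a step back to an older release line; the commit message says the exact versions were specified, presumably so Dependabot raises an alert for the demo, but nothing in the project file records that intent. Add an XML comment beside the PackageReference (for example <!-- intentionally pinned to an outdated version for the GHAS Dependabot demo -->) so the next person running dotnet list package --vulnerable or triaging Dependabot PRs does not "fix" it, and do the same for the pinned System.Text.Json 8.0.4 and Microsoft.Data.SqlClient 5.0.2 if they are pinned for the same reason.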
