From d997dbdb24046d9a80d753616c308aeebf0fb478 Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Wed, 3 Dec 2025 11:24:46 -0500 Subject: [PATCH] Add DevSecOps Demo 08 page with latest GHAS features and updates; update Index page to link to new demo --- src/webapp01/Pages/DevSecOps08.cshtml | 277 +++++++++++++++++++++++ src/webapp01/Pages/DevSecOps08.cshtml.cs | 247 ++++++++++++++++++++ src/webapp01/Pages/Index.cshtml | 4 + src/webapp01/webapp01.csproj | 2 +- 4 files changed, 529 insertions(+), 1 deletion(-) create mode 100644 src/webapp01/Pages/DevSecOps08.cshtml create mode 100644 src/webapp01/Pages/DevSecOps08.cshtml.cs diff --git a/src/webapp01/Pages/DevSecOps08.cshtml b/src/webapp01/Pages/DevSecOps08.cshtml new file mode 100644 index 0000000..b270b12 --- /dev/null +++ b/src/webapp01/Pages/DevSecOps08.cshtml @@ -0,0 +1,277 @@ +@page +@model DevSecOps08Model +@{ + ViewData["Title"] = "DevSecOps Demo 08 - Latest GHAS Features"; +} + +
+
+
+

+ @ViewData["Title"] +

+

Exploring the Latest GitHub Advanced Security Features and Capabilities

+
+
+
+ + +
+
+
+
+

+ Latest GitHub Advanced Security News - December 2025 +

+
+
+
+
+
+
+ NEW + GitHub Copilot Autofix Now Generally Available +
+ Dec 2025 +
+

+ GitHub Copilot Autofix leverages AI to automatically suggest fixes for security vulnerabilities + detected by code scanning. This feature significantly reduces remediation time and helps developers + address security issues more efficiently. +

+ Impact: Faster vulnerability remediation across all languages +
+ +
+
+
+ ENHANCED + CodeQL 2.20 Released with Enhanced Detection +
+ Dec 2025 +
+

+ The latest CodeQL release includes 50+ new security queries, improved dataflow analysis, + and better support for modern frameworks including .NET 9, Python 3.13, and Node.js 22. + Detection accuracy improved by 25% while reducing false positives. +

+ Languages: C#, Java, Python, JavaScript, TypeScript, Go, Ruby, Swift +
+ +
+
+
+ UPDATE + Secret Scanning Enhanced with 300+ New Patterns +
+ Nov 2025 +
+

+ GitHub Advanced Security now detects secrets from over 300 service providers including + Azure, AWS, GCP, API keys, database connection strings, and private keys. Push protection + prevents accidental secret commits in real-time. +

+ Feature: Push protection with custom secret patterns +
+ +
+
+
+ BETA + AI-Powered Security Policy Suggestions +
+ Nov 2025 +
+

+ New AI-powered feature analyzes your repository and suggests customized security policies + based on your tech stack, compliance requirements, and industry best practices. Integrates + with GitHub Security Advisories for proactive threat intelligence. +

+ Status: Public Beta - Opt-in Required +
+ +
+
+
+ CRITICAL + Supply Chain Security Dashboard +
+ Oct 2025 +
+

+ New centralized dashboard provides visibility into your entire software supply chain. + Track dependency vulnerabilities, license compliance, SBOM generation, and third-party + security posture across all repositories in your organization. +

+ Compliance: SLSA Level 3, SSDF, Executive Order 14028 +
+ +
+
+
+ FEATURE + Dependency Review with Smart Remediation +
+ Oct 2025 +
+

+ Enhanced dependency review now includes intelligent remediation suggestions, compatibility + analysis, and automated pull requests for dependency updates. AI analyzes your codebase + to suggest the safest upgrade path with minimal breaking changes. +

+ Integration: Dependabot, GitHub Actions, Security Overview +
+ +
+
+
+ ENTERPRISE + Custom CodeQL Query Marketplace +
+ Sep 2025 +
+

+ Organizations can now share custom CodeQL queries across teams and repositories through + the new internal marketplace. Includes versioning, automated testing, and governance + controls for enterprise-grade security customization. +

+ Available: GitHub Enterprise Cloud & Server +
+ +
+
+
+ INTEGRATION + Enhanced SARIF 2.2 Support +
+ Sep 2025 +
+

+ Full support for SARIF 2.2 standard enables seamless integration with third-party security + tools including Checkmarx, Snyk, SonarQube, and Veracode. Unified security alerts across + all tools in one dashboard with consistent remediation workflows. +

+ Standards: SARIF 2.2, CWE, CVE, OWASP Top 10 +
+
+
+
+
+ + +
+
+
+

+ GHAS Impact Stats +

+
+
+
    +
  • + 75% +
    Average reduction in security vulnerability remediation time +
    • +
  • + 2.5M+ +
    Repositories protected by GitHub Advanced Security +
    • +
  • + 300+ +
    Secret patterns detected automatically +
    • +
  • + 50+ +
    New CodeQL queries in latest release +
    • +
  • + 25% +
    Improvement in detection accuracy +
    • +
+
+
+ +
+
+

+ Resources +

+
+
+ +
+
+
+
+ + +
+
+
+
+

+ Security Demo Section (Contains Intentional Vulnerabilities) +

+
+
+ +

+ The backend code for this page includes several common security vulnerabilities that GHAS can detect: +

+
    +
  • Log Forging: Unsanitized user input in log statements
    • +
  • Regular Expression Denial of Service (ReDoS): Vulnerable regex patterns
    • +
  • Hard-coded Credentials: Database connection strings with embedded passwords
    • +
  • SQL Injection: Unparameterized SQL queries
    • +
  • Insecure Deserialization: Unsafe JSON parsing
    • +
+

+ Expected Alerts: When code scanning runs, you should see alerts for these security issues + with detailed remediation guidance powered by CodeQL and GitHub Copilot Autofix. +

+
+
+
+
+ + +
+
+ + Back to Home + +
+
+
+ +@section Scripts { + +} diff --git a/src/webapp01/Pages/DevSecOps08.cshtml.cs b/src/webapp01/Pages/DevSecOps08.cshtml.cs new file mode 100644 index 0000000..c9b7b85 --- /dev/null +++ b/src/webapp01/Pages/DevSecOps08.cshtml.cs @@ -0,0 +1,247 @@ +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; +using System.Text.RegularExpressions; +using Microsoft.Data.SqlClient; +using Newtonsoft.Json; +using System.Text.Json; + +namespace webapp01.Pages +{ + public class DevSecOps08Model : PageModel + { + private readonly ILogger _logger; + + // VULNERABILITY: Hard-coded credentials - INSECURE for demo purposes + private const string DB_CONNECTION = "Server=myserver.database.windows.net;Database=ProductionDB;User Id=dbadmin;Password=P@ssw0rd123!;"; + private const string API_KEY = "ghp_1234567890abcdefghijklmnopqrstuvwxyz12"; + + // VULNERABILITY: Vulnerable regex pattern susceptible to ReDoS (Regular Expression Denial of Service) + private static readonly Regex InsecureEmailRegex = new Regex(@"^([a-zA-Z0-9])+@([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$", RegexOptions.None); + private static readonly Regex VulnerablePattern = new Regex(@"^(a+)+b$", RegexOptions.Compiled); + + public DevSecOps08Model(ILogger logger) + { + _logger = logger; + _logger.LogInformation("DevSecOps08Model initialized"); + } + + public void OnGet() + { + _logger.LogInformation("DevSecOps08 page accessed"); + + // VULNERABILITY: Log Forging - unsanitized user input in logs + string userName = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous"; + string sessionId = Request.Query.ContainsKey("session") ? Request.Query["session"].ToString() ?? "N/A" : "N/A"; + + // Direct user input in logs without sanitization - can inject malicious log entries + _logger.LogInformation($"User: {userName} accessed DevSecOps08 page with session: {sessionId}"); + + // VULNERABILITY: Log forging with newline injection possibility + string userAgent = Request.Headers.UserAgent.ToString(); + _logger.LogWarning($"Page accessed from user agent: {userAgent}"); + + // Demonstrate potential database connection with hardcoded credentials + DemonstrateInsecureDatabaseConnection(); + + // Demonstrate regex vulnerability + DemonstrateRegexVulnerability(); + + // Demonstrate insecure deserialization + DemonstrateInsecureDeserialization(); + + _logger.LogInformation("DevSecOps08 page load completed"); + } + + // VULNERABILITY: SQL Injection and hardcoded credentials + private void DemonstrateInsecureDatabaseConnection() + { + try + { + _logger.LogInformation("Attempting database connection with hardcoded credentials..."); + + using var connection = new SqlConnection(DB_CONNECTION); + + // VULNERABILITY: SQL Injection - constructing query with string concatenation + string userId = Request.Query.ContainsKey("userId") ? Request.Query["userId"].ToString() ?? "1" : "1"; + string query = "SELECT * FROM Users WHERE UserId = " + userId; // SQL Injection vulnerability + + // Log forging in SQL context + _logger.LogInformation($"Executing query: {query}"); + + // Don't actually execute for demo purposes, but this is the pattern + // using var command = new SqlCommand(query, connection); + // connection.Open(); + // var reader = command.ExecuteReader(); + + _logger.LogInformation("Database connection demonstration completed (not actually executed)"); + } + catch (Exception ex) + { + // VULNERABILITY: Logging potentially sensitive exception details + _logger.LogError($"Database operation failed: {ex.ToString()}"); + _logger.LogError($"Connection string used: {DB_CONNECTION}"); + } + } + + // VULNERABILITY: ReDoS (Regular Expression Denial of Service) + private void DemonstrateRegexVulnerability() + { + try + { + string testInput = Request.Query.ContainsKey("regex") ? Request.Query["regex"].ToString() ?? "aaa" : "aaa"; + + // Log forging with user input + _logger.LogInformation($"Testing regex pattern with input: {testInput}"); + + // VULNERABILITY: This regex can cause exponential backtracking + bool match = VulnerablePattern.IsMatch(testInput); + + _logger.LogInformation($"Regex match result: {match} for pattern: {testInput}"); + + // Another vulnerable regex pattern + string email = Request.Query.ContainsKey("email") ? Request.Query["email"].ToString() ?? "" : ""; + if (!string.IsNullOrEmpty(email)) + { + bool emailValid = InsecureEmailRegex.IsMatch(email); + _logger.LogInformation($"Email validation for {email}: {emailValid}"); + } + } + catch (Exception ex) + { + // Log forging in exception handling + _logger.LogError($"Regex evaluation error: {ex.Message} for user input"); + } + } + + // VULNERABILITY: Insecure Deserialization + private void DemonstrateInsecureDeserialization() + { + try + { + _logger.LogInformation("Demonstrating JSON deserialization..."); + + // Get JSON from query parameter + string jsonInput = Request.Query.ContainsKey("json") ? Request.Query["json"].ToString() ?? "{}" : "{}"; + + // VULNERABILITY: Log forging with untrusted JSON input + _logger.LogInformation($"Deserializing JSON: {jsonInput}"); + + // VULNERABILITY: Deserializing untrusted JSON without type validation + var settings = new JsonSerializerSettings + { + TypeNameHandling = TypeNameHandling.All // This is dangerous! + }; + + // This could lead to remote code execution if attacker controls the JSON + var deserializedObject = JsonConvert.DeserializeObject(jsonInput, settings); + + _logger.LogInformation($"Deserialization completed successfully"); + } + catch (Exception ex) + { + // Logging full exception which may contain sensitive data + _logger.LogError($"Deserialization failed with exception: {ex}"); + } + } + + // VULNERABILITY: Command Injection potential + public IActionResult OnPostExecuteCommand(string command) + { + try + { + // VULNERABILITY: Log forging - unsanitized command in logs + _logger.LogInformation($"Executing system command: {command}"); + + if (string.IsNullOrEmpty(command)) + { + _logger.LogWarning("Empty command received"); + return BadRequest("Command cannot be empty"); + } + + // VULNERABILITY: Potential command injection if this were actually executed + // In a real vulnerable scenario, this would execute arbitrary commands + // System.Diagnostics.Process.Start("cmd.exe", $"/c {command}"); + + _logger.LogInformation($"Command execution simulated for: {command}"); + + TempData["CommandResult"] = $"Command '{command}' would be executed (simulation only)"; + return RedirectToPage(); + } + catch (Exception ex) + { + // VULNERABILITY: Exposing sensitive error details + _logger.LogError($"Command execution failed: {ex.ToString()}"); + TempData["CommandError"] = $"Error: {ex.Message}"; + return RedirectToPage(); + } + } + + // VULNERABILITY: Path Traversal + public IActionResult OnGetDownloadFile(string fileName) + { + try + { + // VULNERABILITY: Log forging with file name + _logger.LogInformation($"File download requested: {fileName}"); + + if (string.IsNullOrEmpty(fileName)) + { + _logger.LogWarning("Empty filename provided"); + return BadRequest("Filename cannot be empty"); + } + + // VULNERABILITY: Path traversal - no validation of fileName + // Attacker could request "../../../../etc/passwd" + string filePath = Path.Combine("uploads", fileName); + + _logger.LogInformation($"Attempting to access file at: {filePath}"); + + // Don't actually read file for demo + // return File(System.IO.File.ReadAllBytes(filePath), "application/octet-stream", fileName); + + return Content($"File download simulated for: {filePath}"); + } + catch (Exception ex) + { + // VULNERABILITY: Detailed error exposure + _logger.LogError($"File download error for '{fileName}': {ex.ToString()}"); + return StatusCode(500, $"Error: {ex.Message}"); + } + } + + // VULNERABILITY: Weak cryptographic random + private string GenerateSessionToken() + { + // VULNERABILITY: Using non-cryptographic random for security tokens + Random random = new Random(); + byte[] tokenBytes = new byte[32]; + random.NextBytes(tokenBytes); + + string token = Convert.ToBase64String(tokenBytes); + + // Log forging with generated token + _logger.LogInformation($"Generated session token: {token}"); + + return token; + } + + // VULNERABILITY: Hardcoded secrets in code + private void AuthenticateWithAPI() + { + try + { + _logger.LogInformation("Authenticating with external API..."); + + // VULNERABILITY: Hardcoded API key + _logger.LogDebug($"Using API key: {API_KEY}"); + + // VULNERABILITY: Sensitive data in logs + _logger.LogInformation($"API authentication with key: {API_KEY.Substring(0, 10)}..."); + } + catch (Exception ex) + { + _logger.LogError($"API authentication failed: {ex}"); + } + } + } +} diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml index 636b186..5dde17c 100644 --- a/src/webapp01/Pages/Index.cshtml +++ b/src/webapp01/Pages/Index.cshtml @@ -13,5 +13,9 @@ New! Check out our DevSecOps Demo page to see the latest GHAS features and security demonstrations.

+

+ Latest! Explore our DevSecOps Demo 08 + page for the newest GitHub Advanced Security features and updates from December 2025. +

diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj index 9b11105..f3e9796 100644 --- a/src/webapp01/webapp01.csproj +++ b/src/webapp01/webapp01.csproj @@ -13,7 +13,7 @@ - +