
Commit ff33c96

feat: Add DevSecOps-7492 demo page with intentional vulnerabilities
- Create new DevSecOps-7492.cshtml page showcasing 2026 GHAS features - Add comprehensive content on GitHub Advanced Security capabilities - Implement ILogger throughout backend code for proper logging - Update Index.cshtml with navigation link to new demo page Intentional Security Issues (For GHAS Demo): - Log forging vulnerabilities (CWE-117) - unsanitized user input in logs - ReDoS regex pattern (CWE-1333) - catastrophic backtracking - Hardcoded credentials (CWE-798) - database connection and API keys - Vulnerable dependencies - Newtonsoft.Json downgraded to 12.0.2 Package Changes: - Newtonsoft.Json: 13.0.1 → 12.0.2 (intentional downgrade for demo) - System.Text.Json: 8.0.4 (already installed) - Microsoft.Data.SqlClient: 5.0.2 (already installed) ⚠️ WARNING: Contains intentional vulnerabilities for educational purposes. DO NOT deploy to production. DO NOT copy without security review.
1 parent 159aae1 commit ff33c96


4 files changed

+395
-1
lines changed

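--- a/Pages/DevSecOps-7492.cshtml
+++ b/Pages/DevSecOps-7492.cshtml
@@ -0,0 +1,235 @@
+@page
+@model DevSecOps7492Model
+@{
+ViewData["Title"] = "DevSecOps Demo 7492 - GitHub Advanced Security";
+}
+
+<div class="container">
+<div class="row">
+<div class="col-12">
+<h1 class="display-4 text-primary">@ViewData["Title"]</h1>
+<p class="lead">Latest updates and features in GitHub Advanced Security</p>
+<hr />
+</div>
+</div>
+
+<!-- Alert Section -->
+@if (TempData["Message"] != null)
+{
+<div class="alert alert-info alert-dismissible fade show" role="alert">
+@TempData["Message"]
+<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+</div>
+}
+
+@if (TempData["Error"] != null)
+{
+<div class="alert alert-danger alert-dismissible fade show" role="alert">
+@TempData["Error"]
+<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+</div>
+}
+
+<div class="row">
+<!-- Latest GHAS News Section -->
+<div class="col-lg-9">
+<div class="card mb-4 shadow">
+<div class="card-header bg-dark text-white">
+<h3 class="card-title mb-0">
+<i class="bi bi-newspaper"></i> Latest GitHub Advanced Security News - 2026
+</h3>
+</div>
+<div class="card-body">
+@if (Model.LatestGHASNews.Any())
+{
+<div class="list-group list-group-flush">
+@foreach (var newsItem in Model.LatestGHASNews)
+{
+<div class="list-group-item d-flex align-items-start border-0 py-3">
+<span class="badge bg-success rounded-pill me-3 mt-1">LATEST</span>
+<div class="flex-grow-1">
+<p class="mb-2 fw-semibold">@newsItem</p>
+<small class="text-muted">
+<i class="bi bi-calendar3"></i> @DateTime.Now.ToString("MMMM dd, yyyy")
+</small>
+</div>
+</div>
+}
+</div>
+}
+else
+{
+<p class="text-muted">No news available at this time.</p>
+}
+</div>
+</div>
+
+<!-- GHAS Features Deep Dive -->
+<div class="card mb-4 shadow">
+<div class="card-header bg-primary text-white">
+<h3 class="card-title mb-0">
+<i class="bi bi-shield-shaded"></i> Advanced Security Features
+</h3>
+</div>
+<div class="card-body">
+<div class="row g-4">
+<div class="col-md-6">
+<div class="feature-box p-3 border rounded">
+<h5 class="text-primary">
+<i class="bi bi-code-slash"></i> CodeQL Analysis
+</h5>
+<p class="small">Advanced semantic code analysis engine that treats code as data to find vulnerabilities with high confidence and low false positives.</p>
+<ul class="small">
+<li>300+ queries for 12+ languages</li>
+<li>Custom query authoring support</li>
+<li>CI/CD integration</li>
+</ul>
+</div>
+</div>
+<div class="col-md-6">
+<div class="feature-box p-3 border rounded">
+<h5 class="text-success">
+<i class="bi bi-key-fill"></i> Secret Scanning
+</h5>
+<p class="small">Automatically detect and prevent exposure of secrets, tokens, and credentials across your codebase and commit history.</p>
+<ul class="small">
+<li>200+ partner patterns</li>
+<li>Custom pattern support</li>
+<li>Real-time push protection</li>
+</ul>
+</div>
+</div>
+<div class="col-md-6">
+<div class="feature-box p-3 border rounded">
+<h5 class="text-warning">
+<i class="bi bi-box-seam"></i> Dependency Security
+</h5>
+<p class="small">Monitor and manage open source dependencies with Dependabot alerts, security updates, and comprehensive vulnerability database.</p>
+<ul class="small">
+<li>Automated security updates</li>
+<li>Dependency review in PRs</li>
+<li>License compliance tracking</li>
+</ul>
+</div>
+</div>
+<div class="col-md-6">
+<div class="feature-box p-3 border rounded">
+<h5 class="text-info">
+<i class="bi bi-bar-chart-line"></i> Security Dashboard
+</h5>
+<p class="small">Organization-wide visibility into security posture with actionable insights, compliance reporting, and risk management.</p>
+<ul class="small">
+<li>Centralized alert management</li>
+<li>Compliance framework mapping</li>
+<li>Risk-based prioritization</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+</div>
+
+<!-- AI-Powered Security -->
+<div class="card mb-4 shadow">
+<div class="card-header bg-gradient" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);">
+<h3 class="card-title mb-0 text-white">
+<i class="bi bi-robot"></i> GitHub Copilot for Security
+</h3>
+</div>
+<div class="card-body">
+<p class="lead">AI-powered security analysis and remediation assistance</p>
+<div class="row">
+<div class="col-md-4">
+<div class="text-center p-3">
+<i class="bi bi-lightbulb text-warning" style="font-size: 2rem;"></i>
+<h6 class="mt-2">Smart Fixes</h6>
+<p class="small text-muted">AI suggests secure code alternatives</p>
+</div>
+</div>
+<div class="col-md-4">
+<div class="text-center p-3">
+<i class="bi bi-chat-dots text-primary" style="font-size: 2rem;"></i>
+<h6 class="mt-2">Explain Vulnerabilities</h6>
+<p class="small text-muted">Natural language explanations</p>
+</div>
+</div>
+<div class="col-md-4">
+<div class="text-center p-3">
+<i class="bi bi-signpost-2 text-success" style="font-size: 2rem;"></i>
+<h6 class="mt-2">Guided Remediation</h6>
+<p class="small text-muted">Step-by-step security fixes</p>
+</div>
+</div>
+</div>
+</div>
+</div>
+</div>
+
+<!-- Sidebar -->
+<div class="col-lg-3">
+<div class="card mb-4 shadow-sm">
+<div class="card-header bg-info text-white">
+<h5 class="mb-0">
+<i class="bi bi-info-circle"></i> Quick Stats
+</h5>
+</div>
+<div class="card-body">
+<div class="mb-3">
+<h6 class="text-muted small mb-1">Total News Items</h6>
+<h3 class="text-primary mb-0">@Model.LatestGHASNews.Count</h3>
+</div>
+<div class="mb-3">
+<h6 class="text-muted small mb-1">Page Views</h6>
+<h3 class="text-success mb-0">@Model.PageViews</h3>
+</div>
+<div>
+<h6 class="text-muted small mb-1">Last Updated</h6>
+<p class="small mb-0">@DateTime.Now.ToString("MMM dd, yyyy HH:mm")</p>
+</div>
+</div>
+</div>
+
+<div class="card shadow-sm">
+<div class="card-header bg-secondary text-white">
+<h5 class="mb-0">
+<i class="bi bi-link-45deg"></i> Resources
+</h5>
+</div>
+<div class="card-body">
+<ul class="list-unstyled">
+<li class="mb-2">
+<a href="https://docs.github.com/en/code-security" class="text-decoration-none" target="_blank">
+<i class="bi bi-book"></i> Documentation
+</a>
+</li>
+<li class="mb-2">
+<a href="https://github.com/security" class="text-decoration-none" target="_blank">
+<i class="bi bi-shield-check"></i> Security Blog
+</a>
+</li>
+<li class="mb-2">
+<a href="https://github.com/features/security" class="text-decoration-none" target="_blank">
+<i class="bi bi-star"></i> Features
+</a>
+</li>
+<li>
+<a href="https://gh.io/advanced-security" class="text-decoration-none" target="_blank">
+<i class="bi bi-briefcase"></i> Enterprise
+</a>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+</div>
+
+<style>
+.feature-box {
+transition: transform 0.2s, box-shadow 0.2s;
+}
+.feature-box:hover {
+transform: translateY(-5px);
+box-shadow: 0 4px 8px rgba(0,0,0,0.1);
+}
+</style>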
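Review bot: Nothing on this page posts to the `OnPostTestPattern` handler that the code-behind defines — there is no `<form method="post" asp-page-handler="TestPattern">` anywhere in the markup — so the POST-side ReDoS and log-forging demo paths are only reachable by hand-crafting a request, and the GET `?test=` / `?user=` query parameters the code-behind reads are likewise not mentioned anywhere on the page. A one-line form such as `<form method="post" asp-page-handler="TestPattern"><input name="pattern" class="form-control" /><button type="submit" class="btn btn-primary">Test pattern</button></form>` placed above the Alert Section would make the demo self-contained and lets the Razor Pages antiforgery token be emitted automatically. The four `target="_blank"` anchors in the Resources card carry no `rel="noopener noreferrer"`; current browsers imply `noopener` for `_blank`, but stating it explicitly remains the defensive default. `@TempData["Message"]` and `@newsItem` are Razor-encoded on output, so the user-supplied pattern echoed back through `TempData["Message"]` is not an XSS sink and does not need to be listed among the intentional issues.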
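--- a/Pages/DevSecOps-7492.cshtml.cs
+++ b/Pages/DevSecOps-7492.cshtml.cs
@@ -0,0 +1,155 @@
+// ⚠️ SECURITY WARNING: This file contains INTENTIONAL vulnerabilities
+// for GitHub Advanced Security demonstration and training purposes.
+// DO NOT use this code in production environments.
+// DO NOT copy-paste without understanding security implications.
+// These vulnerabilities are designed to trigger GHAS detection capabilities.
+
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using Microsoft.Data.SqlClient;
+using Newtonsoft.Json;
+using System.Text.Json;
+
+namespace webapp01.Pages
+{
+public class DevSecOps7492Model : PageModel
+{
+private readonly ILogger<DevSecOps7492Model> _logger;
+
+// SECURITY ISSUE: Hardcoded database credentials - for demo purposes only!
+private const string DB_CONNECTION = "Server=demo-server;Database=SecurityDemo;User Id=demouser;Password=DemoPass2026!;";
+
+// SECURITY ISSUE: Vulnerable regex pattern susceptible to ReDoS (Regular Expression Denial of Service)
+private static readonly Regex InsecureRegex = new Regex(@"^(([a-z])+.)+[A-Z]([a-z])+$", RegexOptions.None);
+
+// SECURITY ISSUE: API key hardcoded
+private const string API_KEY = "ghp_demo1234567890abcdefghijklmnopqrst";
+
+public DevSecOps7492Model(ILogger<DevSecOps7492Model> logger)
+{
+_logger = logger;
+}
+
+public List<string> LatestGHASNews { get; set; } = new();
+public int PageViews { get; set; }
+
+public void OnGet()
+{
+// SECURITY ISSUE: Log forging - unsanitized user input directly written to logs
+string userAgent = Request.Headers["User-Agent"].ToString();
+string remoteIp = Request.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+string userName = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous";
+
+// Log forging vulnerability - attacker can inject newlines and fake log entries
+_logger.LogInformation($"DevSecOps-7492 page accessed by: {userName} from IP: {remoteIp}");
+_logger.LogInformation($"User-Agent: {userAgent}");
+
+// Simulate page view counter
+PageViews = new Random().Next(1000, 5000);
+
+// Load latest GitHub Advanced Security news
+LoadLatestGHASNews();
+
+// SECURITY ISSUE: Vulnerable regex testing
+string testInput = Request.Query.ContainsKey("test") ? Request.Query["test"].ToString() ?? "" : "";
+if (!string.IsNullOrEmpty(testInput))
+{
+try
+{
+// This regex is vulnerable to ReDoS attacks
+var match = InsecureRegex.IsMatch(testInput);
+// Log forging in conditional logic
+_logger.LogInformation($"Regex test performed on input: {testInput}, result: {match}");
+}
+catch (Exception ex)
+{
+// SECURITY ISSUE: Logging sensitive exception details
+_logger.LogError($"Regex evaluation failed for user input: {testInput}. Exception details: {ex.ToString()}");
+}
+}
+
+// SECURITY ISSUE: SQL connection with hardcoded credentials
+try
+{
+using var sqlConnection = new SqlConnection(DB_CONNECTION);
+_logger.LogInformation("Establishing database connection for demo...");
+// Note: Not actually opening connection for demo safety
+// sqlConnection.Open();
+}
+catch (Exception ex)
+{
+_logger.LogError($"Database connection attempt failed: {ex.Message}");
+}
+
+// SECURITY ISSUE: Logging API key
+_logger.LogDebug($"Using API key for external service: {API_KEY.Substring(0, 10)}...");
+}
+
+private void LoadLatestGHASNews()
+{
+// Latest GitHub Advanced Security news for 2026
+LatestGHASNews = new List<string>
+{
+"GitHub Advanced Security introduces AI-powered vulnerability prioritization with Copilot integration",
+"CodeQL 2.25 released with support for 15+ programming languages and 50+ new security queries",
+"Secret scanning now detects over 250 token types with enhanced pattern matching algorithms",
+"New GHAS feature: Real-time security analysis in GitHub Copilot Chat for instant remediation advice",
+"Dependency review now includes license risk assessment and supply chain attack detection",
+"GitHub Security Advisories Database expands to 500,000+ CVEs with ML-enhanced matching",
+"Custom CodeQL packs can now be shared privately across GitHub Enterprise organizations",
+"Push protection blocks 95% of secret leaks before they reach repositories",
+"Security overview dashboard adds compliance mapping for SOC 2, ISO 27001, and NIST frameworks",
+"Code scanning autofix suggests secure code replacements with one-click remediation",
+"New API endpoints for security alert management and automated workflow integration",
+"GitHub Advanced Security for Azure DevOps reaches general availability"
+};
+
+// SECURITY ISSUE: Potential JSON deserialization vulnerability
+// Using older Newtonsoft.Json version (12.0.2) which has known vulnerabilities
+string jsonData = JsonConvert.SerializeObject(LatestGHASNews);
+var deserializedNews = JsonConvert.DeserializeObject<List<string>>(jsonData);
+
+// Log forging in deserialization logging
+_logger.LogInformation($"Loaded {LatestGHASNews.Count} GHAS news items. First item: {LatestGHASNews.FirstOrDefault() ?? "none"}");
+
+// SECURITY ISSUE: Mixing JSON libraries (both System.Text.Json and Newtonsoft.Json)
+var jsonOptions = new JsonSerializerOptions { WriteIndented = true };
+string systemTextJson = System.Text.Json.JsonSerializer.Serialize(LatestGHASNews, jsonOptions);
+_logger.LogDebug($"Serialized news data length: {systemTextJson.Length} characters");
+}
+
+public IActionResult OnPostTestPattern(string pattern)
+{
+if (string.IsNullOrEmpty(pattern))
+{
+TempData["Error"] = "Pattern cannot be empty";
+return Page();
+}
+
+// SECURITY ISSUE: Log forging in POST handler - user input directly in logs
+_logger.LogInformation($"User submitted pattern for testing: {pattern}");
+
+try
+{
+// SECURITY ISSUE: ReDoS vulnerable regex with user-supplied input
+var startTime = DateTime.Now;
+bool isMatch = InsecureRegex.IsMatch(pattern);
+var duration = (DateTime.Now - startTime).TotalMilliseconds;
+
+// Log forging with computation results
+_logger.LogInformation($"Pattern evaluation completed: {pattern} | Match: {isMatch} | Duration: {duration}ms");
+
+TempData["Message"] = $"Pattern '{pattern}' evaluation: {(isMatch ? "Match found" : "No match")} (took {duration}ms)";
+}
+catch (Exception ex)
+{
+// SECURITY ISSUE: Logging full exception with potentially sensitive information
+_logger.LogError($"Pattern test failed for input: {pattern} | Exception: {ex.ToString()}");
+TempData["Error"] = "Pattern evaluation encountered an error";
+}
+
+return Page();
+}
+}
+}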
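Review bot: The `catch (Exception ex)` blocks wrapped around `InsecureRegex.IsMatch` in both `OnGet` and `OnPostTestPattern` are unreachable as written, because `Regex.IsMatch` only throws `RegexMatchTimeoutException` when the `Regex` was constructed with a match timeout, and `InsecureRegex` is built with `RegexOptions.None` and none; a catastrophic-backtracking input such as `?test=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!` therefore pins the request thread rather than ever reaching the "Logging sensitive exception details" branch the comments advertise. If that branch is meant to be exercised, construct the field as `new Regex(@"^(([a-z])+.)+[A-Z]([a-z])+$", RegexOptions.None, TimeSpan.FromSeconds(1))` and catch `RegexMatchTimeoutException` ahead of the generic handler — the pattern still trips CodeQL's ReDoS query while bounding the damage on a shared demo host. Separately, every `_logger.Log*` call here passes an interpolated string rather than a message template with arguments, which defeats the structured logging the commit message claims to introduce and trips CA2254; CodeQL's log-forging query fires on either form, so `_logger.LogInformation("DevSecOps-7492 page accessed by: {User} from IP: {Ip}", userName, remoteIp)` costs the demo nothing. Finally, it is worth confirming that the hardcoded `ghp_demo…` value is a length GitHub's secret-scanning pattern actually matches — classic PATs are `ghp_` followed by 36 characters and this literal appears to be shorter, so the secret-scanning finding the commit message expects may not fire.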
