Skip to content

feat: Implement DevSecOps demo page for GHAS features #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Implement DevSecOps demo page for GHAS features #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 169 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
@page
@model DevSecOpsModel
@{
ViewData["Title"] = "DevSecOps & GitHub Advanced Security";
}

<div class="container">
<div class="row">
<div class="col-md-12">
<h1 class="display-4 text-primary">@ViewData["Title"]</h1>
<hr />
</div>
</div>

<div class="row">
<div class="col-md-8">
<div class="card mb-4">
<div class="card-header bg-primary text-white">
<h3 class="mb-0"><i class="bi bi-newspaper"></i> Latest GHAS News & Updates</h3>
</div>
<div class="card-body">
<p class="lead">Stay up-to-date with the latest GitHub Advanced Security features and enhancements:</p>

@if (Model.LatestNews.Any())
{
<ul class="list-group list-group-flush">
@foreach (var newsItem in Model.LatestNews)
{
<li class="list-group-item">
<i class="bi bi-check-circle text-success me-2"></i>
@newsItem
</li>
}
</ul>
}
</div>
</div>

<div class="card mb-4">
<div class="card-header bg-success text-white">
<h4 class="mb-0"><i class="bi bi-shield-check"></i> DevSecOps Best Practices</h4>
</div>
<div class="card-body">
<div class="row">
<div class="col-md-6">
<h5>Security in Development</h5>
<ul>
<li>Shift-left security testing</li>
<li>Automated code scanning</li>
<li>Secret detection & management</li>
<li>Dependency vulnerability scanning</li>
</ul>
</div>
<div class="col-md-6">
<h5>GHAS Integration</h5>
<ul>
<li>CodeQL static analysis</li>
<li>Dependabot alerts & updates</li>
<li>Security advisories</li>
<li>Supply chain protection</li>
</ul>
</div>
</div>
</div>
</div>
</div>

<div class="col-md-4">
<div class="card mb-4">
<div class="card-header bg-warning text-dark">
<h5 class="mb-0"><i class="bi bi-exclamation-triangle"></i> Demo Security Testing</h5>
</div>
<div class="card-body">
<p class="text-muted">This form demonstrates security vulnerabilities for educational purposes:</p>

<form method="post">
<div class="mb-3">
<label for="userInput" class="form-label">Test Input:</label>
<input type="text" class="form-control" id="userInput" name="userInput"
value="@Model.UserInput" placeholder="Enter test data...">
<small class="form-text text-muted">
⚠️ This input is intentionally vulnerable for demo purposes
</small>
</div>
<button type="submit" class="btn btn-warning">
<i class="bi bi-bug"></i> Test Vulnerabilities
</button>
</form>

@if (!string.IsNullOrEmpty(Model.UserInput))
{
<div class="mt-3 alert alert-info">
<strong>Input processed:</strong> @Model.UserInput
<br>
<small>Check application logs for security demonstrations</small>
</div>
}
</div>
</div>

<div class="card">
<div class="card-header bg-info text-white">
<h5 class="mb-0"><i class="bi bi-link-45deg"></i> GHAS Resources</h5>
</div>
<div class="card-body">
<div class="d-grid gap-2">
<a href="https://docs.github.com/en/code-security" target="_blank" class="btn btn-outline-primary btn-sm">
Code Security Docs
</a>
<a href="https://docs.github.com/en/code-security/code-scanning" target="_blank" class="btn btn-outline-primary btn-sm">
Code Scanning Guide
</a>
<a href="https://docs.github.com/en/code-security/secret-scanning" target="_blank" class="btn btn-outline-primary btn-sm">
Secret Scanning
</a>
<a href="https://docs.github.com/en/code-security/dependabot" target="_blank" class="btn btn-outline-primary btn-sm">
Dependabot
</a>
<a href="https://docs.github.com/en/code-security/security-advisories" target="_blank" class="btn btn-outline-primary btn-sm">
Security Advisories
</a>
</div>
</div>
</div>
</div>
</div>

<div class="row mt-4">
<div class="col-md-12">
<div class="alert alert-warning">
<i class="bi bi-exclamation-triangle-fill"></i>
<strong>Educational Demo:</strong> This page contains intentionally vulnerable code patterns for GitHub Advanced Security demonstration purposes.
Never use these patterns in production environments.
</div>
</div>
</div>
</div>

@section Scripts {
<script>
// Enhance the demo experience
document.addEventListener('DOMContentLoaded', function() {
const newsItems = document.querySelectorAll('.list-group-item');
newsItems.forEach((item, index) => {
setTimeout(() => {
item.style.opacity = '1';
item.style.transform = 'translateX(0)';
}, index * 100);
});
});
</script>
}

<style>
.list-group-item {
opacity: 0;
transform: translateX(-20px);
transition: all 0.3s ease;
}

.card {
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
transition: transform 0.2s ease;
}

.card:hover {
transform: translateY(-2px);
}
</style>
86 changes: 86 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using System.Text.RegularExpressions;
using System.Data.SqlClient;
using Microsoft.Data.SqlClient;
using Newtonsoft.Json;

namespace webapp01.Pages
{
public class DevSecOpsModel : PageModel
{
private readonly ILogger<DevSecOpsModel> _logger;

// Insecure: Hard-coded connection string for demo purposes
private const string CONNECTION_STRING = "Server=localhost;Database=DemoDb;User Id=sa;Password=P@ssw0rd123;";

// Insecure: Vulnerable regex pattern for demo purposes
private static readonly Regex EmailRegex = new Regex(@"^(.+)@(.+)$", RegexOptions.Compiled);

public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
{
_logger = logger;
}

public List<string> LatestNews { get; set; } = new List<string>();
public string UserInput { get; set; } = string.Empty;

public void OnGet()
{
_logger.LogInformation("DevSecOps page accessed at {Time}", DateTime.UtcNow);

LoadLatestGHASNews();

// Insecure: Log user data without sanitization for demo purposes
string userAgent = Request.Headers["User-Agent"].ToString();
_logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent);

Check failure

Code scanning / CodeQL

Log entries created from user input High

This log entry depends on a
user-provided value
Loading
.

Copilot Autofix

AI 23 days ago

To fix the issue, the user-provided User-Agent header should be sanitized before being logged. Since the logs are likely stored as plain text, newline characters should be removed from the User-Agent string to prevent log forging. This can be achieved using String.Replace to replace newline characters (\n and \r) with an empty string. Additionally, the input should be clearly marked in the log entry to avoid confusion.

Changes will be made to line 36 in the OnGet method to sanitize the userAgent value before logging it.

Suggested changeset 1
src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -35,3 +35,4 @@
             string userAgent = Request.Headers["User-Agent"].ToString();
-            _logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent);
+            string sanitizedUserAgent = userAgent.Replace("\n", "").Replace("\r", "");
+            _logger.LogInformation("User accessed DevSecOps page with sanitized User-Agent: " + sanitizedUserAgent);
         }
EOF
@@ -35,3 +35,4 @@
string userAgent = Request.Headers["User-Agent"].ToString();
_logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent);
string sanitizedUserAgent = userAgent.Replace("\n", "").Replace("\r", "");
_logger.LogInformation("User accessed DevSecOps page with sanitized User-Agent: " + sanitizedUserAgent);
}
Copilot is powered by AI and may make mistakes. Always verify output.
}

public void OnPost(string userInput)
{
UserInput = userInput ?? string.Empty;

// Insecure: Log forging vulnerability for demo purposes
_logger.LogInformation("User input received: " + userInput + " from user: " + User.Identity?.Name);

// Insecure: SQL injection vulnerability for demo purposes
if (!string.IsNullOrEmpty(userInput))
{
try
{
using var connection = new SqlConnection(CONNECTION_STRING);
var query = $"SELECT * FROM Users WHERE Name = '{userInput}'"; // Vulnerable to SQL injection
_logger.LogWarning("Executing query: " + query);
}
catch (Exception ex)
{
_logger.LogError("Database error: " + ex.Message);
}
Comment on lines +55 to +58

Check notice

Code scanning / CodeQL

Generic catch clause Note

Generic catch clause.

Copilot Autofix

AI 23 days ago

To fix the problem, replace the generic catch clause catch (Exception ex) with specific exception types that are relevant to the database operation. For SQL-related errors, the SqlException class should be caught. If additional exceptions need to be handled, they can be added as separate catch blocks. This approach ensures that only relevant exceptions are caught, improving error diagnosis and handling.

Steps to implement the fix:

  1. Replace the generic catch (Exception ex) block with a specific catch (SqlException ex) block.
  2. Optionally, add additional catch blocks for other specific exceptions if necessary.
  3. Ensure that the logging remains intact to provide diagnostic information.
Suggested changeset 1
src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -54,5 +54,5 @@
                 }
-                catch (Exception ex)
+                catch (SqlException ex)
                 {
-                    _logger.LogError("Database error: " + ex.Message);
+                    _logger.LogError("SQL error: " + ex.Message);
                 }
EOF
@@ -54,5 +54,5 @@
}
catch (Exception ex)
catch (SqlException ex)
{
_logger.LogError("Database error: " + ex.Message);
_logger.LogError("SQL error: " + ex.Message);
}
Copilot is powered by AI and may make mistakes. Always verify output.
}
// Insecure: Regex vulnerability for demo purposes
if (!string.IsNullOrEmpty(userInput) && EmailRegex.IsMatch(userInput))
{
_logger.LogInformation("Valid email format detected");
}

LoadLatestGHASNews();
}

private void LoadLatestGHASNews()
{
LatestNews = new List<string>
{
"GitHub Advanced Security now supports AI-powered code scanning with enhanced vulnerability detection",
"New Dependabot features include automated security updates for container dependencies",
"Secret scanning now detects over 200+ token types including cloud provider keys",
"Code scanning with CodeQL now supports Python 3.12 and enhanced C# analysis",
"Dependency review action helps prevent vulnerable dependencies in pull requests",
"GHAS now integrates with third-party security tools through the Security tab API",
"Enhanced supply chain security with SLSA compliance and artifact attestation",
"New security advisories database provides comprehensive vulnerability information"
};

_logger.LogInformation("Loaded {Count} GHAS news items", LatestNews.Count);
}
}
}
34 changes: 34 additions & 0 deletions src/webapp01/Pages/Index.cshtml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,5 +9,39 @@
<h5 class="card-title">.NET 💜 Azure v5</h5>
<p class="card-text">Learn about <a href="https://learn.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
<p class="card-text">Visit our <a asp-page="/About">About GHAS</a> page to learn about GitHub Advanced Security features.</p>
<p class="card-text">
<strong>🚀 New!</strong> Check out our <a asp-page="/DevSecOps" class="btn btn-primary btn-sm">DevSecOps Demo</a>
to explore the latest GitHub Advanced Security features and best practices.
</p>
</div>
</div>

<div class="row mt-4">
<div class="col-md-6">
<div class="card">
<div class="card-header bg-info text-white">
<h5 class="mb-0">🔐 Security Features</h5>
</div>
<div class="card-body">
<ul class="list-unstyled">
<li>✅ Code Scanning with CodeQL</li>
<li>✅ Secret Scanning</li>
<li>✅ Dependency Management</li>
<li>✅ Security Advisories</li>
</ul>
<a asp-page="/DevSecOps" class="btn btn-outline-info">Explore GHAS →</a>
</div>
</div>
</div>
<div class="col-md-6">
<div class="card">
<div class="card-header bg-success text-white">
<h5 class="mb-0">🛠️ DevSecOps Integration</h5>
</div>
<div class="card-body">
<p>Learn how to integrate security into your development workflow with our comprehensive DevSecOps guide.</p>
<a asp-page="/DevSecOps" class="btn btn-success">Get Started</a>
</div>
</div>
</div>
</div>
6 changes: 4 additions & 2 deletions src/webapp01/Pages/Shared/_Layout.cshtml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,15 +17,17 @@
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target=".navbar-collapse" aria-controls="navbarSupportedContent"
aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">
</button> <div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">
<ul class="navbar-nav flex-grow-1">
<li class="nav-item">
<a class="nav-link text-dark" asp-area="" asp-page="/Index">Home</a>
</li>
<li class="nav-item">
<a class="nav-link text-dark" asp-area="" asp-page="/About">About GHAS</a>
</li>
<li class="nav-item">
<a class="nav-link text-dark" asp-area="" asp-page="/DevSecOps">DevSecOps Demo</a>
</li>
<li class="nav-item">
<a class="nav-link text-dark" asp-area="" asp-page="/Privacy">Privacy</a>
</li>
Expand Down
6 changes: 3 additions & 3 deletions src/webapp01/webapp01.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,12 @@
<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
<DockerfileContext>.</DockerfileContext>
</PropertyGroup>

<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.13.2" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
<PackageReference Include="System.Text.Json" Version="9.0.4" />
<PackageReference Include="System.Text.Json" Version="8.0.4" />
<PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
</ItemGroup>

</Project>
Loading