From 6d08a89c18fbc630511afbabbdd73b07edeb160d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 Aug 2025 15:02:09 +0000
Subject: [PATCH 1/3] Initial plan
From 1c63dbc7e7c6c6fd5cd1fba45f322f7ae38e6fbf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 Aug 2025 15:06:26 +0000
Subject: [PATCH 2/3] Fix .NET compatibility and packages for DevSecOps demo
Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
---
 src/webapp01/Program.cs | 5 ++---
 src/webapp01/webapp01.csproj | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/webapp01/Program.cs b/src/webapp01/Program.cs
index a04832b..3177bcf 100644
--- a/src/webapp01/Program.cs
+++ b/src/webapp01/Program.cs
@@ -19,8 +19,7 @@ app.UseAuthorization();
-app.MapStaticAssets();
-app.MapRazorPages()
- .WithStaticAssets();
+app.UseStaticFiles();
+app.MapRazorPages();
 app.Run();
diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj
index 9b11105..97303be 100644
--- a/src/webapp01/webapp01.csproj
+++ b/src/webapp01/webapp01.csproj
@@ -1,7 +1,7 @@
- net9.0
+ net8.0 enable enable 7f0355f0-e3cb-4a1e-bf2d-0431db9b93f8
@@ -13,7 +13,7 @@
- +
From 9e3878b9ee6d2df66fe19fa8ee7ce1249d9cf72f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 Aug 2025 15:11:20 +0000
Subject: [PATCH 3/3] Implement DevSecOps5 page with latest GHAS features and security demos
Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
---
 src/webapp01/Pages/DevSecOps5.cshtml | 183 +++++++++++++++++++
 src/webapp01/Pages/DevSecOps5.cshtml.cs | 181 ++++++++++++++++++++
 src/webapp01/Pages/Index.cshtml | 4 +
 src/webapp01/Pages/Shared/_Layout.cshtml | 3 +
 4 files changed, 371 insertions(+)
 create mode 100644 src/webapp01/Pages/DevSecOps5.cshtml
 create mode 100644 src/webapp01/Pages/DevSecOps5.cshtml.cs
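Review bot: The added `app.UseStaticFiles();` sits after `app.UseAuthorization();`, so every request for a static asset now runs through the authentication/authorization middleware before the file is served; the ASP.NET Core template places `UseStaticFiles()` ahead of `UseRouting()` and the auth middleware so that static content is short-circuited early. I would move the added line above the routing/auth calls, which are above line 19 and outside this hunk (presumably `UseRouting()`, not visible here). Replacing `MapStaticAssets()`/`.WithStaticAssets()` also gives up the fingerprinted, pre-compressed asset endpoints that API provided on net9.0; that is the expected cost of the retarget to net8.0 in the csproj hunk, but the package reference changed in the csproj's second hunk is not recoverable from this rendering, so the matching package version could not be checked.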
diff --git a/src/webapp01/Pages/DevSecOps5.cshtml b/src/webapp01/Pages/DevSecOps5.cshtml
new file mode 100644
index 0000000..177cfec
--- /dev/null
+++ b/src/webapp01/Pages/DevSecOps5.cshtml
@@ -0,0 +1,183 @@
+@page
+@model DevSecOps5Model
+@{
+ ViewData["Title"] = "DevSecOps5 - Latest GHAS Features Demo";
+}
+
+
+
+

@ViewData["Title"]

+

Explore the newest features and capabilities of GitHub Advanced Security (GHAS) 2025

+
+
+
+ + + @if (TempData["SecurityTest"] != null) + { + + } + +
+ +
+
+
+

+ Latest GitHub Advanced Security News 2025 +

+
+
+ @if (Model.LatestGHASNews.Any()) + { +
+ @foreach (var newsItem in Model.LatestGHASNews) + { +
+
+
+ HOT +

@newsItem

+
+
+
+ } +
+ } + else + { +

No latest news available.

+ } +
+
+ + +
+
+

🚀 GHAS 2025 Enhanced Features

+
+
+
+
+
AI-Powered Code Review
+

Enhanced CodeQL with AI suggestions for vulnerability remediation.

+ +
Advanced Secret Scanning
+

Real-time secret detection with custom pattern matching and auto-remediation.

+
+
+
Supply Chain Security
+

Enhanced dependency graph with SBOM generation and license compliance.

+ +
Cloud Security Posture
+

Infrastructure as Code scanning with cloud configuration analysis.

+
+
+
+
+
+ + +
+ +
+
+

+ Security Vulnerability Demo +

+
+
+

+ ⚠️ This demo contains intentionally vulnerable code patterns for GHAS detection testing. +

+ + +
+
+ + +
+ ⚠️ This may be vulnerable to SQL injection +
+
+ +
+ + +
+
+ + +
+ ⚠️ This may be vulnerable to ReDoS attacks +
+
+ +
+
+
+ + + +
+
+ + +
+
+
+
+
Demo Statistics
+
+
+

@Model.VulnerabilityCount

+ Vulnerabilities Detected +
+
+

@Model.SecretsFound

+ Secrets Found +
+
+

@Model.DependenciesScanned

+ Dependencies Scanned +
+
+

@Model.SecurityScore

+ Security Score +
+
+
+
+
+
+
+ + +
\ No newline at end of file
diff --git a/src/webapp01/Pages/DevSecOps5.cshtml.cs b/src/webapp01/Pages/DevSecOps5.cshtml.cs
new file mode 100644
index 0000000..5f6ded3
--- /dev/null
+++ b/src/webapp01/Pages/DevSecOps5.cshtml.cs
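Review bot: The `@if (TempData["SecurityTest"] != null)` block renders a message that, per the page model added in this same commit, contains the raw `sqlInput`/`regexPattern` the client posted and raw `ex.Message`; the markup of this hunk is lost in this rendering, so it is not possible to tell whether the value is written with `@TempData["SecurityTest"]` (HTML-encoded) or through `Html.Raw`. If it is `Html.Raw`, that is a reflected XSS path the demo does not label as intentional, unlike the SQL and ReDoS sections; if it is the encoded form, a comment such as `@* SecurityTest echoes unencoded user input; rely on implicit @ encoding, never Html.Raw *@` would pin that down. Likewise the two forms that post `sqlInput` and `regexPattern` should be `<form method="post" asp-page-handler="...">` tag-helper forms so the antiforgery token is emitted automatically, which also cannot be confirmed from the stripped markup.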
@@ -0,0 +1,181 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using Microsoft.Data.SqlClient;
+using Newtonsoft.Json;
+using System.Text.Json;
+
+namespace webapp01.Pages
+{
+ public class DevSecOps5Model : PageModel
+ {
+ private readonly ILogger _logger;
+
+ // INSECURE: Hardcoded database credentials for demo purposes
+ private const string DB_CONNECTION = "Server=localhost;Database=DemoApp;User Id=admin;Password=SuperSecret123!;TrustServerCertificate=true;";
+
+ // INSECURE: API Key hardcoded for demo purposes
+ private const string API_KEY = "sk-demo-1234567890abcdef-NEVER-USE-IN-PROD";
+
+ // INSECURE: Vulnerable regex pattern susceptible to ReDoS attacks
+ private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled);
+ private static readonly Regex EmailRegex = new Regex(@"^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$", RegexOptions.Compiled);
+
+ public DevSecOps5Model(ILogger logger)
+ {
+ _logger = logger;
+ }
+
+ public List LatestGHASNews { get; set; } = new();
+ public int VulnerabilityCount { get; set; }
+ public int SecretsFound { get; set; }
+ public int DependenciesScanned { get; set; }
+ public string SecurityScore { get; set; } = "C+";
+
+ public void OnGet()
+ {
+ // LOG FORGING: User input directly logged without sanitization
+ string userAgent = Request.Headers.UserAgent.ToString();
+ string ipAddress = Request.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+ string userInput = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? 
"anonymous" : "anonymous";
+
+ // INSECURE: Direct user input in logs
+ _logger.LogInformation($"DevSecOps5 page accessed by user: {userInput} from IP: {ipAddress} with UserAgent: {userAgent}");
+
+ LoadLatestGHASNews();
+ GenerateSecurityStats();
+
+ // INSECURE: Simulate database connection with hardcoded credentials
+ try
+ {
+ // Don't actually connect for demo, but log the attempt with sensitive info
+ _logger.LogInformation($"Attempting database connection to: {DB_CONNECTION}");
+ _logger.LogDebug($"Using API key: {API_KEY}");
+
+ using var connection = new SqlConnection(DB_CONNECTION);
+ // Simulated connection - don't actually open
+
+ _logger.LogInformation("Database connection simulation completed");
+ }
+ catch (Exception ex)
+ {
+ // LOG FORGING: Exception details with user input
+ _logger.LogError($"Database connection failed for user {userInput}: {ex.Message}");
+ }
+
+ // INSECURE: Test vulnerable regex patterns
+ TestVulnerableRegex();
+ }
+
+ private void LoadLatestGHASNews()
+ {
+ LatestGHASNews = new List
+ {
+ "GitHub Advanced Security now includes AI-powered vulnerability remediation suggestions",
+ "New CodeQL 2.25 with enhanced C# and .NET analysis capabilities released",
+ "Secret scanning now supports 500+ new token patterns including cloud services",
+ "Dependency review with automated security updates and license compliance checking",
+ "Advanced threat modeling integration with STRIDE methodology support",
+ "Real-time security alerts with Slack and Microsoft Teams integration",
+ "Enhanced SARIF support with custom security rule definitions",
+ "Supply chain security with SBOM generation and provenance tracking"
+ };
+
+ // INSECURE: Potential JSON deserialization vulnerability
+ try
+ {
+ string jsonData = JsonConvert.SerializeObject(LatestGHASNews);
+ // INSECURE: Deserializing without type validation
+ var deserializedData = JsonConvert.DeserializeObject>(jsonData);
+
+ _logger.LogInformation($"Successfully loaded 
{LatestGHASNews.Count} latest GHAS news items");
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError($"Failed to process GHAS news: {ex.Message}");
+ }
+ }
+
+ private void GenerateSecurityStats()
+ {
+ // Simulate security statistics
+ Random rand = new Random();
+ VulnerabilityCount = rand.Next(15, 25);
+ SecretsFound = rand.Next(3, 8);
+ DependenciesScanned = rand.Next(150, 300);
+
+ string[] scores = { "A+", "A", "B+", "B", "C+", "C", "D" };
+ SecurityScore = scores[rand.Next(scores.Length)];
+
+ _logger.LogInformation($"Generated security stats - Vulnerabilities: {VulnerabilityCount}, Secrets: {SecretsFound}, Dependencies: {DependenciesScanned}, Score: {SecurityScore}");
+ }
+
+ private void TestVulnerableRegex()
+ {
+ // INSECURE: Testing with potentially dangerous regex patterns
+ string testPattern = Request.Query.ContainsKey("pattern") ? Request.Query["pattern"].ToString() ?? "aaa" : "aaa";
+
+ try
+ {
+ bool isMatch = VulnerableRegex.IsMatch(testPattern);
+ _logger.LogInformation($"Vulnerable regex test result: {isMatch} for pattern: {testPattern}");
+ }
+ catch (Exception ex)
+ {
+ // LOG FORGING: User input in error logs
+ _logger.LogError($"Regex evaluation failed for pattern: {testPattern}. 
Error: {ex.Message}");
+ }
+ }
+
+ public IActionResult OnPostTestSql(string sqlInput)
+ {
+ if (!string.IsNullOrEmpty(sqlInput))
+ {
+ // INSECURE: Direct SQL input logging (potential injection vulnerability demo)
+ _logger.LogWarning($"SQL test executed: {sqlInput}");
+
+ // INSECURE: Simulated SQL injection vulnerability
+ string userAgent = Request.Headers.UserAgent.ToString();
+ string queryToExecute = $"SELECT * FROM logs WHERE query = '{sqlInput}' AND user_agent = '{userAgent}'";
+
+ _logger.LogInformation($"Constructed query: {queryToExecute}");
+
+ TempData["SecurityTest"] = $"SQL Query processed: {sqlInput} (Check logs for potential injection patterns)";
+ }
+
+ return RedirectToPage();
+ }
+
+ public IActionResult OnPostTestRegex(string regexPattern)
+ {
+ if (!string.IsNullOrEmpty(regexPattern))
+ {
+ try
+ {
+ // INSECURE: User-provided regex pattern could cause ReDoS
+ var userRegex = new Regex(regexPattern, RegexOptions.Compiled);
+ string testString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
+ // LOG FORGING: User input in logs
+ _logger.LogWarning($"Testing user-provided regex pattern: {regexPattern}");
+
+ DateTime start = DateTime.Now;
+ bool result = userRegex.IsMatch(testString);
+ TimeSpan duration = DateTime.Now - start;
+
+ _logger.LogInformation($"Regex test completed in {duration.TotalMilliseconds}ms - Result: {result}");
+
+ TempData["SecurityTest"] = $"Regex pattern '{regexPattern}' processed in {duration.TotalMilliseconds:F2}ms - Result: {result}";
+ }
+ catch (Exception ex)
+ {
+ // LOG FORGING: Exception with user input
+ _logger.LogError($"Regex test failed for pattern '{regexPattern}': {ex.Message}");
+ TempData["SecurityTest"] = $"Regex test failed: {ex.Message}";
+ }
+ }
+
+ return RedirectToPage();
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml
index e528b40..931e1c3 100644
--- a/src/webapp01/Pages/Index.cshtml
+++ b/src/webapp01/Pages/Index.cshtml
@@ -13,5 +13,9 @@ New! Check out our DevSecOps Demo page to see the latest GHAS features and security demonstrations.

+

+ Latest! Explore our enhanced DevSecOps5 Demo + featuring the newest 2025 GHAS capabilities and vulnerability testing. +

diff --git a/src/webapp01/Pages/Shared/_Layout.cshtml b/src/webapp01/Pages/Shared/_Layout.cshtml
index bcaf503..4f4eb02 100644
--- a/src/webapp01/Pages/Shared/_Layout.cshtml
+++ b/src/webapp01/Pages/Shared/_Layout.cshtml
@@ -28,6 +28,9 @@ +