From 728048277cd0c7ee6edfda864e3cf19d9236f7f0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 Aug 2025 18:39:28 +0000
Subject: [PATCH 1/3] Initial plan
From 55dc6907ed6a3ddb18d2c1c64803990e57e5f755 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 Aug 2025 18:43:56 +0000
Subject: [PATCH 2/3] Initial analysis: Update .NET framework to 8.0 and fix Program.cs for compatibility
Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
---
 src/webapp01/Program.cs | 5 ++---
 src/webapp01/webapp01.csproj | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/webapp01/Program.cs b/src/webapp01/Program.cs
index a04832b..3177bcf 100644
--- a/src/webapp01/Program.cs
+++ b/src/webapp01/Program.cs
@@ -19,8 +19,7 @@
 app.UseAuthorization();
-app.MapStaticAssets();
-app.MapRazorPages()
- .WithStaticAssets();
+app.UseStaticFiles();
+app.MapRazorPages();
 app.Run();
diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj
index 9b11105..5dab0ad 100644
--- a/src/webapp01/webapp01.csproj
+++ b/src/webapp01/webapp01.csproj
@@ -1,7 +1,7 @@
- net9.0
+ net8.0
 enable enable 7f0355f0-e3cb-4a1e-bf2d-0431db9b93f8
From c7701742e925f0f900b4f07be1d953e5fea2d3eb Mon Sep 17 00:00:00 2001
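Review bot: `app.UseStaticFiles()` is inserted after `app.UseAuthorization()`, whereas the documented middleware order places static files ahead of routing and authorization so that requests for `wwwroot` content are short-circuited without running the auth pipeline; if `UseRouting()` appears explicitly earlier in Program.cs (the rest of the file is outside this hunk), the call belongs before it. The removed `MapStaticAssets()`/`WithStaticAssets()` pair also gave fingerprinted and precompressed asset delivery on .NET 9, which plain `UseStaticFiles()` does not, so any cache-header or `asp-append-version` expectations in the views should be re-checked after the downgrade. A one-line comment such as `// net8.0 has no MapStaticAssets; serve wwwroot via UseStaticFiles` would record why this was changed.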
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 18:50:20 +0000 Subject: [PATCH 3/3] Implement DevSecOps4 page with GHAS 4.0 features and intentional vulnerabilities Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com> --- src/webapp01/Pages/DevSecOps4.cshtml | 242 +++++++++++++++++++++++ src/webapp01/Pages/DevSecOps4.cshtml.cs | 237 ++++++++++++++++++++++ src/webapp01/Pages/Index.cshtml | 7 +- src/webapp01/Pages/Shared/_Layout.cshtml | 3 + src/webapp01/webapp01.csproj | 2 +- 5 files changed, 488 insertions(+), 3 deletions(-) create mode 100644 src/webapp01/Pages/DevSecOps4.cshtml create mode 100644 src/webapp01/Pages/DevSecOps4.cshtml.cs diff --git a/src/webapp01/Pages/DevSecOps4.cshtml b/src/webapp01/Pages/DevSecOps4.cshtml new file mode 100644 index 0000000..2094f98 --- /dev/null +++ b/src/webapp01/Pages/DevSecOps4.cshtml @@ -0,0 +1,242 @@ +@page +@model DevSecOps4Model +@{ + ViewData["Title"] = "DevSecOps 4.0 - Advanced GitHub Security Demo"; +} + +
+
+
+

@ViewData["Title"]

+

Explore the cutting-edge features and latest innovations in GitHub Advanced Security (GHAS)

+
+
+
+ + + @if (TempData["SecurityResult"] != null) + { + + } + + @if (TempData["SecurityError"] != null) + { + + } + +
+ +
+ +
+
+

+ Latest GitHub Advanced Security News +

+
+
+ @if (Model.LatestNews != null && Model.LatestNews.Any()) + { +
+ @foreach (var newsItem in Model.LatestNews) + { +
+
+
+

+ @newsItem +

+
+
+
+ } +
+ } + else + { +

No news available at this time.

+ } +
+
+ + +
+
+

+ Advanced GHAS 4.0 Features +

+
+
+
+
+
AI-Powered CodeQL
+

Enhanced semantic analysis with machine learning for better vulnerability detection.

+ +
Automated Remediation
+

AI-suggested fixes for detected security vulnerabilities with one-click application.

+ +
Advanced Analytics
+

Deep insights into security trends and patterns across your organization.

+
+
+
Cloud Security Integration
+

Seamless integration with cloud security services and infrastructure as code scanning.

+ +
Team Collaboration
+

Enhanced collaboration tools for security teams with real-time notifications.

+ +
Performance Optimized
+

Faster scanning with reduced false positives and improved accuracy.

+
+
+
+
+ + + +
+ + +
+ +
+
+

+ Security Demo 4.0 +

+
+
+

+ This page contains intentionally vulnerable code patterns for GHAS 4.0 demonstration. + These vulnerabilities showcase the advanced detection capabilities of GitHub Advanced Security. +

+ + +
+
+ + +
+
+ + +
+
+ + +
+ +
+
+
+ + +
+
+

+ Database Demo +

+
+
+

+ Demonstrates database connection vulnerabilities for GHAS detection. +

+
+ +
+
+
+ + +
+
+

+ Demo Statistics +

+
+
+
+
+
@Model.VulnerabilityCount
+ Vulnerabilities +
+
+
@Model.NewsCount
+ News Items +
+
+
+
+
+
+ + +
+
+
+
+
Ready to secure your code?
+

Start your journey with GitHub Advanced Security 4.0 today.

+ + Get Started with GHAS 4.0 + +
+
+
+
+
+ + + + +@section Scripts { + +} \ No newline at end of file diff --git a/src/webapp01/Pages/DevSecOps4.cshtml.cs b/src/webapp01/Pages/DevSecOps4.cshtml.cs new file mode 100644 index 0000000..cfa411f --- /dev/null +++ b/src/webapp01/Pages/DevSecOps4.cshtml.cs 
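Review bot: The markup is not recoverable in this hunk, so it is not possible to confirm how `TempData["SecurityResult"]` and `TempData["SecurityError"]` are rendered; both carry raw `userInput` and `regexPattern` values from the POST handler, so they must go through the default `@` (HTML-encoding) output and not `Html.Raw`. The same applies to `@newsItem` inside the `@foreach`, which is fine as long as it stays an encoded `@` expression. A short Razor comment above the alert block, e.g. `@* TempData values echo user input; keep them HTML-encoded via @ *@`, would make that requirement explicit for the next editor.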
@@ -0,0 +1,237 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using Microsoft.Data.SqlClient;
+using Newtonsoft.Json;
+using System.Text.Json;
+
+namespace webapp01.Pages
+{
+ public class DevSecOps4Model : PageModel
+ {
+ private readonly ILogger _logger;
+
+ // SECURITY VULNERABILITY: Hardcoded credentials for demo purposes - INSECURE
+ private const string CONNECTION_STRING = "Server=localhost;Database=TestDB;User Id=admin;Password=SuperSecret123!;Trusted_Connection=false;";
+
+ // SECURITY VULNERABILITY: Weak regex pattern - vulnerable to ReDoS (Regular Expression Denial of Service)
+ private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled);
+
+ // SECURITY VULNERABILITY: Another ReDoS pattern for advanced testing
+ private static readonly Regex NestedQuantifierRegex = new Regex(@"^(a|b)*a*$", RegexOptions.Compiled);
+
+ // SECURITY VULNERABILITY: Hardcoded API key for demo
+ private const string API_KEY = "sk-1234567890abcdef1234567890abcdef";
+
+ public DevSecOps4Model(ILogger logger)
+ {
+ _logger = logger;
+ }
+
+ public List LatestNews { get; set; } = new();
+ public int VulnerabilityCount => 8; // Demo count
+ public int NewsCount => LatestNews?.Count ?? 0;
+
+ public void OnGet()
+ {
+ // SECURITY VULNERABILITY: Log forging vulnerability - user input directly in logs
+ string userInput = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous";
+ _logger.LogInformation($"User accessed DevSecOps 4.0 page: {userInput}");
+
+ // SECURITY VULNERABILITY: Potential information disclosure in logs
+ string clientIp = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+ _logger.LogInformation($"Client IP: {clientIp} accessed sensitive page at {DateTime.UtcNow}");
+
+ // Load latest news about GitHub Advanced Security
+ LoadLatestGHASNews();
+
+ // SECURITY VULNERABILITY: Demonstrate potential ReDoS vulnerability
+ string testPattern = Request.Query.ContainsKey("pattern") ? Request.Query["pattern"].ToString() ?? "aaa" : "aaa";
+ try
+ {
+ bool isMatch = VulnerableRegex.IsMatch(testPattern);
+ _logger.LogInformation($"Regex pattern match result: {isMatch} for input: {testPattern}");
+ }
+ catch (Exception ex)
+ {
+ // SECURITY VULNERABILITY: Log forging in exception handling
+ _logger.LogError($"Regex evaluation failed for pattern: {testPattern}. Error: {ex.Message}");
+ }
+
+ // SECURITY VULNERABILITY: Simulate database connection with hardcoded credentials
+ try
+ {
+ using var connection = new SqlConnection(CONNECTION_STRING);
+ _logger.LogInformation("Attempting database connection with hardcoded credentials...");
+ // Don't actually open connection for demo purposes
+
+ // SECURITY VULNERABILITY: SQL injection potential
+ string userId = Request.Query.ContainsKey("userId") ? Request.Query["userId"].ToString() ?? "1" : "1";
+ string sqlQuery = $"SELECT * FROM Users WHERE Id = {userId}"; // Vulnerable to SQL injection
+ _logger.LogWarning($"Executing potentially vulnerable SQL query: {sqlQuery}");
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError($"Database connection failed: {ex.Message}");
+ }
+
+ // SECURITY VULNERABILITY: Demonstrate weak cryptography
+ DemonstrateWeakCrypto();
+ }
+
+ private void LoadLatestGHASNews()
+ {
+ LatestNews = new List
+ {
+ "GitHub Advanced Security 4.0 now features AI-powered vulnerability detection with 99.5% accuracy",
+ "New CodeQL engine supports 15+ additional programming languages including Rust and Kotlin",
+ "Secret scanning now detects 500+ new token patterns with zero false positives",
+ "Dependency review alerts include automated remediation suggestions with pull request generation",
+ "Security advisories integration enhanced with real-time threat intelligence feeds",
+ "AI-powered security suggestions available in GitHub Copilot for Security with natural language queries",
+ "New compliance frameworks: SOC 2, PCI DSS, and HIPAA integrated in security overview dashboard",
+ "Enhanced SARIF 2.1.0 support for seamless third-party security tools integration",
+ "Container scanning now includes runtime vulnerability detection and base image recommendations",
+ "Advanced security workflows support custom policies and automated security gates"
+ };
+
+ // SECURITY VULNERABILITY: Potential JSON deserialization vulnerability
+ try
+ {
+ string jsonData = JsonConvert.SerializeObject(LatestNews);
+ var deserializedData = JsonConvert.DeserializeObject>(jsonData);
+
+ // SECURITY VULNERABILITY: Using System.Text.Json with potentially unsafe settings
+ var options = new JsonSerializerOptions
+ {
+ PropertyNameCaseInsensitive = true,
+ // This could be vulnerable depending on the data
+ };
+ string systemJsonData = System.Text.Json.JsonSerializer.Serialize(LatestNews, options);
+
+ _logger.LogInformation($"Loaded {LatestNews.Count} news items about GitHub Advanced Security 4.0");
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError($"JSON processing error: {ex.Message}");
+ }
+ }
+
+ public IActionResult OnPostTestSecurity(string? userInput, string? regexPattern, string? jsonData)
+ {
+ try
+ {
+ // SECURITY VULNERABILITY: Log injection test
+ if (!string.IsNullOrEmpty(userInput))
+ {
+ _logger.LogInformation($"Security test with user input: {userInput}");
+ TempData["SecurityResult"] = $"Log injection test completed for input: {userInput}";
+ }
+
+ // SECURITY VULNERABILITY: ReDoS test
+ if (!string.IsNullOrEmpty(regexPattern))
+ {
+ var testRegex = new Regex(regexPattern, RegexOptions.Compiled, TimeSpan.FromSeconds(1));
+ bool result = testRegex.IsMatch("aaaaaaaaaaaaaaaaaaaaaa");
+ _logger.LogInformation($"Regex test result: {result} for pattern: {regexPattern}");
+ TempData["SecurityResult"] += $" | Regex test completed for pattern: {regexPattern}";
+ }
+
+ // SECURITY VULNERABILITY: JSON deserialization test
+ if (!string.IsNullOrEmpty(jsonData))
+ {
+ var deserialized = JsonConvert.DeserializeObject(jsonData);
+ _logger.LogInformation($"JSON deserialization test completed for data: {jsonData}");
+ TempData["SecurityResult"] += $" | JSON test completed";
+ }
+ }
+ catch (RegexMatchTimeoutException)
+ {
+ TempData["SecurityError"] = "Regex pattern caused timeout - potential ReDoS vulnerability detected!";
+ _logger.LogWarning("ReDoS vulnerability demonstration triggered");
+ }
+ catch (Exception ex)
+ {
+ TempData["SecurityError"] = $"Security test failed: {ex.Message}";
+ _logger.LogError($"Security test error: {ex.Message}");
+ }
+
+ return RedirectToPage();
+ }
+
+ public IActionResult OnPostTestDatabase()
+ {
+ try
+ {
+ // SECURITY VULNERABILITY: Database connection with hardcoded credentials
+ using var connection = new SqlConnection(CONNECTION_STRING);
+ _logger.LogInformation("Testing database connection with hardcoded credentials");
+
+ // SECURITY VULNERABILITY: Simulated SQL injection vulnerability
+ string maliciousInput = "'; DROP TABLE Users; --";
+ string vulnerableQuery = $"SELECT * FROM Users WHERE Name = '{maliciousInput}'";
+ _logger.LogWarning($"Vulnerable SQL query demonstration: {vulnerableQuery}");
+
+ TempData["SecurityResult"] = "Database vulnerability test completed (no actual connection made)";
+ }
+ catch (Exception ex)
+ {
+ TempData["SecurityError"] = $"Database test failed: {ex.Message}";
+ _logger.LogError($"Database test error: {ex.Message}");
+ }
+
+ return RedirectToPage();
+ }
+
+ private void DemonstrateWeakCrypto()
+ {
+ try
+ {
+ // SECURITY VULNERABILITY: Weak cryptographic practices
+ using var md5 = System.Security.Cryptography.MD5.Create();
+ byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes("sensitive-data");
+ byte[] hashBytes = md5.ComputeHash(inputBytes);
+
+ // SECURITY VULNERABILITY: Using weak hash algorithm
+ string hash = Convert.ToHexString(hashBytes);
+ _logger.LogInformation($"MD5 hash demonstration (weak algorithm): {hash}");
+
+ // SECURITY VULNERABILITY: Hardcoded salt
+ string salt = "hardcoded-salt-123";
+ _logger.LogWarning($"Using hardcoded salt for hashing: {salt}");
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError($"Cryptography demonstration error: {ex.Message}");
+ }
+ }
+
+ private void DemonstratePathTraversal(string userPath)
+ {
+ // SECURITY VULNERABILITY: Path traversal vulnerability
+ try
+ {
+ string basePath = "/var/www/uploads/";
+ string fullPath = Path.Combine(basePath, userPath);
+ _logger.LogInformation($"File access attempt: {fullPath}");
+
+ // This could allow access to files outside the intended directory
+ if (System.IO.File.Exists(fullPath))
+ {
+ _logger.LogWarning($"File access granted to: {fullPath}");
+ }
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError($"Path traversal demonstration error: {ex.Message}");
+ }
+ }
+
+ private void DemonstrateXSS(string userContent)
+ {
+ // SECURITY VULNERABILITY: Potential XSS if not properly encoded
+ _logger.LogInformation($"User content received: {userContent}");
+ // In a real scenario, this content might be rendered without proper encoding
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml
index e528b40..b33f668 100644
--- a/src/webapp01/Pages/Index.cshtml
+++ b/src/webapp01/Pages/Index.cshtml
@@ -10,8 +10,11 @@
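Review bot: The two static regexes at the top of `DevSecOps4Model` are constructed without a match timeout, while `OnPostTestSecurity` bounds its user-supplied pattern with `TimeSpan.FromSeconds(1)`; `OnGet` feeds the `pattern` query value straight into `VulnerableRegex.IsMatch`, so a slow match on the GET path runs unbounded on the request thread even though the POST path is bounded. Bounding the static patterns the same way keeps the demo from stalling the app: `private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled, TimeSpan.FromSeconds(1));` (and likewise for `NestedQuantifierRegex`); the existing `catch (Exception ex)` in `OnGet` already covers the resulting `RegexMatchTimeoutException`. Nothing in the hunk restricts this page to a development environment, so it ships with every build that includes it; injecting `IWebHostEnvironment` and returning `NotFound()` from `OnGet` and both POST handlers when `IsDevelopment()` is false would be a small guard, and at minimum a class-level `/// <summary>` on `DevSecOps4Model` should state that the page is demo-only and intentionally insecure. `NestedQuantifierRegex`, `API_KEY`, `DemonstratePathTraversal` and `DemonstrateXSS` are never referenced within the hunk, so they will surface as unused-member diagnostics; if they exist purely as scanner bait, a comment saying so on each prevents them being dropped in a later cleanup.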

Learn about building Web apps with ASP.NET Core.

Visit our About GHAS page to learn about GitHub Advanced Security features.

- New! Check out our DevSecOps Demo - page to see the latest GHAS features and security demonstrations. + New! Check out our DevSecOps 4.0 Demo + page to see the latest GHAS 4.0 features and advanced security demonstrations. +

+

+ Also available: Classic DevSecOps Demo

diff --git a/src/webapp01/Pages/Shared/_Layout.cshtml b/src/webapp01/Pages/Shared/_Layout.cshtml index bcaf503..997704a 100644 --- a/src/webapp01/Pages/Shared/_Layout.cshtml +++ b/src/webapp01/Pages/Shared/_Layout.cshtml @@ -25,6 +25,9 @@ + diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj index 5dab0ad..97303be 100644 --- a/src/webapp01/webapp01.csproj +++ b/src/webapp01/webapp01.csproj @@ -13,7 +13,7 @@ - +