Feature/devsecops demo 03 #65

Open: wants to merge 3 commits into base: main (changes from 2 commits)
43 changes: 43 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml
@@ -0,0 +1,43 @@
@page
@model DevSecOpsModel
@{
ViewData["Title"] = "DevSecOps";
}

<h1>@ViewData["Title"]</h1>

<p>Stay up-to-date with the latest advancements in GitHub Advanced Security.</p>

<h2>Latest News</h2>
<div class="card-deck">
<div class="card">
<div class="card-body">
<h5 class="card-title">GitHub Universe 2025 Highlights</h5>
<p class="card-text">Discover the key announcements from GitHub Universe 2025, including new features for Advanced Security that help you build more secure applications.</p>
<a href="#" class="btn btn-primary">Read More</a>
</div>
<div class="card-footer">
<small class="text-muted">Posted on May 8, 2025</small>
</div>
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">Secret Scanning Enhancements</h5>
<p class="card-text">Learn about the latest improvements to secret scanning, including expanded partner patterns and new detection capabilities to keep your secrets safe.</p>
<a href="#" class="btn btn-primary">Read More</a>
</div>
<div class="card-footer">
<small class="text-muted">Posted on April 25, 2025</small>
</div>
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">CodeQL Gets Faster and Smarter</h5>
<p class="card-text">Explore the performance and intelligence upgrades to CodeQL, enabling faster and more accurate security analysis of your codebases.</p>
<a href="#" class="btn btn-primary">Read More</a>
</div>
<div class="card-footer">
<small class="text-muted">Posted on April 10, 2025</small>
</div>
</div>
</div>
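Review bot: all three "Read More" buttons in this hunk (`<a href="#" class="btn btn-primary">Read More</a>`) point at `#`, so the page ships dead links; either point them at the actual posts or drop the buttons until there is a target. The rest is static markup with hard-coded titles and dates, and `ViewData["Title"]` is the only dynamic value, so nothing here takes user input.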
35 changes: 35 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -0,0 +1,35 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

public class DevSecOpsModel : PageModel
{
private readonly ILogger<DevSecOpsModel> _logger;

string adminUserName = "demouser@example.com";

Check notice: Code scanning / CodeQL, Missed 'readonly' opportunity (Note)

Field 'adminUserName' can be 'readonly'.

Copilot Autofix (AI, 8 days ago):

To fix the issue, we will add the readonly modifier to the adminUserName field. This ensures that the field cannot be reassigned after its initial value is set during declaration. The change will be made directly in the declaration of the field on line 9.

Suggested changeset 1: src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -8,3 +8,3 @@
 
-    	string adminUserName = "demouser@example.com";
+    	private readonly string adminUserName = "demouser@example.com";
 
EOF
Copilot is powered by AI and may make mistakes. Always verify output.

// TODO: Don't use this in production
public const string DEFAULT_PASSWORD_NEW = "Pass@word1";

// TODO: Change this to an environment variable
public const string JWT_SECRET_KEY = "SecretKeyOfDoomThatMustBeAMinimumNumberOfBytes";


public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
{
_logger = logger;
}

public void OnGet()
{
string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";

Check warning on line 25 in src/webapp01/Pages/DevSecOps.cshtml.cs (GitHub Actions / Build Web App): Possible null reference assignment.

Check warning on line 25 in src/webapp01/Pages/DevSecOps.cshtml.cs (GitHub Actions / Build Web App): Converting null literal or possible null value to non-nullable type.


Check notice: Code scanning / CodeQL, Inefficient use of ContainsKey (Note)

Inefficient use of 'ContainsKey' and indexer.

Copilot Autofix (AI, 8 days ago):

To fix the issue, replace the Request.Query.ContainsKey("drive") check and subsequent access to Request.Query["drive"] with a single call to Request.Query.TryGetValue. This approach combines the key existence check and value retrieval into one operation, improving efficiency and readability.

Specifically:

  1. Replace the conditional expression on line 25 with a call to Request.Query.TryGetValue.
  2. Use the out parameter of TryGetValue to retrieve the value of the "drive" key if it exists, or assign the default value "C" if it does not.

Suggested changeset 1: src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -24,3 +24,3 @@
     {
-        string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";
+        string drive = Request.Query.TryGetValue("drive", out var driveValue) ? driveValue : "C";
         var str = $"/C fsutil volume diskfree {drive}:";
EOF
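Review bot: this removes the double lookup but not the actual problem on the `+` line: `driveValue` is a `StringValues`, so `?drive=C&drive=D` arrives as `"C,D"` and `?drive=` as `""`, and whatever arrives flows unchanged into `var str = $"/C fsutil volume diskfree {drive}:";` on the following context line. Validate before use, for example `if (drive.Length != 1 || !char.IsAsciiLetter(drive[0])) { Response.StatusCode = 400; return; }`, and only build the command string from the validated value.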
var str = $"/C fsutil volume diskfree {drive}:";

_logger.LogInformation($"Executing command: {str}");

Check failure: Code scanning / CodeQL, Log entries created from user input (High)

This log entry depends on a user-provided value.

Copilot Autofix (AI, 8 days ago):

To fix the issue, the user-provided input (drive) should be sanitized before being included in the log entry. Since the log entry is plain text, we can remove newline characters and other potentially problematic characters from the drive parameter. This can be achieved using String.Replace or a similar method to ensure that the log entry cannot be manipulated by malicious input.

Specifically:

  1. Sanitize the drive variable by removing newline characters (\n, \r) and any other characters that could interfere with log formatting.
  2. Use the sanitized drive variable when constructing the str variable and logging the message.

Suggested changeset 1: src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch. Run the following command in your local git repository to apply this patch:
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -25,2 +25,3 @@
         string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";
+        drive = drive.Replace("\n", "").Replace("\r", ""); // Sanitize user input
         var str = $"/C fsutil volume diskfree {drive}:";
EOF
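Review bot: stripping `\n` and `\r` on the `+` line is a denylist that only stops the simplest log-line forging; it leaves other control characters, Unicode line separators and terminal escape sequences in `drive`, and it does nothing for the command-string context on the next line, `var str = $"/C fsutil volume diskfree {drive}:";`. Replace the `Replace` chain with an allowlist check that `drive` is exactly one ASCII letter and reject everything else with a 400; that closes the logging finding and the command-string construction in one step. The `Request.Query["drive"]` context line above is also the one the build's null-reference warnings on line 25 refer to, and this patch leaves it untouched.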
_logger.LogInformation($"User: {User.Identity?.Name}");
_logger.LogInformation($"Admin: {User.IsInRole("Admin")}");
_logger.LogInformation("Admin" + adminUserName);

_logger.LogInformation("DevSecOps page visited at {Time}", System.DateTime.UtcNow);
}
}
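Review bot: `DEFAULT_PASSWORD_NEW` and `JWT_SECRET_KEY` are `public const` strings, so both secrets are compiled into the assembly's metadata, exposed as public API, and inlined into any assembly that references them; the `// TODO` comments on those lines already say they must not ship this way. Read them from `IConfiguration` (user-secrets locally, environment or a vault in deployment; `Azure.Identity` is already referenced in `webapp01.csproj`), fail at startup if they are missing, and delete the literals before merge, treating any real value that was committed as compromised because it stays in git history. Separately, `_logger.LogInformation("Admin" + adminUserName);` is missing a separator, and `_logger.LogInformation($"Executing command: {str}");` interpolates user input into the message; use the named-placeholder form the last call already uses (`"DevSecOps page visited at {Time}"`) for all four log statements so the value is a property, not part of the template.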
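As an added example, not code from this PR or the webapp01 project, here is the same handler logic written so that none of the three findings above apply: the signing key comes from configuration and is checked at startup, the `drive` query parameter is validated against an allowlist before it reaches a log or a command string, and the log calls use named placeholders. Everything here is hypothetical: a minimal ASP.NET Core app on net8.0 with a `/diskfree` endpoint instead of the Razor page, a configuration key `Jwt:SigningKey` (set with `dotnet user-secrets set Jwt:SigningKey <value>` or the environment variable `Jwt__SigningKey`), and no actual `fsutil` process is spawned.

```csharp
// Added example (not code from this PR or the webapp01 project): hardened version of
// the /DevSecOps handler logic. Assumed, hypothetical names: endpoint /diskfree and
// configuration key Jwt:SigningKey. Runs as Program.cs of a net8.0 web project.
using System;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// 1. Secrets come from configuration, never from a `public const` compiled into the
//    assembly. Fail fast at startup if the key is missing or too short for HMAC-SHA256
//    (256 bits = 32 bytes, the minimum the JWT_SECRET_KEY name hints at).
string? signingKey = app.Configuration["Jwt:SigningKey"];
if (string.IsNullOrEmpty(signingKey) || Encoding.UTF8.GetByteCount(signingKey) < 32)
{
    throw new InvalidOperationException(
        "Jwt:SigningKey must be configured and be at least 32 bytes; refusing to start.");
}

// 2. Allowlist, not denylist: a drive designator is exactly one ASCII letter.
//    This rejects newline and escape-sequence payloads (the log-injection finding) and
//    shell metacharacters (the command-string construction) in one check.
static bool IsDriveLetter(string value) =>
    value.Length == 1 && char.IsAsciiLetter(value[0]);

app.MapGet("/diskfree", (HttpRequest request, ILogger<Program> logger) =>
{
    // TryGetValue yields a StringValues: ?drive=C&drive=D becomes "C,D" here and
    // ?drive= becomes "", both of which the allowlist below rejects.
    string drive = request.Query.TryGetValue("drive", out var raw) ? raw.ToString() : "C";

    if (!IsDriveLetter(drive))
    {
        // Log that a rejection happened, not the rejected bytes, so a hostile value
        // never reaches a plain-text sink.
        logger.LogWarning("Rejected diskfree request: drive parameter invalid (length {Length})",
            drive.Length);
        return Results.BadRequest(new { error = "drive must be a single letter A-Z" });
    }
    drive = drive.ToUpperInvariant();

    // 3. Structured logging: values are named properties, not interpolated into the
    //    message template, so the sink can encode them and queries can filter on them.
    logger.LogInformation("diskfree requested for drive {Drive} by {User}",
        drive, request.HttpContext.User.Identity?.Name ?? "anonymous");

    // 4. Build the command from the validated value only, as an argument list rather
    //    than a "/C ..." string handed to cmd.exe. Returned here instead of executed.
    var arguments = new[] { "volume", "diskfree", $"{drive}:" };
    return Results.Ok(new { drive, command = "fsutil", arguments });
});

app.Run();
```

With this in place `GET /diskfree?drive=C` returns the validated command description, while `GET /diskfree?drive=C%0AForged%20line` and `GET /diskfree?drive=C&drive=D` both get a 400 and a log line that records only the rejected value's length.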
8 changes: 8 additions & 0 deletions src/webapp01/Pages/Index.cshtml
@@ -11,3 +11,11 @@
<p class="card-text">Visit our <a asp-page="/About">About GHAS</a> page to learn about GitHub Advanced Security features.</p>
</div>
</div>

<div class="row">
<div class="col-md-4">
<h2>DevSecOps</h2>
<p>Learn about the latest in DevSecOps and GitHub Advanced Security.</p>
<p><a class="btn btn-secondary" asp-page="/DevSecOps">Explore DevSecOps &raquo;</a></p>
</div>
</div>
1 change: 1 addition & 0 deletions src/webapp01/webapp01.csproj
@@ -13,6 +13,7 @@
<PackageReference Include="Azure.Identity" Version="1.13.2" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
<PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
<PackageReference Include="System.Text.Json" Version="9.0.4" />
</ItemGroup>
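Review bot: `Newtonsoft.Json` is pinned at `12.0.2`, a 2019 release a full major version behind the current 13.x line, while the project already references `System.Text.Json` `9.0.4` on the next line. Either bump it to the latest 13.x and let Dependabot or dependency review confirm it is advisory-free, or, since nothing added in this PR uses it (the new page model references no JSON API), drop the reference rather than ship a second JSON stack.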
