feat: Implement DevSecOps demo page #66

Open: wants to merge 1 commit into base: main
55 changes: 55 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml
@@ -0,0 +1,55 @@
@page
@model webapp01.Pages.DevSecOpsModel
@{
ViewData["Title"] = "DevSecOps Demonstration";
}

<div class="text-center">
<h1 class="display-4">@ViewData["Title"]</h1>
</div>

<div>
<h2>GitHub Advanced Security (GHAS)</h2>
<p>
GitHub Advanced Security provides a suite of tools to help you secure your software development lifecycle directly within your GitHub workflow.
It helps you find and fix vulnerabilities earlier, automate security processes, and maintain compliance.
</p>
<p>Key features include:</p>
<ul>
<li><strong>Code scanning:</strong> Automatically analyzes your code for security vulnerabilities and coding errors. It supports a wide range of languages and frameworks. Results are displayed directly in pull requests.</li>
<li><strong>Secret scanning:</strong> Detects secrets, such as tokens and private keys, that have been accidentally committed to your repository. It can prevent fraudulent use of compromised credentials.</li>
<li><strong>Dependency review:</strong> Shows the full impact of changes to dependencies and displays details of any vulnerable versions before you merge a pull request.</li>
</ul>

<h3>Demonstrating Insecure Code Patterns</h3>
<p>This page's backend includes examples of insecure code patterns for educational purposes. These are things GHAS can help identify.</p>

<h4>Log Forging Example</h4>
<p>Try adding <code>?userInput=test%0AINFO: Fake log entry</code> to the URL to see a log forging attempt.</p>
<form method="get">
<div class="form-group">
<label for="userInputLog">User Input for Log:</label>
<input type="text" class="form-control" id="userInputLog" name="userInput" value="test">
</div>
<button type="submit" class="btn btn-primary mt-2">Test Log Forging</button>
</form>
@if (!string.IsNullOrEmpty(Model.LogForgingTestResult))
{
<div class="alert alert-info mt-2">@Model.LogForgingTestResult</div>
}

<h4>Regex Exposure (ReDoS) Example</h4>
<p>The backend has a regex pattern <code>(a+)+$</code> which is vulnerable to ReDoS. Test with inputs like "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" (many 'a's followed by an exclamation mark).</p>
<form method="post">
<div class="form-group">
<label for="regexInput">Input for Regex Check:</label>
<input type="text" class="form-control" id="regexInput" asp-for="RegexInput">
</div>
<button type="submit" class="btn btn-primary mt-2" asp-page-handler="CheckRegex">Test Regex</button>
</form>
@if (!string.IsNullOrEmpty(Model.RegexTestResult))
{
<div class="alert alert-info mt-2">@Model.RegexTestResult</div>
}

</div>
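Review bot: the two text inputs (`userInputLog` and the `asp-for="RegexInput"` field) have no length bound, so the cost of the ReDoS demonstration is limited only by the server-side match timeout; add a `maxlength` attribute (for example `maxlength="64"`) to both inputs so the backtracking demo stays cheap on a shared host, and mention in the paragraph above the regex form that the backend enforces a timeout, since the page text currently only states that the pattern "is vulnerable to ReDoS" without saying how the demo is kept safe.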
84 changes: 84 additions & 0 deletions src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -0,0 +1,84 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;
using System;
using System.Text.RegularExpressions;

namespace webapp01.Pages
{
public class DevSecOpsModel : PageModel
{
private readonly ILogger<DevSecOpsModel> _logger;

[BindProperty(SupportsGet = true)]
public string? UserInput { get; set; }

[BindProperty]
public string? RegexInput { get; set; }

public string? LogForgingTestResult { get; private set; }
public string? RegexTestResult { get; private set; }

public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
{
_logger = logger;
}

public void OnGet()
{
_logger.LogInformation("DevSecOps page visited at {Time}", DateTime.UtcNow);

if (!string.IsNullOrEmpty(UserInput))
{
// Insecure Log Forging: UserInput is directly logged.
// A malicious user could inject newline characters and fake log entries.
// Example: userInput = "test%0AINFO:+User+logged+out"
_logger.LogInformation("User input from query: " + UserInput);
Copilot AI May 9, 2025

This direct concatenation of user input is intentionally insecure for demonstration of log forging; consider adding a clearer comment or a TODO indicating that this should never be used in production.

Suggested change
_logger.LogInformation("User input from query: " + UserInput);
_logger.LogInformation("User input from query: {UserInput}", UserInput);


LogForgingTestResult = $"Logged: 'User input from query: {UserInput}'. Check the application logs.";
}
}

public IActionResult OnPostCheckRegex()
{
_logger.LogInformation("Checking regex pattern for input: {Input}", RegexInput);
RegexTestResult = PerformRegexCheck(RegexInput ?? string.Empty);
return Page();
}

private string PerformRegexCheck(string input)
{
// Insecure Regex (Potential ReDoS - Regular Expression Denial of Service)
// The pattern (a+)+$ is an example of an "evil regex".
// With inputs like "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" (many 'a's followed by '!')
// it can cause catastrophic backtracking, leading to high CPU usage and denial of service.
// GHAS Code Scanning can often detect such vulnerable regex patterns.
Copilot AI May 9, 2025

Since the regex pattern is known to be vulnerable to ReDoS, add a comment or a TODO note clarifying that this insecure regex is for demonstration purposes only.

Suggested change
// GHAS Code Scanning can often detect such vulnerable regex patterns.
// GHAS Code Scanning can often detect such vulnerable regex patterns.
// TODO: This regex pattern is insecure and vulnerable to ReDoS attacks.
// It is used here for demonstration purposes only and should not be used in production.


string pattern = @"(a+)+$";
string result;
try
{
// It's good practice to set a timeout for regex operations.
if (Regex.IsMatch(input, pattern, RegexOptions.None, TimeSpan.FromSeconds(2)))
{
result = "Regex pattern matched.";
_logger.LogInformation(result);
}
else
{
result = "Regex pattern did not match.";
_logger.LogInformation(result);
}
}
catch (RegexMatchTimeoutException ex)
{
result = $"Regex operation timed out for input: '{input}'. This indicates a potential ReDoS vulnerability. Exception: {ex.Message}";
_logger.LogWarning(result);
}
catch (Exception ex)
{
result = $"An error occurred during regex matching: {ex.Message}";
_logger.LogError(ex, result);
}
Code scanning / CodeQL check notice on lines +76 to +80: Generic catch clause.

Copilot Autofix

AI 7 days ago

To fix the issue, replace the generic catch (Exception ex) block with specific exception types that are relevant to the Regex.IsMatch operation. For example:

  • ArgumentException can be caught to handle invalid regex patterns.
  • Any other exceptions that are critical or unexpected should not be caught here and should propagate to higher levels.

This ensures that only anticipated errors are handled, while critical exceptions are not suppressed.


Suggested changeset 1
src/webapp01/Pages/DevSecOps.cshtml.cs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
--- a/src/webapp01/Pages/DevSecOps.cshtml.cs
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -75,5 +75,5 @@
             }
-            catch (Exception ex)
+            catch (ArgumentException ex)
             {
-                result = $"An error occurred during regex matching: {ex.Message}";
+                result = $"An invalid regex pattern was provided: {ex.Message}";
                 _logger.LogError(ex, result);
EOF
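Review bot: the replacement `catch (ArgumentException ex)` in this autofix is dead code, because `pattern` is the compile-time constant `@"(a+)+$"` and `Regex.IsMatch` cannot raise an invalid-pattern `ArgumentException` for it, while the timeout case is already handled by the `RegexMatchTimeoutException` clause above it; the cleaner resolution of the "Generic catch clause" finding is to delete the generic catch block outright and let unexpected exceptions propagate to the ASP.NET Core exception handler.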
return result;
}
}
}
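Review bot: in `PerformRegexCheck` the `result` strings of the timeout and error branches are built by interpolating `input` and `ex.Message` and are then passed to `_logger.LogWarning(result)` and `_logger.LogError(ex, result)` as the message template, so any `{` or `}` in the user-supplied input is parsed as a template placeholder by Microsoft.Extensions.Logging (the CA2254 analyzer flags exactly this); log with a constant template and pass the values as arguments, e.g. `_logger.LogWarning(ex, "Regex operation timed out for input {Input}", input);`. Separately, the log-forging demo in `OnGet` shows only the insecure path: the structured `{UserInput}` template that the Copilot suggestion proposes does not by itself neutralise embedded CR/LF in a plain-text console sink, so the mitigated variant should also strip `\r` and `\n` from the value before logging, and the comment on the `// Example:` line could state that; for the regex demo, the mitigated variant worth showing alongside the timeout is `RegexOptions.NonBacktracking` (.NET 7+), which removes the catastrophic backtracking entirely.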
1 change: 1 addition & 0 deletions src/webapp01/Pages/Index.cshtml
@@ -9,5 +9,6 @@
<h5 class="card-title">.NET 💜 Azure v4</h5>
<p class="card-text">Learn about <a href="https://learn.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
<p class="card-text">Visit our <a asp-page="/About">About GHAS</a> page to learn about GitHub Advanced Security features.</p>
<p class="card-text">Explore our <a asp-page="/DevSecOps">DevSecOps Demo</a> page.</p>
</div>
</div>
1 change: 1 addition & 0 deletions src/webapp01/webapp01.csproj
@@ -13,6 +13,7 @@
<PackageReference Include="Azure.Identity" Version="1.13.2" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
<PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
<PackageReference Include="System.Text.Json" Version="9.0.4" />
</ItemGroup>
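Review bot: the added `System.Text.Json` 9.0.4 reference is not used by any file in this PR (the new page model only uses `Microsoft.Extensions.Logging` and `System.Text.RegularExpressions`), so either drop it or state in the PR description what needs it; if the project targets .NET 9, `System.Text.Json` already ships in the shared framework and the explicit `PackageReference` is redundant, and on an older target the pinned version should be justified, since an unused dependency only widens the supply-chain surface of a page whose purpose is to demonstrate dependency review.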
