feat: Add DevSecOps demo page with GHAS features and intentional vulnerabilities

[CalinL]

• Added new DevSecOps.cshtml page with latest GitHub Advanced Security news
• Implemented ILogger for backend logging in DevSecOpsModel
• Added intentional security vulnerabilities for GHAS demo:
  • Log forging vulnerability with user input injection
  • Vulnerable regex pattern susceptible to ReDoS attacks
  • Hardcoded database credentials
  • Potential JSON deserialization issues
• Updated package dependencies to specific versions with known vulnerabilities:
  • Microsoft.Data.SqlClient v5.0.2 (has known high severity vulnerability)
  • System.Text.Json v8.0.4 (has known high severity vulnerability)
  • Added Newtonsoft.Json v12.0.2 (has known high severity vulnerability)
• Added navigation links to DevSecOps page in main layout and index page
• Enhanced index page with prominent link to new DevSecOps demo

This implementation demonstrates various security issues that GitHub Advanced Security
tools should detect, including code scanning alerts for vulnerable patterns,
secret scanning for hardcoded credentials, and dependency alerts for vulnerable packages.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 67536eb.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

src/webapp01/webapp01.csproj

Name	Version	Vulnerability	Severity
Microsoft.Data.SqlClient	5.0.2	Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass	high
Newtonsoft.Json	12.0.2	Improper Handling of Exceptional Conditions in Newtonsoft.Json	high
System.Text.Json	8.0.4	Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability	high

Only included vulnerabilities with severity moderate or higher.

OpenSSF Scorecard

Package	Version	Score	Details
nuget/Microsoft.Data.SqlClient	5.0.2	🟢 6.7	Details Check Score Reason Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 Dangerous-Workflow ⚠️ -1 no workflows found Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(release/5.2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Newtonsoft.Json	12.0.2	🟢 4.7	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST 🟢 7 SAST tool detected but not run on all commits
nuget/System.Text.Json	8.0.4	🟢 5.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2

Scanned Files

• src/webapp01/webapp01.csproj

To fix the issue, replace the ContainsKey check and subsequent dictionary access with a single call to TryGetValue. This will combine the key existence check and value retrieval into one operation, improving efficiency. Specifically:

• Replace Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous" with a TryGetValue call that retrieves the value if the key exists or defaults to "anonymous" otherwise.

---

To fix the issue, sanitize the userInput variable before logging it. Since the logs are plain text, remove newline characters and other potentially harmful characters from the user input using String.Replace or similar methods. This ensures that malicious input cannot forge log entries or cause confusion.

The fix involves:

1. Replacing newline characters (\r\n, \n, \r) in userInput with an empty string.
2. Optionally, encoding or escaping other special characters to further reduce the risk of log manipulation.

To fix the issue, replace the ContainsKey check and subsequent indexer access with a single call to the TryGetValue method. This will combine the key existence check and value retrieval into one operation, improving efficiency. Specifically, on line 35, replace the Request.Query.ContainsKey("pattern") check with a TryGetValue call, and handle the result accordingly.

---

To address the vulnerability, we will modify the regex operation to include a timeout. This ensures that the regex evaluation is canceled if it exceeds a specified duration, preventing the application from hanging indefinitely. The timeout will be set using the Regex constructor that accepts a TimeSpan parameter.

Additionally, we will replace the vulnerable regex pattern ^(a+)+$ with a safer alternative that avoids exponential worst-case complexity. If a safer alternative is not feasible, the timeout will serve as a fallback mitigation.

Changes will be made to:

1. The definition of VulnerableRegex to include a timeout.
2. The regex operations in both the OnGet and OnPostTestRegex methods to use the updated regex.

To fix the issue, the user-provided input (testPattern) should be sanitized before being logged. Since the log is likely stored as plain text, newline characters and other control characters should be removed from the input. This can be achieved using String.Replace or a similar method. Additionally, the sanitized input should be clearly marked in the log message to prevent confusion.

The fix involves:

1. Sanitizing the testPattern variable by removing newline characters and other control characters.
2. Updating the log message on line 39 to use the sanitized version of testPattern.

---

To fix the issue, we will replace the generic catch (Exception ex) block with specific exception types that are relevant to the regex operation. The most appropriate exception to catch here is RegexMatchTimeoutException, which occurs when a regex operation exceeds its timeout. This ensures that only anticipated exceptions are handled, and other unexpected exceptions are allowed to propagate.

Additionally, we will update the log message to avoid exposing sensitive information unnecessarily.

---

To fix the issue, the user-provided input (testPattern) should be sanitized before being included in the log message. Since the logs are plain text, we can remove newline characters and other potentially problematic characters from the input using String.Replace or similar methods. This ensures that the log entry cannot be manipulated by malicious input.

The fix involves:

1. Sanitizing testPattern before it is used in the log message on line 44.
2. Applying the same sanitization to other log messages that use testPattern (e.g., line 39).

To fix the issue, replace the generic catch clause catch (Exception ex) with a specific catch clause for SqlException, which is the most relevant exception type for database connection errors. This ensures that only database-related exceptions are caught and logged, while other exceptions are allowed to propagate. Additionally, if there is a need to handle other specific exceptions, they can be added as separate catch blocks.

Steps to implement the fix:

1. Replace the generic catch (Exception ex) block with catch (SqlException ex).
2. Ensure that the logging logic remains unchanged to log the details of the SqlException.

---

To fix the issue, the assignment to deserializedData on line 76 should be removed entirely, as the variable is not used anywhere in the code. This will eliminate the unnecessary assignment and improve code clarity. The deserialization operation itself can also be removed unless it serves a purpose beyond assigning a value to deserializedData.

---

To fix the issue, the generic catch (Exception ex) clause should be replaced with specific exception types that are relevant to the regex operation. In this case, the RegexMatchTimeoutException is the most appropriate exception to catch, as it is specifically related to regex evaluation timeouts. This ensures that only expected exceptions are handled, while other unexpected exceptions propagate up the call stack for proper handling elsewhere.

Additionally, sensitive information from the exception object should not be logged directly. Instead, a generic error message should be logged to avoid exposing internal details.

---

[CalinL]

All great :)

[Copilot]

Pull Request Overview

This PR introduces a new DevSecOps demo page that showcases various intentional security vulnerabilities for demonstration purposes while also integrating GitHub Advanced Security (GHAS) features and updated backend logging.

• Updated project file to reference specific vulnerable dependency versions
• Added DevSecOps demo page with intentional security flaws including hardcoded credentials, a vulnerable regex, and log forging
• Enhanced layout and index pages with navigation links to the new demo page

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/webapp01/webapp01.csproj	Downgraded and added package references to simulate vulnerable dependencies
src/webapp01/Pages/Shared/_Layout.cshtml	Added navigation link for the DevSecOps demo page
src/webapp01/Pages/Index.cshtml	Enhanced index page with a prominent link to the DevSecOps demo
src/webapp01/Pages/DevSecOps.cshtml.cs	Introduced the demo page logic with intentional security vulnerabilities
src/webapp01/Pages/DevSecOps.cshtml	Created a new UI for the DevSecOps demo page featuring GHAS news and tools

Comments suppressed due to low confidence (1)

src/webapp01/Pages/DevSecOps.cshtml.cs:15

• Hardcoded database credentials are used intentionally for demonstration; ensure these are replaced or secured in production environments.

private const string CONNECTION_STRING = "Server=localhost;Database=TestDB;User Id=admin;Password=SecretPassword123!";

[Copilot]

The dependency version with known vulnerabilities is intentionally used for the demo; ensure that such versions are isolated to non-production environments.

Suggested change

	<PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
	<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.0" />

[Copilot]

Ensure this downgraded version is confined to demo use, as it has a known high severity vulnerability.

Suggested change

	<PackageReference Include="System.Text.Json" Version="8.0.4" />
	<PackageReference Include="System.Text.Json" Version="8.0.5" />

[Copilot]

The addition of this package version with known vulnerabilities should be clearly limited to demo scenarios to prevent production misuse.

Suggested change

	<PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
	<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />

[Copilot]

The regex pattern is vulnerable to ReDoS attacks; confirm that this insecure implementation remains only in demo environments.

Suggested change

	private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled);
	private static readonly Regex SecureRegex = new Regex(@"^a+$", RegexOptions.Compiled);

[Copilot]

Logging user input directly may lead to log forging; ensure that this practice is strictly confined to the controlled demo context.

Suggested change

	_logger.LogInformation($"User accessed DevSecOps page: {userInput}");
	string sanitizedUserInput = System.Text.Encodings.Web.JavaScriptEncoder.Default.Encode(userInput);
	_logger.LogInformation($"User accessed DevSecOps page: {sanitizedUserInput}");

[Copilot]

Although used for demo purposes, consider validating JSON serialization/deserialization to prevent potential security issues in less controlled environments.

[Copilot]

Logging detailed exception data alongside user input might expose sensitive information; consider masking details in production logs.

Suggested change

	// Logging sensitive information
	_logger.LogError($"Regex test failed for pattern: {pattern}. Exception: {ex}");
	// Log a generic error message without exposing sensitive details
	_logger.LogError("Regex test failed due to an unexpected error.");