From 67536eb38191a0dbaf6690758e178e6b2276effd Mon Sep 17 00:00:00 2001
From: Calin Lupas <lupas_calin@yahoo.com>
Date: Thu, 29 May 2025 10:03:08 -0400
Subject: [PATCH] feat: Add DevSecOps demo page with GHAS features and
 intentional vulnerabilities

- Added new DevSecOps.cshtml page with latest GitHub Advanced Security news
- Implemented ILogger for backend logging in DevSecOpsModel
- Added intentional security vulnerabilities for GHAS demo:
  * Log forging vulnerability with user input injection
  * Vulnerable regex pattern susceptible to ReDoS attacks
  * Hardcoded database credentials
  * Potential JSON deserialization issues
- Updated package dependencies to specific versions with known vulnerabilities:
  * Microsoft.Data.SqlClient v5.0.2 (has known high severity vulnerability)
  * System.Text.Json v8.0.4 (has known high severity vulnerability)
  * Added Newtonsoft.Json v12.0.2 (has known high severity vulnerability)
- Added navigation links to DevSecOps page in main layout and index page
- Enhanced index page with prominent link to new DevSecOps demo

This implementation demonstrates various security issues that GitHub Advanced Security
tools should detect, including code scanning alerts for vulnerable patterns,
secret scanning for hardcoded credentials, and dependency alerts for vulnerable packages.
---
 src/webapp01/Pages/DevSecOps.cshtml      | 181 +++++++++++++++++++++++
 src/webapp01/Pages/DevSecOps.cshtml.cs   | 105 +++++++++++++
 src/webapp01/Pages/Index.cshtml          |   4 +
 src/webapp01/Pages/Shared/_Layout.cshtml |   6 +-
 src/webapp01/webapp01.csproj             |   6 +-
 5 files changed, 297 insertions(+), 5 deletions(-)
 create mode 100644 src/webapp01/Pages/DevSecOps.cshtml
 create mode 100644 src/webapp01/Pages/DevSecOps.cshtml.cs

diff --git a/src/webapp01/Pages/DevSecOps.cshtml b/src/webapp01/Pages/DevSecOps.cshtml
new file mode 100644
index 0000000..19f5d71
--- /dev/null
+++ b/src/webapp01/Pages/DevSecOps.cshtml
@@ -0,0 +1,181 @@
+@page
+@model DevSecOpsModel
+@{
+    ViewData["Title"] = "DevSecOps with GitHub Advanced Security";
+}
+
+<div class="container">
+    <div class="row">
+        <div class="col-12">
+            <h1 class="display-4 text-primary">@ViewData["Title"]</h1>
+            <p class="lead">Discover the latest features and capabilities of GitHub Advanced Security (GHAS)</p>
+            <hr />
+        </div>
+    </div>
+
+    <!-- Alert for TempData messages -->
+    @if (TempData["RegexResult"] != null)
+    {
+        <div class="alert alert-info alert-dismissible fade show" role="alert">
+            @TempData["RegexResult"]
+            <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+        </div>
+    }
+
+    @if (TempData["RegexError"] != null)
+    {
+        <div class="alert alert-danger alert-dismissible fade show" role="alert">
+            @TempData["RegexError"]
+            <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+        </div>
+    }
+
+    <div class="row">
+        <!-- Latest GHAS News Section -->
+        <div class="col-lg-8">
+            <div class="card mb-4">
+                <div class="card-header bg-dark text-white">
+                    <h3 class="card-title mb-0">
+                        <i class="bi bi-shield-check"></i> Latest GitHub Advanced Security News
+                    </h3>
+                </div>
+                <div class="card-body">
+                    @if (Model.LatestNews.Any())
+                    {
+                        <div class="list-group list-group-flush">
+                            @foreach (var newsItem in Model.LatestNews)
+                            {
+                                <div class="list-group-item d-flex align-items-start">
+                                    <span class="badge bg-success rounded-pill me-3 mt-1">NEW</span>
+                                    <div>
+                                        <p class="mb-1">@newsItem</p>
+                                        <small class="text-muted">Updated: @DateTime.Now.ToString("MMM dd, yyyy")</small>
+                                    </div>
+                                </div>
+                            }
+                        </div>
+                    }
+                    else
+                    {
+                        <p class="text-muted">No news available at this time.</p>
+                    }
+                </div>
+            </div>
+
+            <!-- GHAS Features Overview -->
+            <div class="card mb-4">
+                <div class="card-header bg-primary text-white">
+                    <h3 class="card-title mb-0">Core GHAS Features</h3>
+                </div>
+                <div class="card-body">
+                    <div class="row">
+                        <div class="col-md-6">
+                            <h5><i class="bi bi-search"></i> Code Scanning</h5>
+                            <p>Automated vulnerability detection using CodeQL semantic analysis engine.</p>
+                            
+                            <h5><i class="bi bi-key"></i> Secret Scanning</h5>
+                            <p>Detect and prevent secrets from being committed to repositories.</p>
+                        </div>
+                        <div class="col-md-6">
+                            <h5><i class="bi bi-layers"></i> Dependency Review</h5>
+                            <p>Understand security impact of dependency changes in pull requests.</p>
+                            
+                            <h5><i class="bi bi-graph-up"></i> Security Overview</h5>
+                            <p>Organization-wide security posture visibility and compliance tracking.</p>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <!-- Sidebar with Demo Tools -->
+        <div class="col-lg-4">
+            <!-- Security Demo Section -->
+            <div class="card mb-4">
+                <div class="card-header bg-warning text-dark">
+                    <h4 class="card-title mb-0">
+                        <i class="bi bi-exclamation-triangle"></i> Security Demo
+                    </h4>
+                </div>
+                <div class="card-body">
+                    <p class="text-muted small">
+                        This page contains intentionally vulnerable code for demonstration purposes.
+                        These vulnerabilities should be detected by GHAS code scanning.
+                    </p>
+                    
+                    <!-- Regex Testing Form -->
+                    <form method="post" asp-page-handler="TestRegex" class="mt-3">
+                        <div class="mb-3">
+                            <label for="pattern" class="form-label">Test Regex Pattern:</label>
+                            <input type="text" class="form-control" id="pattern" name="pattern" 
+                                   placeholder="Enter pattern (e.g., aaa)" value="aaa">
+                            <div class="form-text">
+                                ⚠️ This uses a vulnerable regex pattern susceptible to ReDoS attacks.
+                            </div>
+                        </div>
+                        <button type="submit" class="btn btn-warning btn-sm">
+                            <i class="bi bi-play"></i> Test Pattern
+                        </button>
+                    </form>
+                </div>
+            </div>
+
+            <!-- Quick Links -->
+            <div class="card">
+                <div class="card-header bg-info text-white">
+                    <h4 class="card-title mb-0">Quick Links</h4>
+                </div>
+                <div class="card-body">
+                    <div class="d-grid gap-2">
+                        <a href="https://docs.github.com/en/code-security" class="btn btn-outline-primary btn-sm" target="_blank">
+                            <i class="bi bi-book"></i> GHAS Documentation
+                        </a>
+                        <a href="https://github.com/github/codeql" class="btn btn-outline-secondary btn-sm" target="_blank">
+                            <i class="bi bi-github"></i> CodeQL Repository
+                        </a>
+                        <a href="https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning" class="btn btn-outline-success btn-sm" target="_blank">
+                            <i class="bi bi-shield-check"></i> Code Scanning Guide
+                        </a>
+                        <a href="https://docs.github.com/en/code-security/secret-scanning" class="btn btn-outline-warning btn-sm" target="_blank">
+                            <i class="bi bi-key"></i> Secret Scanning
+                        </a>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Footer Section -->
+    <div class="row mt-5">
+        <div class="col-12">
+            <div class="alert alert-light" role="alert">
+                <h5 class="alert-heading">
+                    <i class="bi bi-lightbulb"></i> Pro Tip: 
+                </h5>
+                <p>
+                    Enable GitHub Advanced Security on your repositories to automatically detect the 
+                    security vulnerabilities demonstrated in this page's source code. GHAS will identify 
+                    issues like hardcoded credentials, vulnerable regex patterns, and potential log injection attacks.
+                </p>
+                <hr>
+                <p class="mb-0">
+                    Learn more about implementing a comprehensive DevSecOps strategy with 
+                    <a href="https://github.com/features/security" target="_blank">GitHub Advanced Security</a>.
+                </p>
+            </div>
+        </div>
+    </div>
+</div>
+
+@section Scripts {
+    <script>
+        // Simple script to auto-dismiss alerts after 5 seconds
+        setTimeout(function() {
+            const alerts = document.querySelectorAll('.alert-dismissible');
+            alerts.forEach(alert => {
+                const bsAlert = new bootstrap.Alert(alert);
+                bsAlert.close();
+            });
+        }, 5000);
+    </script>
+}
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
new file mode 100644
index 0000000..acff4fc
--- /dev/null
+++ b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -0,0 +1,105 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using Microsoft.Data.SqlClient;
+using Newtonsoft.Json;
+using System.Text.Json;
+
+namespace webapp01.Pages
+{
+    public class DevSecOpsModel : PageModel
+    {
+        private readonly ILogger<DevSecOpsModel> _logger;
+
+        // Hardcoded credentials for demo purposes - INSECURE
+        private const string CONNECTION_STRING = "Server=localhost;Database=TestDB;User Id=admin;Password=SecretPassword123!;";
+        
+        // Weak regex pattern - vulnerable to ReDoS
+        private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled);
+
+        public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
+        {
+            _logger = logger;
+        }
+
+        public List<string> LatestNews { get; set; } = new();        public void OnGet()
+        {
+            // Log forging vulnerability - user input directly in logs
+            string userInput = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous";
+            _logger.LogInformation($"User accessed DevSecOps page: {userInput}");
+
+            // Simulate getting latest news about GitHub Advanced Security
+            LoadLatestGHASNews();
+
+            // Demonstrate potential ReDoS vulnerability
+            string testPattern = Request.Query.ContainsKey("pattern") ? Request.Query["pattern"].ToString() ?? "aaa" : "aaa";
+            try
+            {
+                bool isMatch = VulnerableRegex.IsMatch(testPattern);
+                _logger.LogInformation($"Regex pattern match result: {isMatch} for input: {testPattern}");
+            }
+            catch (Exception ex)
+            {
+                // Log forging in exception handling
+                _logger.LogError($"Regex evaluation failed for pattern: {testPattern}. Error: {ex.Message}");
+            }
+
+            // Simulate database connection with hardcoded credentials
+            try
+            {
+                using var connection = new SqlConnection(CONNECTION_STRING);
+                _logger.LogInformation("Attempting database connection...");
+                // Don't actually open connection for demo purposes
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError($"Database connection failed: {ex.Message}");
+            }
+        }
+
+        private void LoadLatestGHASNews()
+        {
+            LatestNews = new List<string>
+            {
+                "GitHub Advanced Security now supports enhanced code scanning with CodeQL 2.20",
+                "New secret scanning patterns added for over 200 service providers",
+                "Dependency review alerts now include detailed remediation guidance",
+                "Security advisories integration improved for better vulnerability management",
+                "Custom CodeQL queries can now be shared across organizations",
+                "AI-powered security suggestions available in GitHub Copilot for Security",
+                "New compliance frameworks supported in security overview dashboard",
+                "Enhanced SARIF support for third-party security tools integration"
+            };
+
+            // Potential JSON deserialization vulnerability
+            string jsonData = JsonConvert.SerializeObject(LatestNews);
+            var deserializedData = JsonConvert.DeserializeObject<List<string>>(jsonData);
+            
+            _logger.LogInformation($"Loaded {LatestNews.Count} news items about GitHub Advanced Security");
+        }
+
+        public IActionResult OnPostTestRegex(string pattern)
+        {
+            if (string.IsNullOrEmpty(pattern))
+                return BadRequest("Pattern cannot be empty");
+
+            // Log forging vulnerability in POST handler
+            _logger.LogInformation($"Testing regex pattern submitted by user: {pattern}");
+
+            try
+            {
+                // Vulnerable regex that could cause ReDoS
+                bool result = VulnerableRegex.IsMatch(pattern);
+                TempData["RegexResult"] = $"Pattern '{pattern}' match result: {result}";
+            }
+            catch (Exception ex)
+            {
+                // Logging sensitive information
+                _logger.LogError($"Regex test failed for pattern: {pattern}. Exception: {ex}");
+                TempData["RegexError"] = "Pattern evaluation failed";
+            }
+
+            return RedirectToPage();
+        }
+    }
+}
diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml
index 394a289..e0db7f6 100644
--- a/src/webapp01/Pages/Index.cshtml
+++ b/src/webapp01/Pages/Index.cshtml
@@ -9,5 +9,9 @@
         <h5 class="card-title">.NET 💜 Azure v5</h5>
         <p class="card-text">Learn about <a href="https://learn.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
         <p class="card-text">Visit our <a asp-page="/About">About GHAS</a> page to learn about GitHub Advanced Security features.</p>
+        <p class="card-text">
+            <strong>New!</strong> Check out our <a asp-page="/DevSecOps" class="btn btn-primary btn-sm">DevSecOps Demo</a> 
+            page to see the latest GHAS features and security demonstrations.
+        </p>
     </div>
 </div>
diff --git a/src/webapp01/Pages/Shared/_Layout.cshtml b/src/webapp01/Pages/Shared/_Layout.cshtml
index f8bf480..bcaf503 100644
--- a/src/webapp01/Pages/Shared/_Layout.cshtml
+++ b/src/webapp01/Pages/Shared/_Layout.cshtml
@@ -18,14 +18,16 @@
                         aria-expanded="false" aria-label="Toggle navigation">
                     <span class="navbar-toggler-icon"></span>
                 </button>
-                <div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">
-                    <ul class="navbar-nav flex-grow-1">
+                <div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">                    <ul class="navbar-nav flex-grow-1">
                         <li class="nav-item">
                             <a class="nav-link text-dark" asp-area="" asp-page="/Index">Home</a>
                         </li>
                         <li class="nav-item">
                             <a class="nav-link text-dark" asp-area="" asp-page="/About">About GHAS</a>
                         </li>
+                        <li class="nav-item">
+                            <a class="nav-link text-dark" asp-area="" asp-page="/DevSecOps">DevSecOps Demo</a>
+                        </li>
                         <li class="nav-item">
                             <a class="nav-link text-dark" asp-area="" asp-page="/Privacy">Privacy</a>
                         </li>
diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj
index 0fdd793..f3e9796 100644
--- a/src/webapp01/webapp01.csproj
+++ b/src/webapp01/webapp01.csproj
@@ -8,12 +8,12 @@
     <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
     <DockerfileContext>.</DockerfileContext>
   </PropertyGroup>
-
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.13.2" />
-    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
-    <PackageReference Include="System.Text.Json" Version="9.0.4" />
+    <PackageReference Include="System.Text.Json" Version="8.0.4" />
+    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
   </ItemGroup>
 
 </Project>