feat: Implement DevSecOps demo page for GHAS features #73
+296
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add new DevSecOps.cshtml page with GHAS latest news and features - Implement ILogger for backend logging and security demonstrations - Add intentionally vulnerable code patterns for GHAS demo: * Log forging vulnerabilities * SQL injection patterns * Regex DoS vulnerabilities * Hard-coded credentials - Update package dependencies: * System.Text.Json 8.0.4 (vulnerable version for demo) * Microsoft.Data.SqlClient 5.0.2 (vulnerable version for demo) * Newtonsoft.Json 12.0.2 (vulnerable version for demo) - Add navigation menu link to DevSecOps demo page - Update Index page with links to new DevSecOps features - Build verified without compilation errors Implements issue #72 - DevSecOps demo for GitHub Advanced Security
Dependency ReviewThe following issues were found:
Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Vulnerabilitiessrc/webapp01/webapp01.csprojOnly included vulnerabilities with severity moderate or higher. OpenSSF Scorecard
Scanned Files
|
1 similar comment
Dependency ReviewThe following issues were found:
Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Vulnerabilitiessrc/webapp01/webapp01.csprojOnly included vulnerabilities with severity moderate or higher. OpenSSF Scorecard
Scanned Files
|
|
|
||
| // Insecure: Log user data without sanitization for demo purposes | ||
| string userAgent = Request.Headers["User-Agent"].ToString(); | ||
| _logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent); |
Check failure
Code scanning / CodeQL
Log entries created from user input High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 29 days ago
To fix the issue, the user-provided User-Agent header should be sanitized before being logged. Since the logs are likely stored as plain text, newline characters should be removed from the User-Agent string to prevent log forging. This can be achieved using String.Replace to replace newline characters (\n and \r) with an empty string. Additionally, the input should be clearly marked in the log entry to avoid confusion.
Changes will be made to line 36 in the OnGet method to sanitize the userAgent value before logging it.
Suggested changeset
1
src/webapp01/Pages/DevSecOps.cshtml.cs
| @@ -35,3 +35,4 @@ | ||
| string userAgent = Request.Headers["User-Agent"].ToString(); | ||
| _logger.LogInformation("User accessed DevSecOps page with User-Agent: " + userAgent); | ||
| string sanitizedUserAgent = userAgent.Replace("\n", "").Replace("\r", ""); | ||
| _logger.LogInformation("User accessed DevSecOps page with sanitized User-Agent: " + sanitizedUserAgent); | ||
| } |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+55
to
+58
| catch (Exception ex) | ||
| { | ||
| _logger.LogError("Database error: " + ex.Message); | ||
| } |
Check notice
Code scanning / CodeQL
Generic catch clause Note
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 29 days ago
To fix the problem, replace the generic catch clause catch (Exception ex) with specific exception types that are relevant to the database operation. For SQL-related errors, the SqlException class should be caught. If additional exceptions need to be handled, they can be added as separate catch blocks. This approach ensures that only relevant exceptions are caught, improving error diagnosis and handling.
Steps to implement the fix:
- Replace the generic
catch (Exception ex)block with a specificcatch (SqlException ex)block. - Optionally, add additional catch blocks for other specific exceptions if necessary.
- Ensure that the logging remains intact to provide diagnostic information.
Suggested changeset
1
src/webapp01/Pages/DevSecOps.cshtml.cs
| @@ -54,5 +54,5 @@ | ||
| } | ||
| catch (Exception ex) | ||
| catch (SqlException ex) | ||
| { | ||
| _logger.LogError("Database error: " + ex.Message); | ||
| _logger.LogError("SQL error: " + ex.Message); | ||
| } |
Copilot is powered by AI and may make mistakes. Always verify output.
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new DevSecOps demo page showcasing GitHub Advanced Security features, intentionally includes vulnerable code patterns for demonstration, and updates navigation and dependencies accordingly.
- Downgrade package versions to known vulnerable releases and add Newtonsoft.Json for demo purposes
- Add navigation link, index page cards, and a new Razor page with accompanying PageModel
- Implement ILogger usage and include demo security vulnerabilities (SQL injection, regex DoS, log forging, hard-coded credentials)
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/webapp01/webapp01.csproj | Downgraded Microsoft.Data.SqlClient & System.Text.Json; added Newtonsoft.Json v12.0.2 |
| src/webapp01/Pages/Shared/_Layout.cshtml | Inserted "DevSecOps Demo" link into navbar |
| src/webapp01/Pages/Index.cshtml | Added DevSecOps cards and buttons to the home page |
| src/webapp01/Pages/DevSecOps.cshtml.cs | Introduced DevSecOpsModel with OnGet/OnPost and demo vulnerabilities |
| src/webapp01/Pages/DevSecOps.cshtml | Created demo page layout, news list, form, and animations |
Comments suppressed due to low confidence (2)
src/webapp01/Pages/DevSecOps.cshtml.cs:1
- The new
DevSecOpsModelmethods (OnGet, OnPost) implement key demonstration scenarios but lack unit or integration tests. Consider adding tests to cover these handlers and verify expected behaviors.
using Microsoft.AspNetCore.Mvc;
src/webapp01/Pages/Shared/_Layout.cshtml:20
- The closing tag and the start tag are on the same line, which hurts readability. Split them onto separate lines with proper indentation for cleaner HTML structure.
</button> <div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">
| using Microsoft.AspNetCore.Mvc; | ||
| using Microsoft.AspNetCore.Mvc.RazorPages; | ||
| using System.Text.RegularExpressions; | ||
| using System.Data.SqlClient; |
There was a problem hiding this comment.
The System.Data.SqlClient namespace is not used in this file (you’re using Microsoft.Data.SqlClient). You can remove this unused using directive to keep imports clean.
Suggested change
| using System.Data.SqlClient; |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements issue #72 - DevSecOps demo for GitHub Advanced Security