Merge pull request #3 from github-samples/security-for-beginners

Security for beginners

Author: KyFaSt

.env

@@ -0,0 +1,22 @@
+# WARNING: This file contains intentionally exposed secrets for GitHub Advanced Security demo
+# DO NOT USE THESE IN PRODUCTION
+
+# Stripe API Keys (fake but realistic pattern)
+NEXT_PUBLIC_API_KEY=sk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0
+STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc
+
+# Azure Connection String (fake but realistic pattern)
+AZURE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=storageaccount;AccountKey=AKIAIOSFODNN7EXAMPLE;EndpointSuffix=core.windows.net
+
+# AWS Access Keys (fake but realistic pattern)
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+# GitHub Personal Access Token (fake but realistic pattern)
+GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz12
+
+# Database credentials (intentionally insecure for demo)
+DB_HOST=localhost
+DB_USER=admin
+DB_PASSWORD=SuperSecretPassword123!
+DATABASE_URL=postgresql://admin:SuperSecretPassword123!@localhost:5432/mydb

.eslintrc.json

@@ -0,0 +1,3 @@
+{
+  "extends": "next/core-web-vitals"
+}

.gitignore

@@ -1,36 +1,11 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
 # dependencies
 /node_modules
 /.pnp
 .pnp.js
 
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-
 # local env files
+# WARNING: .env is not ignored for GitHub Advanced Security demo purposes
+# In production, you should ALWAYS ignore .env files
 .env*.local
-.env
-
-# vercel
-.vercel
+# .env
 
-# typescript
-*.tsbuildinfo
-next-env.d.ts

README.md

@@ -1,2 +1,146 @@
-# gitfolio
-Minimal and modern developer portfolio template built with Next.js and Tailwind CSS.
+# Gitfolio - GitHub Advanced Security Demo
+
+Minimal and modern developer portfolio template built with Next.js - **intentionally vulnerable for educational purposes**.
+
+## ⚠️ Important Security Notice
+
+**THIS REPOSITORY CONTAINS INTENTIONAL SECURITY VULNERABILITIES**
+
+This is a demonstration repository for teaching GitHub Advanced Security features. It includes:
+- Exposed secrets and API keys
+- Vulnerable dependencies
+- Insecure code patterns
+
+**DO NOT USE THIS CODE IN PRODUCTION**
+
+## 🎯 Demo Scenarios
+
+### 1. Secret Scanning Demo 🔐
+
+**Files to review:**
+- [.env](.env) - Environment variables with exposed secrets
+- [config.js](config.js) - Hardcoded API keys and credentials
+
+**What will be detected:**
+- Stripe API keys
+- AWS credentials
+- Azure connection strings
+- GitHub tokens
+- Database passwords
+
+**Expected behavior:** GitHub Secret Scanning will automatically detect these patterns and create alerts in the Security tab.
+
+### 2. Dependabot Demo 📦
+
+**Files to review:**
+- [package.json](package.json)
+
+**Vulnerable dependencies included:**
+- `axios@0.21.1` - Known CVE for Server-Side Request Forgery
+- `lodash@4.17.19` - Multiple security vulnerabilities
+- `express@4.17.1` - Potential security issues
+- `next@12.0.0` - Outdated version
+- `react@17.0.2` - Outdated version
+
+**Expected behavior:** Dependabot will:
+1. Scan dependencies on push
+2. Create alerts for known vulnerabilities
+3. Automatically open pull requests with suggested updates
+
+### 3. CodeQL Analysis Demo 🔍
+
+**Vulnerable API endpoints:**
+
+#### Command Injection
+- **File:** [pages/api/user-search.js](pages/api/user-search.js)
+- **Vulnerability:** User input directly concatenated into shell command
+- **Attack example:** `username=admin; rm -rf /`
+
+#### SQL Injection
+- **File:** [lib/db.js](lib/db.js)
+- **Vulnerability:** Unsanitized user input in SQL queries
+- **Attack example:** `username=admin' OR '1'='1`
+
+#### Path Traversal
+- **File:** [pages/api/download.js](pages/api/download.js)
+- **Vulnerability:** Unrestricted file path access
+- **Attack example:** `filename=../../../../etc/passwd`
+
+#### Cross-Site Scripting (XSS)
+- **File:** [pages/api/display-message.js](pages/api/display-message.js)
+- **Vulnerability:** Unsanitized user input rendered in HTML
+- **Attack example:** `message=<script>alert('XSS')</script>`
+
+**Expected behavior:** CodeQL will trace data flow from user inputs to dangerous sinks and create security alerts.
+
+## 🚀 Setup Instructions
+
+### Prerequisites
+- Node.js 14+ installed
+- GitHub account with Advanced Security enabled
+- Git configured locally
+
+### Quick Start
+
+### Enable GitHub Advanced Security
+
+1. **Push code to GitHub:**
+```bash
+git add .
+git commit -m "Add security demo scenarios"
+git push origin security-for-beginners
+```
+2. **Enable Advanced Security features:**
+   - Go to repository Settings → Security & analysis
+   - Enable Dependency graph
+   - Enable Dependabot alerts
+   - Enable Dependabot security updates
+   - Enable Secret scanning
+   - Enable Code scanning (CodeQL analysis)
+
+3. **View security alerts:**
+   - Navigate to Security tab
+   - Check "Code scanning" for CodeQL alerts
+   - Check "Secret scanning" for exposed credentials
+   - Check "Dependabot" for vulnerable dependencies
+
+## 🛡️ Remediation Examples
+
+### Fix Secret Scanning Issues:
+1. Remove hardcoded secrets from code
+2. Use environment variables properly
+3. Add `.env` to `.gitignore`
+4. Rotate exposed credentials
+5. Use GitHub Secrets for CI/CD
+
+### Fix Dependabot Issues:
+1. Review Dependabot PRs
+2. Test updated dependencies
+3. Merge security updates
+4. Configure Dependabot settings
+
+### Fix CodeQL Issues:
+1. **Command Injection:** Use parameterized commands or allowlists
+2. **SQL Injection:** Use prepared statements/parameterized queries
+3. **Path Traversal:** Validate and sanitize file paths
+4. **XSS:** Sanitize user input, use React's built-in escaping
+
+## 📚 Educational Resources
+
+- [GitHub Advanced Security Documentation](https://docs.github.com/en/code-security)
+- [CodeQL Documentation](https://codeql.github.com/docs/)
+- [Secret Scanning Patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns)
+- [Dependabot Documentation](https://docs.github.com/en/code-security/dependabot)
+
+## 🎓 Learning Objectives
+
+After working through this demo, you should understand:
+1. How GitHub automatically detects security vulnerabilities
+2. The difference between Secret Scanning, Dependabot, and CodeQL
+3. How to interpret and remediate security alerts
+4. Best practices for secure coding
+5. How to configure security policies for your repositories
+
+---
+
+**Remember:** This repository is for educational purposes only. Never deploy vulnerable code to production!

config.js

@@ -0,0 +1,23 @@
+// WARNING: This config file contains hardcoded secrets for demo purposes
+// DO NOT USE IN PRODUCTION
+
+const config = {
+  stripe: {
+    // Hardcoded Stripe secret key (vulnerability for Secret Scanning demo)
+    secretKey: 'sk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0',
+    publishableKey: 'pk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0'
+  },
+  
+  database: {
+    // Hardcoded database password (vulnerability for Secret Scanning demo)
+    connectionString: 'postgresql://dbuser:P@ssw0rd123!@localhost:5432/portfolio'
+  },
+  
+  api: {
+    // Hardcoded API key (vulnerability for Secret Scanning demo)
+    key: 'AIzaSyD-1234567890abcdefghijklmnopqrstuv',
+    endpoint: 'https://api.example.com'
+  }
+};
+
+module.exports = config;

lib/db.js

@@ -0,0 +1,53 @@
+// WARNING: VULNERABLE CODE - SQL Injection Demo
+// DO NOT USE IN PRODUCTION
+// This module demonstrates SQL injection vulnerabilities for CodeQL detection
+
+import { createConnection } from 'mysql2/promise';
+
+// Mock database connection for demo purposes
+const dbConfig = {
+  host: 'localhost',
+  user: 'root',
+  password: 'password',
+  database: 'gitfolio'
+};
+
+// VULNERABILITY: SQL Injection - Direct string concatenation
+export async function getUserByName(username) {
+  const connection = await createConnection(dbConfig);
+  
+  // User input concatenated directly into SQL query
+  // An attacker could use input like: "admin' OR '1'='1"
+  const query = `SELECT * FROM users WHERE username = '${username}'`;
+  
+  const [rows] = await connection.execute(query);
+  await connection.end();
+  
+  return rows;
+}
+
+// VULNERABILITY: SQL Injection in search function
+export async function searchUsers(searchTerm) {
+  const connection = await createConnection(dbConfig);
+  
+  // Another example of SQL injection
+  const query = `SELECT id, username, email FROM users WHERE username LIKE '%${searchTerm}%' OR email LIKE '%${searchTerm}%'`;
+  
+  const [rows] = await connection.execute(query);
+  await connection.end();
+  
+  return rows;
+}
+
+// VULNERABILITY: SQL Injection in delete operation
+export async function deleteUser(userId) {
+  const connection = await createConnection(dbConfig);
+  
+  // Direct concatenation in DELETE statement
+  const query = `DELETE FROM users WHERE id = ${userId}`;
+  
+  await connection.execute(query);
+  await connection.end();
+  
+  return { success: true };
+}

next.config.js

@@ -0,0 +1,7 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  reactStrictMode: true,
+  swcMinify: true,
+}
+
+module.exports = nextConfig

package.json

@@ -0,0 +1,23 @@
+{
+  "name": "gitfolio",
+  "version": "1.0.0",
+  "description": "Minimal and modern developer portfolio template built with Next.js and Tailwind CSS",
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "next": "12.0.0",
+    "react": "17.0.2",
+    "react-dom": "17.0.2",
+    "axios": "0.21.1",
+    "lodash": "4.17.19",
+    "express": "4.17.1"
+  },
+  "devDependencies": {
+    "eslint": "8.0.0",
+    "eslint-config-next": "12.0.0"
+  }
+}

pages/_app.js

@@ -0,0 +1,7 @@
+import '../styles/globals.css'
+
+function MyApp({ Component, pageProps }) {
+  return <Component {...pageProps} />
+}
+
+export default MyApp

pages/api/display-message.js

@@ -0,0 +1,30 @@
+// WARNING: VULNERABLE CODE - XSS (Cross-Site Scripting) Demo
+// DO NOT USE IN PRODUCTION
+// This API endpoint demonstrates XSS vulnerabilities for CodeQL detection
+
+export default function handler(req, res) {
+  const { message } = req.query;
+  
+  if (!message) {
+    return res.status(400).json({ error: 'Message is required' });
+  }
+
+  // VULNERABILITY: Reflected XSS
+  // User input is directly embedded into HTML response without sanitization
+  // An attacker could inject: "<script>alert('XSS')</script>"
+  const html = `
+    <!DOCTYPE html>
+    <html>
+      <head>
+        <title>Message Display</title>
+      </head>
+      <body>
+        <h1>Your Message:</h1>
+        <div>${message}</div>
+      </body>
+    </html>
+  `;
+
+  res.setHeader('Content-Type', 'text/html');
+  res.status(200).send(html);
+}