Add DevSecOps-4837 demo page with GHAS features and intentional vulnerabilities

Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>

Author: Copilot

src/webapp01/Pages/DevSecOps-4837.cshtml

@@ -0,0 +1,192 @@
+@page
+@model DevSecOps4837Model
+@{
+    ViewData["Title"] = "DevSecOps Demo 4837 - GitHub Advanced Security Features";
+}
+
+<div class="container">
+    <div class="row">
+        <div class="col-12">
+            <h1 class="display-4 text-primary">@ViewData["Title"]</h1>
+            <p class="lead">Explore the latest GitHub Advanced Security (GHAS) features and capabilities</p>
+            <hr />
+        </div>
+    </div>
+
+    <!-- Latest GHAS News Section -->
+    <div class="row">
+        <div class="col-lg-8">
+            <div class="card mb-4 shadow">
+                <div class="card-header bg-success text-white">
+                    <h3 class="card-title mb-0">
+                        <i class="bi bi-newspaper"></i> Latest GitHub Advanced Security News
+                    </h3>
+                </div>
+                <div class="card-body">
+                    @if (Model.GHASNews.Any())
+                    {
+                        <div class="list-group list-group-flush">
+                            @foreach (var newsItem in Model.GHASNews)
+                            {
+                                <div class="list-group-item">
+                                    <div class="d-flex w-100 justify-content-between">
+                                        <h5 class="mb-1">
+                                            <span class="badge bg-primary">GHAS</span> @newsItem.Title
+                                        </h5>
+                                        <small class="text-muted">@newsItem.Date.ToString("MMM dd, yyyy")</small>
+                                    </div>
+                                    <p class="mb-1">@newsItem.Description</p>
+                                </div>
+                            }
+                        </div>
+                    }
+                    else
+                    {
+                        <p class="text-muted">Loading latest GHAS news...</p>
+                    }
+                </div>
+            </div>
+
+            <!-- Security Features Overview -->
+            <div class="card mb-4 shadow">
+                <div class="card-header bg-dark text-white">
+                    <h3 class="card-title mb-0">
+                        <i class="bi bi-shield-lock"></i> Core GHAS Capabilities
+                    </h3>
+                </div>
+                <div class="card-body">
+                    <div class="accordion" id="ghasFeatures">
+                        <div class="accordion-item">
+                            <h2 class="accordion-header" id="headingOne">
+                                <button class="accordion-button" type="button" data-bs-toggle="collapse" data-bs-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
+                                    <strong>🔍 CodeQL Code Scanning</strong>
+                                </button>
+                            </h2>
+                            <div id="collapseOne" class="accordion-collapse collapse show" aria-labelledby="headingOne" data-bs-parent="#ghasFeatures">
+                                <div class="accordion-body">
+                                    Advanced semantic code analysis that identifies security vulnerabilities across 12+ languages including C#, Java, Python, JavaScript, and Go. CodeQL's deep program analysis goes beyond pattern matching to understand data flow and control flow.
+                                </div>
+                            </div>
+                        </div>
+                        <div class="accordion-item">
+                            <h2 class="accordion-header" id="headingTwo">
+                                <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#collapseTwo" aria-expanded="false" aria-controls="collapseTwo">
+                                    <strong>🔑 Secret Scanning</strong>
+                                </button>
+                            </h2>
+                            <div id="collapseTwo" class="accordion-collapse collapse" aria-labelledby="headingTwo" data-bs-parent="#ghasFeatures">
+                                <div class="accordion-body">
+                                    Automatically detects exposed credentials and tokens for over 200+ service providers. Partner with providers for automatic token revocation and integrates with push protection to prevent secrets from entering repositories.
+                                </div>
+                            </div>
+                        </div>
+                        <div class="accordion-item">
+                            <h2 class="accordion-header" id="headingThree">
+                                <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#collapseThree" aria-expanded="false" aria-controls="collapseThree">
+                                    <strong>📦 Dependency Review & Dependabot</strong>
+                                </button>
+                            </h2>
+                            <div id="collapseThree" class="accordion-collapse collapse" aria-labelledby="headingThree" data-bs-parent="#ghasFeatures">
+                                <div class="accordion-body">
+                                    Automated vulnerability detection in dependencies with pull request-level security impact analysis. Dependabot automatically creates PRs to update vulnerable dependencies with secure versions.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <!-- Sidebar with Security Demo -->
+        <div class="col-lg-4">
+            <div class="card mb-4 shadow border-warning">
+                <div class="card-header bg-warning text-dark">
+                    <h4 class="card-title mb-0">
+                        <i class="bi bi-exclamation-triangle-fill"></i> Security Demo Zone
+                    </h4>
+                </div>
+                <div class="card-body">
+                    <div class="alert alert-danger" role="alert">
+                        <strong>⚠️ Warning:</strong> This page contains intentionally vulnerable code for GHAS demonstration purposes.
+                    </div>
+                    
+                    <form method="post" asp-page-handler="ProcessInput">
+                        <div class="mb-3">
+                            <label for="userInput" class="form-label">Test Input (Log Forging Demo):</label>
+                            <input type="text" class="form-control" id="userInput" name="userInput" 
+                                   placeholder="Enter text to log">
+                            <small class="form-text text-muted">
+                                Input will be logged directly - vulnerable to log injection
+                            </small>
+                        </div>
+                        <button type="submit" class="btn btn-warning btn-sm w-100">
+                            <i class="bi bi-play-circle"></i> Submit Test
+                        </button>
+                    </form>
+
+                    <hr />
+
+                    <h6 class="text-danger">Detected Vulnerabilities:</h6>
+                    <ul class="small">
+                        <li>Log Forging/Injection</li>
+                        <li>ReDoS (Regular Expression DoS)</li>
+                        <li>Hardcoded Database Credentials</li>
+                        <li>SQL Injection Risk</li>
+                    </ul>
+                </div>
+            </div>
+
+            <!-- Resources Card -->
+            <div class="card shadow">
+                <div class="card-header bg-info text-white">
+                    <h5 class="card-title mb-0">
+                        <i class="bi bi-book"></i> Resources
+                    </h5>
+                </div>
+                <div class="card-body">
+                    <div class="d-grid gap-2">
+                        <a href="https://docs.github.com/en/code-security/code-scanning" class="btn btn-outline-primary btn-sm" target="_blank">
+                            Code Scanning Docs
+                        </a>
+                        <a href="https://codeql.github.com/" class="btn btn-outline-secondary btn-sm" target="_blank">
+                            CodeQL Documentation
+                        </a>
+                        <a href="https://github.com/security" class="btn btn-outline-success btn-sm" target="_blank">
+                            GitHub Security
+                        </a>
+                        <a asp-page="/Index" class="btn btn-outline-dark btn-sm">
+                            Back to Home
+                        </a>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Footer with Pro Tips -->
+    <div class="row mt-4">
+        <div class="col-12">
+            <div class="alert alert-info" role="alert">
+                <h5 class="alert-heading">
+                    <i class="bi bi-lightbulb-fill"></i> DevSecOps Best Practices
+                </h5>
+                <hr>
+                <ul class="mb-0">
+                    <li><strong>Shift Left:</strong> Integrate security scanning early in the development lifecycle</li>
+                    <li><strong>Automate:</strong> Use GitHub Actions to automate security scans on every commit and PR</li>
+                    <li><strong>Remediate:</strong> Address high-severity vulnerabilities immediately with Dependabot and CodeQL suggestions</li>
+                    <li><strong>Monitor:</strong> Use Security Overview dashboard for organization-wide security posture</li>
+                </ul>
+            </div>
+        </div>
+    </div>
+</div>
+
+@section Scripts {
+    <script>
+        // Auto-refresh timestamp display
+        document.addEventListener('DOMContentLoaded', function() {
+            console.log('DevSecOps Demo Page 4837 Loaded');
+        });
+    </script>
+}

src/webapp01/Pages/DevSecOps-4837.cshtml.cs

@@ -0,0 +1,177 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using Microsoft.Data.SqlClient;
+using Newtonsoft.Json;
+using System.Text.Json;
+
+namespace webapp01.Pages
+{
+    /// <summary>
+    /// DevSecOps Demo Page Model - Contains intentional security vulnerabilities for GHAS demonstration
+    /// WARNING: This code is intentionally insecure for educational purposes only
+    /// </summary>
+    public class DevSecOps4837Model : PageModel
+    {
+        private readonly ILogger<DevSecOps4837Model> _logger;
+
+        // SECURITY ISSUE: Hardcoded database credentials - will be detected by GHAS Secret Scanning
+        private const string DB_CONNECTION_STRING = "Server=demo-sql.database.windows.net;Database=GHASDemo;User Id=demoadmin;Password=P@ssw0rd123!;";
+        
+        // SECURITY ISSUE: Vulnerable regex pattern susceptible to ReDoS (Regular Expression Denial of Service)
+        // This pattern has nested quantifiers which can cause exponential backtracking
+        private static readonly Regex VulnerableEmailRegex = new Regex(@"^([a-zA-Z0-9]+)*@([a-zA-Z0-9]+)*\.com$", RegexOptions.Compiled);
+
+        public DevSecOps4837Model(ILogger<DevSecOps4837Model> logger)
+        {
+            _logger = logger;
+            _logger.LogInformation("DevSecOps4837Model initialized");
+        }
+
+        public List<GHASNewsItem> GHASNews { get; set; } = new List<GHASNewsItem>();
+
+        public void OnGet()
+        {
+            // SECURITY ISSUE: Log Forging - Unsanitized user input directly in log statements
+            string userName = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous";
+            _logger.LogInformation($"User {userName} accessed DevSecOps-4837 page");
+
+            // SECURITY ISSUE: Another log forging example with query parameter
+            string action = Request.Query.ContainsKey("action") ? Request.Query["action"].ToString() ?? "view" : "view";
+            _logger.LogInformation($"Action performed: {action} by user {userName}");
+
+            // Load GHAS news with intentional vulnerabilities
+            LoadGHASNews();
+
+            // Demonstrate regex vulnerability
+            DemonstrateRegexVulnerability();
+
+            // Demonstrate SQL injection risk
+            DemonstrateSQLRisk();
+        }
+
+        private void LoadGHASNews()
+        {
+            _logger.LogInformation("Loading latest GitHub Advanced Security news");
+
+            GHASNews = new List<GHASNewsItem>
+            {
+                new GHASNewsItem
+                {
+                    Title = "CodeQL 2.20 Released with Enhanced Security Analysis",
+                    Description = "New CodeQL version includes improved support for C#, Java, and JavaScript with 50+ new security queries for OWASP Top 10 vulnerabilities.",
+                    Date = DateTime.Now.AddDays(-2)
+                },
+                new GHASNewsItem
+                {
+                    Title = "Secret Scanning Push Protection Now GA",
+                    Description = "Push protection prevents developers from accidentally committing secrets to repositories, with support for 200+ token patterns.",
+                    Date = DateTime.Now.AddDays(-5)
+                },
+                new GHASNewsItem
+                {
+                    Title = "Dependabot Security Updates Enhanced",
+                    Description = "Automated dependency updates now include intelligent PR grouping and compatibility scoring to reduce alert fatigue.",
+                    Date = DateTime.Now.AddDays(-7)
+                },
+                new GHASNewsItem
+                {
+                    Title = "AI-Powered Security Fix Suggestions",
+                    Description = "GitHub Copilot for Security now provides context-aware fix suggestions for code scanning alerts with one-click remediation.",
+                    Date = DateTime.Now.AddDays(-10)
+                },
+                new GHASNewsItem
+                {
+                    Title = "Custom CodeQL Query Suites",
+                    Description = "Organizations can now create and share custom CodeQL query suites across repositories for industry-specific compliance requirements.",
+                    Date = DateTime.Now.AddDays(-14)
+                },
+                new GHASNewsItem
+                {
+                    Title = "Security Overview Dashboard Updates",
+                    Description = "New metrics and visualizations for tracking security posture across enterprise organizations with improved filtering and export capabilities.",
+                    Date = DateTime.Now.AddDays(-18)
+                }
+            };
+
+            // SECURITY ISSUE: Unnecessary JSON serialization/deserialization that could introduce vulnerabilities
+            string jsonData = JsonConvert.SerializeObject(GHASNews);
+            var tempData = JsonConvert.DeserializeObject<List<GHASNewsItem>>(jsonData);
+            
+            _logger.LogInformation($"Loaded {GHASNews.Count} GHAS news items");
+        }
+
+        private void DemonstrateRegexVulnerability()
+        {
+            // SECURITY ISSUE: Testing vulnerable regex pattern that could cause ReDoS
+            string testEmail = Request.Query.ContainsKey("email") ? Request.Query["email"].ToString() ?? "test@example.com" : "test@example.com";
+            
+            try
+            {
+                // This vulnerable regex can cause exponential backtracking with inputs like "aaaaaaaaaaaaaaaaaaaaaaaaa@aaaaaaaaaaaaaaa"
+                bool isValidEmail = VulnerableEmailRegex.IsMatch(testEmail);
+                _logger.LogInformation($"Email validation result for {testEmail}: {isValidEmail}");
+            }
+            catch (Exception ex)
+            {
+                // SECURITY ISSUE: Logging full exception details which might contain sensitive information
+                _logger.LogError($"Regex validation failed for email: {testEmail}. Exception: {ex}");
+            }
+        }
+
+        private void DemonstrateSQLRisk()
+        {
+            // SECURITY ISSUE: Using hardcoded connection string
+            try
+            {
+                using var connection = new SqlConnection(DB_CONNECTION_STRING);
+                _logger.LogInformation("Database connection configured with demo credentials");
+                
+                // SECURITY ISSUE: Potential SQL injection if this were to accept user input
+                string userId = Request.Query.ContainsKey("userId") ? Request.Query["userId"].ToString() ?? "1" : "1";
+                string unsafeQuery = $"SELECT * FROM Users WHERE UserId = {userId}"; // SQL INJECTION RISK
+                
+                // Log the unsafe query (for demonstration - not actually executing)
+                _logger.LogWarning($"Unsafe SQL query constructed: {unsafeQuery}");
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError($"Database operation failed: {ex.Message}");
+            }
+        }
+
+        public IActionResult OnPostProcessInput(string userInput)
+        {
+            if (string.IsNullOrEmpty(userInput))
+            {
+                _logger.LogWarning("Empty input received in ProcessInput handler");
+                return Page();
+            }
+
+            // SECURITY ISSUE: Log Forging - User input directly in logs without sanitization
+            _logger.LogInformation($"Processing user input: {userInput}");
+            
+            // SECURITY ISSUE: User input could contain newlines or control characters
+            _logger.LogInformation($"Input length: {userInput.Length}, Content: {userInput}");
+
+            // Demonstrate potential command injection risk (not actually executing)
+            if (userInput.Contains(";") || userInput.Contains("|"))
+            {
+                _logger.LogWarning($"Suspicious input detected with special characters: {userInput}");
+            }
+
+            TempData["Message"] = $"Input processed: {userInput}";
+            return RedirectToPage();
+        }
+    }
+
+    /// <summary>
+    /// Model for GHAS news items
+    /// </summary>
+    public class GHASNewsItem
+    {
+        public string Title { get; set; } = string.Empty;
+        public string Description { get; set; } = string.Empty;
+        public DateTime Date { get; set; }
+    }
+}

src/webapp01/Pages/Index.cshtml

@@ -13,5 +13,9 @@
             <strong>New!</strong> Check out our <a asp-page="/DevSecOps" class="btn btn-primary btn-sm">DevSecOps Demo</a> 
             page to see the latest GHAS features and security demonstrations.
         </p>
+        <p class="card-text">
+            <strong>Latest!</strong> View our newest <a asp-page="/DevSecOps-4837" class="btn btn-success btn-sm">DevSecOps Demo 4837</a> 
+            with the most recent GitHub Advanced Security updates and features.
+        </p>
     </div>
 </div>

src/webapp01/webapp01.csproj

@@ -13,7 +13,7 @@
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
     <PackageReference Include="System.Text.Json" Version="8.0.4" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
   </ItemGroup>
 
 </Project>