Add DevSecOps page with security news and examples; update project dependencies

CalinL · CalinL · commit c577d5fbc01b · 2025-05-12T14:49:35.000Z
diff --git a/src/webapp01/Pages/DevSecOps.cshtml b/src/webapp01/Pages/DevSecOps.cshtml
@@ -0,0 +1,19 @@
+@page
+@model webapp01.Pages.DevSecOpsModel
+@{
+    ViewData["Title"] = "DevSecOps";
+}
+
+<h2>DevSecOps & GitHub Advanced Security News</h2>
+<div>
+    <ul>
+        <li><strong>May 2025:</strong> GitHub Advanced Security now supports secret scanning for custom patterns.</li>
+        <li><strong>April 2025:</strong> Code scanning with CodeQL adds new C# queries for insecure deserialization.</li>
+        <li><strong>March 2025:</strong> Push protection for credentials is now enabled by default for all repos.</li>
+    </ul>
+</div>
+<p>Below is a demonstration of insecure C# code for educational purposes only.</p>
+<pre>
+@Model.InsecureLogExample
+@Model.InsecureRegexExample
+</pre>
diff --git a/src/webapp01/Pages/DevSecOps.cshtml.cs b/src/webapp01/Pages/DevSecOps.cshtml.cs
@@ -0,0 +1,36 @@
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Logging;
+using System.Text.RegularExpressions;
+
+namespace webapp01.Pages
+{
+    public class DevSecOpsModel : PageModel
+    {
+        private readonly ILogger<DevSecOpsModel> _logger;
+        public string InsecureLogExample { get; private set; }
+        public string InsecureRegexExample { get; private set; }
+
+        public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
+        {
+            _logger = logger;
+        }
+
+        public void OnGet()
+        {
+            // Insecure log forging example
+            string userInput = "attacker\nInjectedLogEntry";
+            _logger.LogInformation("User input: {UserInput}", userInput);
+            InsecureLogExample = $"_logger.LogInformation(\"User input: {{UserInput}}\", \"{userInput}\");";
+
+            // Insecure regex example (ReDoS)
+            string evilInput = new string('a', 10000) + "!";
+            string pattern = "(a+)+!";
+            try
+            {
+                Regex.Match(evilInput, pattern);
+                InsecureRegexExample = $"Regex.Match(evilInput, \"{pattern}\"); // Potential ReDoS";
+            }
+            catch { }
+        }
+    }
+}
diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml
@@ -9,5 +9,6 @@
         <h5 class="card-title">.NET 💜 Azure v4</h5>
         <p class="card-text">Learn about <a href="https://learn.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
         <p class="card-text">Visit our <a asp-page="/About">About GHAS</a> page to learn about GitHub Advanced Security features.</p>
+        <p class="card-text">Check out the <a asp-page="/DevSecOps">DevSecOps</a> page for the latest security news and a demo.</p>
     </div>
 </div>
diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj
@@ -11,9 +11,10 @@
 
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.13.2" />
-    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.2" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.0.2" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
-    <PackageReference Include="System.Text.Json" Version="9.0.4" />
+    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
+    <PackageReference Include="System.Text.Json" Version="8.0.4" />
   </ItemGroup>
 
 </Project>
