Add DevSecOps-10309 demo page with intentional vulnerabilities for GHAS scanning#143

Draft

Copilot wants to merge 2 commits intomainfrom

copilot/featuredevsecops-demo-12345-yet-again

Copilot AI commented Feb 12, 2026 •

edited

Loading

New demo page showcasing GitHub Advanced Security capabilities through intentional security vulnerabilities and 2026 GHAS feature updates.

New Files

DevSecOps-10309.cshtml - Razor page with GHAS news, interactive vulnerability demos (ReDoS, SQL injection testing)
DevSecOps-10309.cshtml.cs - Code-behind with ILogger and intentional security flaws

Intentional Vulnerabilities

Implements patterns that GHAS code scanning should detect:

// Log forging - unsanitized user input
_logger.LogInformation($"User accessed page: {userInput}");

// ReDoS - nested quantifiers
private static readonly Regex VulnerableRegex = new Regex(@"^(a+)+$");

// SQL injection - string concatenation
string query = "SELECT * FROM Users WHERE UserId = " + userId;

// Hardcoded credentials
private const string CONNECTION_STRING = "Server=prod-sql;User Id=sa;Password=P@ssw0rd123!;";

// Insecure deserialization
JsonConvert.DeserializeObject<List<string>>(jsonData, new JsonSerializerSettings {
    TypeNameHandling = TypeNameHandling.Auto
});

Package Changes

Downgraded to vulnerable versions for demonstration:

Newtonsoft.Json: 13.0.1 → 12.0.2 (GHSA-5crp-9r3c-p9vr)
System.Text.Json: 8.0.4 (GHSA-8g4q-xg66-9fp4)
Microsoft.Data.SqlClient: 5.0.2 (GHSA-98g6-xh36-x2p7)

UI Updates

Added navigation link in Index.cshtml to new demo page.

Original prompt

This section details on the original issue you should resolve

<issue_title>feat: DevSecOps (04)</issue_title>
<issue_description>- Use the gh-advsec-devsecops repository from the workspace

Create me a new unique branch name under feature/devsecops-demo-[randon-number]

Create a new DevSecOps-[random-number].cshtml page and reference it into the Index page.

Add some content to it with some latest news about GitHub Advanced Security.

Implemented the ILogger for the backend code of the page.

For demo purpose, generate some C# insecure code, like log forging or regex exposure

Add package System.Text.Json --version 8.0.4

Add package Microsoft.Data.SqlClient --version 5.0.2

Add package newtonsoft.json --version 12.0.2

Build the webapp to make sure there are not build errors.

Prepare for committing the changes.</issue_description>

<agent_instructions>implement this</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes feat: DevSecOps (04) #122

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.


          Initial plan

3f15da6

Copilot AI assigned Copilot and CalinL

Copilot started work on behalf of CalinL

February 12, 2026 21:32


          feat: Add DevSecOps-10309 demo page with GHAS vulnerabilities and upd…

e8273a2

…ate packages

Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add DevSecOps page with news and logging issues~~ Add DevSecOps-10309 demo page with intentional vulnerabilities for GHAS scanning

Copilot AI requested a review from CalinL

February 12, 2026 21:37

Copilot finished work on behalf of CalinL

February 12, 2026 21:37

github-code-quality bot found potential problems

View reviewed changes

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

Comment on lines +100 to +103

+                          var deserializedData = JsonConvert.DeserializeObject<List<string>>(jsonData, new JsonSerializerSettings
+                          {
+                              TypeNameHandling = TypeNameHandling.Auto // VULNERABILITY: Insecure setting
+                          });

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

+                      public void OnGet()
+                      {
+                          // VULNERABILITY: Log forging - user input directly in logs without sanitization
+                          string userInput = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "anonymous" : "anonymous";

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

+                          LoadLatestGHASNews();
+                          // Demonstrate ReDoS vulnerability
+                          string testPattern = Request.Query.ContainsKey("pattern") ? Request.Query["pattern"].ToString() ?? "aaa" : "aaa";

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

Comment on lines +54 to +58

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging full exception details including stack trace
+                              _logger.LogError($"Regex evaluation failed for pattern: {testPattern}. Error: {ex.ToString()}");
+                          }

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

Comment on lines +67 to +70

+                          catch (Exception ex)
+                          {
+                              _logger.LogError($"Database connection failed: {ex.Message}");
+                          }

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

Comment on lines +132 to +137

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging sensitive information and full stack trace
+                              _logger.LogError($"Regex test failed for pattern: {pattern}. Exception: {ex.ToString()}");
+                              TempData["RegexError"] = "Pattern evaluation failed - potential ReDoS attack detected";
+                          }

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

Comment on lines +170 to +175

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging detailed error information
+                              _logger.LogError($"SQL execution failed for userId: {userId}. Error: {ex.ToString()}");
+                              TempData["RegexError"] = "SQL query failed";
+                          }

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging full exception details including stack trace
+                              _logger.LogError($"Regex evaluation failed for pattern: {testPattern}. Error: {ex.ToString()}");

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging sensitive information and full stack trace
+                              _logger.LogError($"Regex test failed for pattern: {pattern}. Exception: {ex.ToString()}");

src/webapp01/Pages/DevSecOps-10309.cshtml.cs

+                          catch (Exception ex)
+                          {
+                              // VULNERABILITY: Logging detailed error information
+                              _logger.LogError($"SQL execution failed for userId: {userId}. Error: {ex.ToString()}");

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet