feat: Add DevSecOps-4088 demo page with GHAS vulnerability showcase#139

Draft

Copilot wants to merge 2 commits intomainfrom

copilot/featuredevsecops-demo-12345-another-one

Copilot AI commented Feb 10, 2026 •

edited

Loading

Adds new demo page demonstrating GitHub Advanced Security detection capabilities through intentional vulnerability injection.

Changes

New page: DevSecOps-4088.cshtml with latest GHAS news content and interactive vulnerability demonstrations
Backend: DevSecOps-4088.cshtml.cs with ILogger implementation and multiple vulnerability categories:
- Log forging (CWE-117): Unsanitized user input in log statements
- ReDoS patterns (CWE-1333): ^(a+)+b$ and nested quantifiers without timeout
- Hardcoded credentials (CWE-798): Database connection strings and API keys in constants
- SQL injection (CWE-89): String concatenation in query construction
- Insecure deserialization (CWE-502): TypeNameHandling.All with Newtonsoft.Json
Package downgrade: Newtonsoft.Json 13.0.1 → 12.0.2 to trigger NU1903 vulnerability warnings
Navigation: Added link from Index.cshtml to new demo page

Example Vulnerabilities

// Log forging - user input directly in logs
_logger.LogInformation($"User input test executed by: {username}");

// ReDoS - exponential time complexity without timeout
private static readonly Regex ExponentialRegex = new Regex(@"^(a+)+b$", RegexOptions.Compiled);

// SQL injection - string concatenation
string query = $"SELECT * FROM Users WHERE Username = '{searchTerm}'";

All vulnerabilities are clearly marked with // SECURITY VULNERABILITY: comments for educational purposes.

Original prompt

This section details on the original issue you should resolve

<issue_title>feat: DevSecOps (03)</issue_title>
<issue_description>- Use the gh-advsec-devsecops repository from the workspace

Create me a new unique branch name under feature/devsecops-demo-[randon-number]

Create a new DevSecOps-[random-number].cshtml page and reference it into the Index page.

Add some content to it with some latest news about GitHub Advanced Security.

Implemented the ILogger for the backend code of the page.

For demo purpose, generate some C# insecure code, like log forging or regex exposure

Add package System.Text.Json --version 8.0.4

Add package Microsoft.Data.SqlClient --version 5.0.2

Add package newtonsoft.json --version 12.0.2

Build the webapp to make sure there are not build errors.

Prepare for committing the changes.</issue_description>

<agent_instructions>Implement this feature</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes feat: DevSecOps (03) #121

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.


          Initial plan

615abf7

Copilot AI assigned Copilot and CalinL

Copilot started work on behalf of CalinL

February 10, 2026 23:24


          feat: Add DevSecOps-4088 demo page with GHAS vulnerabilities and upda…

30ae494

…ted packages

Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add DevSecOps demo page with GitHub Advanced Security news~~ feat: Add DevSecOps-4088 demo page with GHAS vulnerability showcase

Copilot AI requested a review from CalinL

February 10, 2026 23:30

Copilot finished work on behalf of CalinL

February 10, 2026 23:30

github-code-quality bot found potential problems

View reviewed changes

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                              _logger.LogInformation($"Regex evaluation completed in {duration}ms for pattern: {pattern}");
+                              TempData["DemoMessage"] = $"Pattern '{pattern}' evaluated. Match: {matchResult}. Duration: {duration}ms";
+                          }
+                          catch (RegexMatchTimeoutException ex)

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                              _logger.LogInformation($"Serialized {LatestNews.Count} news items using Newtonsoft.Json");
+                              // Deserialize back (potential vulnerability with untrusted input)
+                              var deserializedNews = JsonConvert.DeserializeObject<List<string>>(jsonData);

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                                  TypeNameHandling = TypeNameHandling.All
+                              };
+                              string vulnerable = JsonConvert.SerializeObject(sampleData, settings);

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                          catch (Exception ex)
+                          {
+                              // SECURITY VULNERABILITY: Logging full exception with potentially sensitive data
+                              _logger.LogError($"JSON processing failed: {ex.ToString()}");

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                          catch (Exception ex)
+                          {
+                              // SECURITY VULNERABILITY: Logging full exception
+                              _logger.LogError($"Regex test failed: {ex.ToString()}");

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                          }
+                          catch (Exception ex)
+                          {
+                              _logger.LogError($"Search operation failed: {ex.ToString()}");

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

+                          // SECURITY VULNERABILITY: Log forging - user input directly in logs without sanitization
+                          string userAgent = Request.Headers["User-Agent"].ToString();
+                          string ipAddress = Request.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+                          string userName = Request.Query.ContainsKey("user") ? Request.Query["user"].ToString() ?? "guest" : "guest";

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

Comment on lines +75 to +79

+                          catch (Exception ex)
+                          {
+                              // SECURITY VULNERABILITY: Logging full exception with potentially sensitive data
+                              _logger.LogError($"JSON processing failed: {ex.ToString()}");
+                          }

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

Comment on lines +93 to +96

+                          catch (Exception ex)
+                          {
+                              _logger.LogError($"Database configuration error: {ex.Message}");
+                          }

src/webapp01/Pages/DevSecOps-4088.cshtml.cs

Comment on lines +118 to +121

+                          catch (Exception ex)
+                          {
+                              _logger.LogError($"Serialization demo failed: {ex.Message}");
+                          }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet