using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;
using System.Text.RegularExpressions;
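namespace webapp01.Pages
{
    /// <summary>
    /// Page model that runs two deliberately insecure snippets (log forging and a
    /// regex with nested quantifiers) and exposes their source text for display.
    /// </summary>
    /// <remarks>
    /// Both inputs are hard-coded in <see cref="OnGet"/>; nothing is read from the request.
    /// </remarks>
    public class DevSecOpsModel : PageModel
    {
        private readonly ILogger<DevSecOpsModel> _logger;

        /// <summary>Source text of the log-forging example, filled in by <see cref="OnGet"/>.</summary>
        public string InsecureLogExample { get; private set; } = string.Empty;

        /// <summary>Source text of the regex example, filled in by <see cref="OnGet"/>.</summary>
        public string InsecureRegexExample { get; private set; } = string.Empty;

        /// <summary>Creates the page model.</summary>
        /// <param name="logger">Logger that receives the demonstration log entry.</param>
        public DevSecOpsModel(ILogger<DevSecOpsModel> logger)
        {
            _logger = logger;
        }

        /// <summary>
        /// Handles GET: writes the demonstration log entry, evaluates the demonstration
        /// regex under a match timeout, and sets both example strings.
        /// </summary>
        public void OnGet()
        {
            // Insecure log forging example.
            // The value is a constant that contains a line feed. A sink that writes the
            // value verbatim would show the text after the line feed as a separate line,
            // so real request data should have CR/LF removed or encoded before logging.
            string userInput = "attacker\nInjectedLogEntry";
            _logger.LogInformation("User input: {UserInput}", userInput);
            InsecureLogExample = $"_logger.LogInformation(\"User input: {{UserInput}}\", \"{userInput}\");";

            // Insecure regex example (ReDoS).
            // "(a+)+!" nests one quantifier inside another. This particular input ends in
            // '!' and therefore matches; the nested quantifier remains the construct to avoid.
            string evilInput = new string('a', 10000) + "!";
            string pattern = "(a+)+!";

            // The displayed text does not depend on the match result, so it is set even
            // when the evaluation below is cut short.
            InsecureRegexExample = $"Regex.Match(evilInput, \"{pattern}\"); // Potential ReDoS";

            try
            {
                // A match timeout bounds the time one request can spend in the regex engine.
                Regex.Match(evilInput, pattern, RegexOptions.None, System.TimeSpan.FromSeconds(1));
            }
            catch (RegexMatchTimeoutException ex)
            {
                // Previously every exception was swallowed silently; record the timeout instead.
                _logger.LogWarning(ex, "Demonstration regex exceeded its match timeout");
            }
        }
    }
}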