Skip to content

Demo-Code02 - Add demo files with intentional security vulnerabilities for GitHub A… #138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
CalinL wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Demo-Code02 - Add demo files with intentional security vulnerabilities for GitHub A… #138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions devsecops-demo/Dockerfile-01
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
FROM alpine:3.14.0
RUN echo "testuser:x:10999:10999:,,,:/home/testuser:/bin/bash" >> /etc/passwd && echo "testuser::18761:0:99999:7:::" >> /etc/shadow
129 changes: 129 additions & 0 deletions devsecops-demo/Pipfile.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

189 changes: 189 additions & 0 deletions devsecops-demo/example-02.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,189 @@
resource "azurerm_resource_group" "myresourcegroup" {
name = "${var.prefix}-workshop"
location = var.location

tags = {
environment = "Production"
}
}

resource "azurerm_virtual_network" "vnet" {
name = "${var.prefix}-vnet"
location = azurerm_resource_group.myresourcegroup.location
address_space = [var.address_space]
resource_group_name = azurerm_resource_group.myresourcegroup.name
}

resource "azurerm_subnet" "subnet" {
name = "${var.prefix}-subnet"
virtual_network_name = azurerm_virtual_network.vnet.name
resource_group_name = azurerm_resource_group.myresourcegroup.name
address_prefixes = [var.subnet_prefix]
}

resource "azurerm_network_security_group" "catapp-sg" {
name = "${var.prefix}-sg"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name

security_rule {
name = "HTTP"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
}

security_rule {
name = "HTTPS"
priority = 102
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}

security_rule {
name = "SSH"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

Check failure

Code scanning / checkov

Ensure that SSH access is restricted from the internet Error

Ensure that SSH access is restricted from the internet

Check failure

Code scanning / checkov

Ensure that HTTP (port 80) access is restricted from the internet Error

Ensure that HTTP (port 80) access is restricted from the internet
Comment on lines +24 to +64

Check failure

Code scanning / defsec

An inbound network security rule allows traffic from /0. Error

Security group rule allows ingress from public internet.
Comment on lines +24 to +64

Check failure

Code scanning / defsec

An inbound network security rule allows traffic from /0. Error

Security group rule allows ingress from public internet.
Comment on lines +24 to +64

Check failure

Code scanning / defsec

An inbound network security rule allows traffic from /0. Error

Security group rule allows ingress from public internet.
Comment on lines +24 to +64

Check failure

Code scanning / defsec

SSH access should not be accessible from the Internet, should be blocked on port 22 Error

Security group rule allows ingress to SSH port from multiple public internet addresses.

resource "azurerm_network_interface" "catapp-nic" {
name = "${var.prefix}-catapp-nic"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name

ip_configuration {
name = "${var.prefix}ipconfig"
subnet_id = azurerm_subnet.subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.catapp-pip.id
}
}

Check notice

Code scanning / checkov

Ensure that Network Interfaces don't use public IPs Note

Ensure that Network Interfaces don't use public IPs

resource "azurerm_network_interface_security_group_association" "catapp-nic-sg-ass" {
network_interface_id = azurerm_network_interface.catapp-nic.id
network_security_group_id = azurerm_network_security_group.catapp-sg.id
}

resource "azurerm_public_ip" "catapp-pip" {
name = "${var.prefix}-ip"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name
allocation_method = "Dynamic"
domain_name_label = "${var.prefix}-meow"
}

resource "azurerm_virtual_machine" "catapp" {
name = "${var.prefix}-meow"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name
vm_size = var.vm_size

network_interface_ids = [azurerm_network_interface.catapp-nic.id]
delete_os_disk_on_termination = "true"

storage_image_reference {
publisher = var.image_publisher
offer = var.image_offer
sku = var.image_sku
version = var.image_version
}

storage_os_disk {
name = "${var.prefix}-osdisk"
managed_disk_type = "Standard_LRS"
caching = "ReadWrite"
create_option = "FromImage"
}

os_profile {
computer_name = var.prefix
admin_username = var.admin_username
admin_password = var.admin_password
}

os_profile_linux_config {
disable_password_authentication = false
}

tags = {}

# Added to allow destroy to work correctly.
depends_on = [azurerm_network_interface_security_group_association.catapp-nic-sg-ass]
}

Check notice

Code scanning / checkov

Ensure that virtual machines are backed up using Azure Backup Note

Ensure that virtual machines are backed up using Azure Backup

Check notice

Code scanning / checkov

Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines Note

Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines

Check notice

Code scanning / checkov

Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) Note

Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)
Comment on lines +92 to +129

Check failure

Code scanning / defsec

Password authentication should be disabled on Azure virtual machines Error

Linux virtual machine allows password authentication.

# We're using a little trick here so we can run the provisioner without
# destroying the VM. Do not do this in production.

# If you need ongoing management (Day N) of your virtual machines a tool such
# as Chef or Puppet is a better choice. These tools track the state of
# individual files and can keep them in the correct configuration.

# Here we do the following steps:
# Sync everything in files/ to the remote VM.
# Set up some environment variables for our script.
# Add execute permissions to our scripts.
# Run the deploy_app.sh script.
resource "null_resource" "configure-cat-app" {
depends_on = [
azurerm_virtual_machine.catapp,
]

# Terraform 0.11
# triggers {
# build_number = "${timestamp()}"
# }

# Terraform 0.12
triggers = {
build_number = timestamp()
}

provisioner "file" {
source = "files/"
destination = "/home/${var.admin_username}/"

connection {
type = "ssh"
user = var.admin_username
password = var.admin_password
host = azurerm_public_ip.catapp-pip.fqdn
}
}

provisioner "remote-exec" {
inline = [
"sudo apt -y update",
"sleep 15",
"sudo apt -y update",
"sudo apt -y install apache2",
"sudo systemctl start apache2",
"sudo chown -R ${var.admin_username}:${var.admin_username} /var/www/html",
"chmod +x *.sh",
"PLACEHOLDER=${var.placeholder} WIDTH=${var.width} HEIGHT=${var.height} PREFIX=${var.prefix} ./deploy_app.sh",
]

connection {
type = "ssh"
user = var.admin_username
password = var.admin_password
host = azurerm_public_ip.catapp-pip.fqdn
}
}
}
2 changes: 2 additions & 0 deletions devsecops-demo/insecure-01.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
let injection = "Hello, security vulnerabilities!";
eval(`console.log(\"${injection}\");`);
26 changes: 26 additions & 0 deletions devsecops-demo/insecure-01.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#Commented out sample to pass scanning

import hashlib
print("I am very insecure. Bandit thinks so too.")
#B110
xs=[1,2,3,4,5,6,7,8]
try:
print(xs[7])
print(xs[8])
except: pass

Check notice

Code scanning / CodeQL

Except block handles 'BaseException' Note

Except block directly handles BaseException.

Copilot Autofix

AI 3 days ago

In general, the fix is to stop catching BaseException via a bare except: and instead catch only the specific exception types that are expected, or at least Exception, so that KeyboardInterrupt and SystemExit can still propagate. When ignoring errors, it is still better to be explicit about which kinds of problems you are discarding.

For the block at lines 7–10, the only plausible runtime error is an IndexError from accessing xs[7] or xs[8]. If we want to preserve the behavior “ignore out-of-range index errors,” we can change except: to except IndexError:. That will no longer swallow KeyboardInterrupt or SystemExit, but will still ignore the indexing error exactly as before. No additional imports or helper functions are needed; IndexError is a built-in exception. The other bare except: on line 16 is not the one CodeQL highlighted in the prompt, and per instructions we only change the snippet directly associated with the reported issue, so we leave it unchanged.

Concretely, in devsecops-demo/insecure-01.py, replace line 10:

10: except: pass

with:

10: except IndexError: pass

leaving the rest of the file intact.

Suggested changeset 1
devsecops-demo/insecure-01.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/devsecops-demo/insecure-01.py b/devsecops-demo/insecure-01.py
--- a/devsecops-demo/insecure-01.py
+++ b/devsecops-demo/insecure-01.py
@@ -7,7 +7,7 @@
 try:
     print(xs[7])
     print(xs[8])
-except: pass
+except IndexError: pass
 
 ys=[1, 2, None, None]
 for y in ys:
EOF
@@ -7,7 +7,7 @@
try:
print(xs[7])
print(xs[8])
except: pass
except IndexError: pass

ys=[1, 2, None, None]
for y in ys:
Copilot is powered by AI and may make mistakes. Always verify output.

Check notice

Code scanning / CodeQL

Empty except Note

'except' clause does nothing but pass and there is no explanatory comment.

Copilot Autofix

AI 3 days ago

In general, to fix an empty except block you should either (1) remove the try/except entirely if you don’t need it, (2) catch only the specific exception types you expect, and/or (3) add real handling such as logging, cleanup, or re‑raising. You should avoid bare except: and avoid silently ignoring exceptions.

For this snippet, the minimal, behavior‑preserving fix is:

  • Replace the bare except: with an except IndexError as e: (the expected error from xs[8]).
  • Replace the pass with a small, explicit handling action that still keeps the program running but no longer silently hides the issue, e.g. printing an explanatory message that includes the exception text.

This keeps the program structure and visible side effects close to the original intent (demonstration code that continues after an out‑of‑range access) while satisfying the static analysis rule and improving debuggability. Only devsecops-demo/insecure-01.py needs edits, and no new imports or helper functions are required.

Suggested changeset 1
devsecops-demo/insecure-01.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/devsecops-demo/insecure-01.py b/devsecops-demo/insecure-01.py
--- a/devsecops-demo/insecure-01.py
+++ b/devsecops-demo/insecure-01.py
@@ -7,7 +7,8 @@
 try:
     print(xs[7])
     print(xs[8])
-except: pass
+except IndexError as e:
+    print(f"Index error while accessing xs: {e}")
 
 ys=[1, 2, None, None]
 for y in ys:
EOF
@@ -7,7 +7,8 @@
try:
print(xs[7])
print(xs[8])
except: pass
except IndexError as e:
print(f"Index error while accessing xs: {e}")

ys=[1, 2, None, None]
for y in ys:
Copilot is powered by AI and may make mistakes. Always verify output.

Check warning

Code scanning / Bandit

Try, Except, Pass detected. Warning

Try, Except, Pass detected.

ys=[1, 2, None, None]
for y in ys:
try:
print(str(y+3)) #TypeErrors ahead
except: continue #not how to handle them

Check notice

Code scanning / CodeQL

Except block handles 'BaseException' Note

Except block directly handles BaseException.

Copilot Autofix

AI 3 days ago

In general, this problem is fixed by never using a bare except: (which is equivalent to except BaseException:). Instead, catch specific exception types such as Exception or, even better, the concrete error you expect (here TypeError), and let KeyboardInterrupt/SystemExit propagate naturally.

In this particular snippet, the loop over ys is intentionally causing TypeError when adding 3 to None. The current behavior is: on any exception, skip to the next y. To preserve functionality while avoiding catching KeyboardInterrupt and SystemExit, we should change except: on line 16 to catch TypeError specifically (or at least Exception). That way, only the expected error from y + 3 is handled, and the loop still continues on those errors. No additional imports or helper methods are needed. The change is confined to devsecops-demo/insecure-01.py, lines 13–16, where we replace except: continue with except TypeError: continue.

Suggested changeset 1
devsecops-demo/insecure-01.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/devsecops-demo/insecure-01.py b/devsecops-demo/insecure-01.py
--- a/devsecops-demo/insecure-01.py
+++ b/devsecops-demo/insecure-01.py
@@ -13,7 +13,8 @@
 for y in ys:
     try:
         print(str(y+3)) #TypeErrors ahead
-    except: continue #not how to handle them
+    except TypeError:  # not how to handle them
+        continue
 
 #some imports
 import telnetlib
EOF
@@ -13,7 +13,8 @@
for y in ys:
try:
print(str(y+3)) #TypeErrors ahead
except: continue #not how to handle them
except TypeError: # not how to handle them
continue

#some imports
import telnetlib
Copilot is powered by AI and may make mistakes. Always verify output.

Check warning

Code scanning / Bandit

Try, Except, Continue detected. Warning

Try, Except, Continue detected.

#some imports
import telnetlib

Check notice

Code scanning / CodeQL

Unused import Note

Import of 'telnetlib' is not used.

Copilot Autofix

AI 3 days ago

To fix an unused import, the general approach is to remove the import statement for any module that is never referenced in the file. This eliminates unnecessary dependencies and slightly reduces load time and mental overhead.

In this file (devsecops-demo/insecure-01.py), the best fix is to delete the import telnetlib line at line 19, leaving the import ftplib line intact because we have not been asked to address it and it may be used or intentionally present for demonstration purposes. No additional methods, imports, or definitions are needed; we are only removing a redundant import.

Suggested changeset 1
devsecops-demo/insecure-01.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/devsecops-demo/insecure-01.py b/devsecops-demo/insecure-01.py
--- a/devsecops-demo/insecure-01.py
+++ b/devsecops-demo/insecure-01.py
@@ -16,7 +16,6 @@
     except: continue #not how to handle them
 
 #some imports
-import telnetlib
 import ftplib
 
 #B303 and B324
EOF
@@ -16,7 +16,6 @@
except: continue #not how to handle them

#some imports
import telnetlib
import ftplib

#B303 and B324
Copilot is powered by AI and may make mistakes. Always verify output.
import ftplib

Check notice

Code scanning / CodeQL

Unused import Note

Import of 'ftplib' is not used.

Copilot Autofix

AI 3 days ago

To fix the problem, remove the unused ftplib import so that all imports in the file correspond to code that is actually used. This reduces unnecessary dependencies and improves readability without affecting functionality, since ftplib is never referenced.

Concretely, in devsecops-demo/insecure-01.py, delete the line import ftplib at line 20, leaving the telnetlib and hashlib imports intact. No additional methods, imports, or definitions are required, as the rest of the code already runs without ftplib.

Suggested changeset 1
devsecops-demo/insecure-01.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/devsecops-demo/insecure-01.py b/devsecops-demo/insecure-01.py
--- a/devsecops-demo/insecure-01.py
+++ b/devsecops-demo/insecure-01.py
@@ -17,7 +17,6 @@
 
 #some imports
 import telnetlib
-import ftplib
 
 #B303 and B324
 s = b"I am a string"
EOF
@@ -17,7 +17,6 @@

#some imports
import telnetlib
import ftplib

#B303 and B324
s = b"I am a string"
Copilot is powered by AI and may make mistakes. Always verify output.

#B303 and B324
s = b"I am a string"
print("MD5: " +hashlib.md5(s).hexdigest())

Check warning

Code scanning / Bandit

Use of weak MD5 hash for security. Consider usedforsecurity=False Warning

Use of weak MD5 hash for security. Consider usedforsecurity=False
print("SHA1: " +hashlib.sha1(s).hexdigest())

Check warning

Code scanning / Bandit

Use of weak SHA1 hash for security. Consider usedforsecurity=False Warning

Use of weak SHA1 hash for security. Consider usedforsecurity=False
print("SHA256: " +hashlib.sha256(s).hexdigest())
Loading
Loading