
CodeQL Testing (Dont Merge🔥) #1508

Closed
wants to merge 13 commits into from
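--- a/Portal/src/Datahub.Portal/Controllers/PublicController.cs
+++ b/Portal/src/Datahub.Portal/Controllers/PublicController.cs
@@ -1,91 +1,94 @@
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-using Datahub.Core.Data;
-using Datahub.Core.Services.Api;
-using Datahub.Infrastructure.Services.Storage;
-
-namespace Datahub.Portal.Controllers;
-
-[Route("[controller]/[action]")]
-[AllowAnonymous]
-public class PublicController: Controller
-{
-private readonly DataRetrievalService dataRetrievalService;
-
-private ILogger<PublicController> _logger { get; set; }
-private IPublicDataFileService _pubFileService { get; set; }
-
-public PublicController(
-ILogger<PublicController> logger,
-IPublicDataFileService pubFileService,
-DataRetrievalService dataRetrievalService
-)
-{
-_logger = logger;
-_pubFileService = pubFileService;
-this.dataRetrievalService = dataRetrievalService;
-}
-
-public IActionResult HelloWorld()
-{
-_logger.LogDebug("Unauthenticated hello world");
-return Ok("hello world");
-}
-
-public async Task<IActionResult> BlobTest()
-{
-var filemd = new FileMetaData()
-{
-filename = "privacy.html",
-name = "privacy.html"
-};
-
-var project = "canmetrobo";
-
-_logger.LogDebug($"Downloading {filemd.filename} from project {project}");
-
-var uri = await dataRetrievalService.GetUserDelegationSasBlob(DataRetrievalService.DEFAULT_CONTAINER_NAME, filemd.filename, project);
-
-return Redirect(uri.ToString());
-}
-
-public async Task<IActionResult> DataLakeTest()
-{
-var filemd = new FileMetaData()
-{
-folderpath = "nrcan-rncan.gc.ca/alexander.khavich",
-filename = "serious.gif"
-};
-
-_logger.LogDebug($"Downloading {filemd.filename}");
-
-var uri = await dataRetrievalService.DownloadFile(DataRetrievalService.DEFAULT_CONTAINER_NAME, filemd,null);
-return Redirect(uri.ToString());
-}
-
-[Route("{fileId}")]
-public async Task<IActionResult> DownloadFile(string fileId)
-{
-var remoteIp = HttpContext.Connection.RemoteIpAddress;
-
-try
-{
-var fileIdGuid = Guid.Parse(fileId);
-var result = await _pubFileService.DownloadPublicUrlSharedFile(fileIdGuid, remoteIp);
-if (result == null)
-{
-_logger.LogError($"File not found: {fileId}");
-return NotFound();
-}
-else
-{
-return Redirect(result.ToString());
-}
-}
-catch (FormatException)
-{
-_logger.LogError($"Invalid file id (not a guid): {fileId}");
-return NotFound();
-}
-}
-}
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Datahub.Core.Data;
+using Datahub.Core.Services.Api;
+using Datahub.Infrastructure.Services.Storage;
+
+namespace Datahub.Portal.Controllers;
+
+[Route("[controller]/[action]")]
+[AllowAnonymous]
+public class PublicController: Controller
+{
+private readonly DataRetrievalService dataRetrievalService;
+
+private ILogger<PublicController> _logger { get; set; }
+private IPublicDataFileService _pubFileService { get; set; }
+
+public PublicController(
+ILogger<PublicController> logger,
+IPublicDataFileService pubFileService,
+DataRetrievalService dataRetrievalService
+)
+{
+_logger = logger;
+_pubFileService = pubFileService;
+this.dataRetrievalService = dataRetrievalService;
+}
+
+public IActionResult HelloWorld()
+{
+_logger.LogDebug("Unauthenticated hello world");
+return Ok("hello world");
+}
+
+public async Task<IActionResult> BlobTest()
+{
+var filemd = new FileMetaData()
+{
+filename = "privacy.html",
+name = "privacy.html"
+};
+
+var project = "canmetrobo";
+
+_logger.LogDebug($"Downloading {filemd.filename} from project {project}");
+
+var uri = await dataRetrievalService.GetUserDelegationSasBlob(DataRetrievalService.DEFAULT_CONTAINER_NAME, filemd.filename, project);
+
+return Redirect(uri.ToString());
+}
+
+public async Task<IActionResult> DataLakeTest()
+{
+var filemd = new FileMetaData()
+{
+folderpath = "nrcan-rncan.gc.ca/alexander.khavich",
+filename = "serious.gif"
+};
+
+_logger.LogDebug($"Downloading {filemd.filename}");
+
+var uri = await dataRetrievalService.DownloadFile(DataRetrievalService.DEFAULT_CONTAINER_NAME, filemd,null);
+return Redirect(uri.ToString());
+}
+
+[Route("{fileId}")]
+public async Task<IActionResult> DownloadFile(string fileId)
+{
+var remoteIp = HttpContext.Connection.RemoteIpAddress;
+
+try
+{
+var fileIdGuid = Guid.Parse(fileId);
+var result = await _pubFileService.DownloadPublicUrlSharedFile(fileIdGuid, remoteIp);
+if (result == null)
+{
+_logger.LogError($"File not found: {fileId.Replace(Environment.NewLine, "").Replace("\n", "").Replace("\r", "")}") ;
+
+
+
+return NotFound();
+}
+else
+{
+return Redirect(result.ToString());
+}
+}
+catch (FormatException)
+{
+_logger.LogError($"Invalid file id (not a guid): {fileId.Replace(Environment.NewLine, "").Replace("\n", "").Replace("\r", "")}");
+return NotFound();
+}
+}
+}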
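Review bot: The not-found branch's new line `_logger.LogError($"File not found: {fileId.Replace(Environment.NewLine, "").Replace("\n", "").Replace("\r", "")}") ;` scrubs newlines out of the raw `fileId` even though `fileIdGuid` was successfully parsed two lines earlier; logging the Guid instead (`_logger.LogError("File not found: {FileId}", fileIdGuid);`) removes the log-injection surface with no string scrubbing at all, and a message template with a named placeholder is what the ILogger analyzers (CA2254) expect rather than interpolation. In the `catch (FormatException)` handler the unparsed input does need care, but `Environment.NewLine` is already covered by the `\r`/`\n` replacements and other control characters are not, so consider logging a bounded, whitespace-free form of the value or just the fact that it was not a Guid. `Guid.TryParse(fileId, out var fileIdGuid)` would also remove the exception-driven control flow that makes this two log sites instead of one. The three blank lines left after the LogError call look like an autofix artifact and can go. The anonymous `BlobTest`/`DataLakeTest` endpoints that redirect to SAS URLs for fixed paths are untouched by this commit, but an `[AllowAnonymous]` controller handing out storage URLs deserves a separate review.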
3 changes: 3 additions & 0 deletions ResourceProvisioner/src/ResourceProvisioner.API/Program.cs
Expand Up @@ -18,6 +18,9 @@
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(opts =>

var password = "Password123"; //password scan

{
opts.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
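Review bot: The inserted `var password = "Password123"; //password scan` sits between `builder.Services.AddSwaggerGen(opts =>` and the lambda's opening `{`, so Program.cs no longer parses; even a deliberate scanner probe should be its own statement before the `AddSwaggerGen` call (or live in a separate fixture file) so the project still builds and, depending on the CodeQL build mode, extraction of the rest of the assembly is not blocked by a syntax error. A literal credential committed to a branch also stays in repository history and will keep tripping secret scanners after this PR is closed; if the probe is kept, a clearly synthetic value and a comment such as `// CodeQL/secret-scan fixture, not a real credential; remove before merge` make later triage cheaper.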
@@ -1,25 +1,26 @@
<Project Sdk="Microsoft.NET.Sdk.Web">

<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
</PropertyGroup>

<ItemGroup>

<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />
<PackageReference Include="Microsoft.Identity.Web" Version="2.19.1" />
<PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
</ItemGroup>

<ItemGroup>
<ProjectReference Include="..\ResourceProvisioner.Application\ResourceProvisioner.Application.csproj" />
<ProjectReference Include="..\ResourceProvisioner.Infrastructure\ResourceProvisioner.Infrastructure.csproj" />
</ItemGroup>

<ItemGroup>
<InternalsVisibleTo Include="ResourceProvisioner.Application.IntegrationTests"></InternalsVisibleTo>
</ItemGroup>

</Project>
<Project Sdk="Microsoft.NET.Sdk.Web">

<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
</PropertyGroup>

<ItemGroup>

<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />
<PackageReference Include="Microsoft.Identity.Web" Version="2.19.1" />
<PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
<PackageReference Include="System.Data.SqlClient" Version="4.8.5" /> <!-- CodeQL scan -->
</ItemGroup>

<ItemGroup>
<ProjectReference Include="..\ResourceProvisioner.Application\ResourceProvisioner.Application.csproj" />
<ProjectReference Include="..\ResourceProvisioner.Infrastructure\ResourceProvisioner.Infrastructure.csproj" />
</ItemGroup>

<ItemGroup>
<InternalsVisibleTo Include="ResourceProvisioner.Application.IntegrationTests"></InternalsVisibleTo>
</ItemGroup>

</Project>
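Review bot: The new `<PackageReference Include="System.Data.SqlClient" Version="4.8.5" /> <!-- CodeQL scan -->` pulls the legacy System.Data.SqlClient package into a net8.0 project; Microsoft documents that package as being in maintenance mode in favor of Microsoft.Data.SqlClient, so any real SQL access added later should target the newer package, and the comment should make the temporary intent explicit: `<!-- TEMP: CodeQL scanner fixture only, remove before merge -->`. The rest of this section shows the whole project file printed once as removed and once as added, which suggests every line changed (line endings or whitespace) and buries the single real addition; normalizing with `.gitattributes` would keep such diffs to the one changed line. The file header for this section is not visible here, so the project path is inferred from the package set.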
@@ -1,12 +1,40 @@
namespace ResourceProvisioner.API;
using System;
using System.Data.SqlClient;

public class WeatherForecast
namespace ResourceProvisioner.API
{
public DateTime Date { get; set; }
public class WeatherForecast
{
public DateTime Date { get; set; }

public int TemperatureC { get; set; }
public int TemperatureC { get; set; }

public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);

public string? Summary { get; set; }
}
public string? Summary { get; set; }

// Test for credential scanning
private string password = "Password123"; //password scan

// Test for SQL injection vulnerability
public void GetUserData(string userInput)
{
string connectionString = "Data Source=.;Initial Catalog=TestDB;Integrated Security=True";
using (var connection = new SqlConnection(connectionString))
{
// Vulnerable SQL query
string query = "SELECT * FROM Users WHERE Username = '" + userInput + "'"; //injection scan
var command = new SqlCommand(query, connection);

connection.Open();
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
Console.WriteLine(reader["Username"]);
}
}
}
}
}
}
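Review bot: `GetUserData` builds its query by concatenation on the line `string query = "SELECT * FROM Users WHERE Username = '" + userInput + "'"; //injection scan`, which is the intended CodeQL finding, but the method is `public` on a type that ships in the API assembly, so if this branch were ever merged the injection would be reachable by any caller; a probe like this belongs in a test project or behind a conditional-compilation symbol rather than in a production DTO. The `SqlCommand` created by `var command = new SqlCommand(query, connection);` is `IDisposable` but is never disposed, unlike the connection and reader around it; `using var command = new SqlCommand(query, connection);` fixes that. The field `private string password = "Password123"; //password scan` is never read (the compiler will warn with CS0414) and puts a literal credential into what was a plain data class. The switch from a file-scoped to a block-scoped namespace re-indents every existing line, so the real additions are hard to pick out of this diff.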
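--- a/ResourceProvisioner/src/ResourceProvisioner.API/codeQL.cs
+++ b/ResourceProvisioner/src/ResourceProvisioner.API/codeQL.cs
@@ -0,0 +1,55 @@
+using System.Data;
+using System.Data.SqlClient;
+
+namespace ResourceProvisioner.API
+{
+class SqlInjection
+{
+private string categoryInput; // Simulated user input
+private string connectionString;
+
+public SqlInjection(string category, string connString)
+{
+categoryInput = category;
+connectionString = connString;
+}
+
+public DataSet GetDataSetByCategory()
+{
+// BAD: the category might have SQL special characters in it
+using (var connection = new SqlConnection(connectionString))
+{
+var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
++ categoryInput + "' ORDER BY PRICE";
+var adapter = new SqlDataAdapter(query1, connection);
+var result = new DataSet();
+adapter.Fill(result);
+return result;
+}
+
+// GOOD: use parameters with stored procedures
+using (var connection = new SqlConnection(connectionString))
+{
+var adapter = new SqlDataAdapter("ItemsStoredProcedure", connection);
+adapter.SelectCommand.CommandType = CommandType.StoredProcedure;
+var parameter = new SqlParameter("category", categoryInput);
+adapter.SelectCommand.Parameters.Add(parameter);
+var result = new DataSet();
+adapter.Fill(result);
+return result;
+}
+
+// GOOD: use parameters with dynamic SQL
+using (var connection = new SqlConnection(connectionString))
+{
+var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=@category ORDER BY PRICE";
+var adapter = new SqlDataAdapter(query2, connection);
+var parameter = new SqlParameter("category", categoryInput);
+adapter.SelectCommand.Parameters.Add(parameter);
+var result = new DataSet();
+adapter.Fill(result);
+return result;
+}
+}
+}
+}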
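Review bot: In `GetDataSetByCategory` the first `using` block ends with `return result;`, so the two blocks commented `// GOOD` below it are unreachable (the compiler reports CS0162) and only the `// BAD` concatenation in `var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + categoryInput + "' ORDER BY PRICE";` ever executes; if the intent is to show the safe alternatives beside the vulnerable one, split them into three methods such as `GetDataSetByCategoryUnsafe`, `GetDataSetByCategoryStoredProc` and `GetDataSetByCategoryParameterized` so each is compiled and reachable. The file name `codeQL.cs` does not match the type `SqlInjection`, the class has no explicit access modifier, and the BAD/GOOD comments appear to be copied from the CodeQL cs/sql-injection documentation example, so a header comment along the lines of `// Scanner fixture adapted from the CodeQL cs/sql-injection example; not referenced by the application. Remove before merge.` would tell the next reader why this code exists.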