11 changes: 11 additions & 0 deletions src/webapp01/Pages/Privacy.cshtml.cs
@@ -7,13 +7,24 @@
{
private readonly ILogger<PrivacyModel> _logger;

string adminUserName = "demouser@example.com";
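Review bot: `adminUserName` hardcodes an account identifier as a mutable instance field; marking it `readonly` (the CodeQL note below) does not address that an admin identity lives in source at all. If the page needs it, load it from configuration, and rely on the role check `User.IsInRole("Admin")` that this same class already performs rather than on a literal address.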

Check notice

Code scanning / CodeQL

Missed 'readonly' opportunity Note

Field 'adminUserName' can be 'readonly'.

Copilot Autofix

AI 9 months ago

To fix the issue, we will add the readonly modifier to the adminUserName field. This ensures that the field cannot be reassigned after its initial value is set during declaration. The change will be made directly in the declaration of the field on line 10.

Suggested changeset 1
src/webapp01/Pages/Privacy.cshtml.cs

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/Privacy.cshtml.cs b/src/webapp01/Pages/Privacy.cshtml.cs
--- a/src/webapp01/Pages/Privacy.cshtml.cs
+++ b/src/webapp01/Pages/Privacy.cshtml.cs
@@ -9,3 +9,3 @@
 
-    string adminUserName = "demouser@example.com";
+    private readonly string adminUserName = "demouser@example.com";
 
EOF
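Review bot: `private readonly` is correct as far as it goes, but within the visible class the field is only read by `_logger.LogInformation("Admin" + adminUserName)`, so the mechanical fix changes nothing about the real concern: a hardcoded admin e-mail address compiled into a Razor page model. Take the value from configuration (or drop the field if the role check is what the page actually relies on) instead of applying this patch alone.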

// TODO: Don't use this in production
public const string DEFAULT_PASSWORD = "Pass@word1";

public PrivacyModel(ILogger<PrivacyModel> logger)
{
_logger = logger;
}

public void OnGet()
{
string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";
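Review bot: `public const string DEFAULT_PASSWORD = "Pass@word1"` ships a credential in the compiled assembly, and the `// TODO: Don't use this in production` comment is not a control; because it is a `public const`, the literal is also inlined into every assembly that references it. Remove the literal and read the value from a secret store or configuration (user secrets locally; `Azure.Identity` is already referenced in the csproj, so a Key Vault-backed provider is the natural fit in Azure). On the next line, `string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";` accepts any string from the query; constrain it to a single letter before it is used anywhere.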

Check warning on line 22 in src/webapp01/Pages/Privacy.cshtml.cs
GitHub Actions / Build Web App
Possible null reference assignment.

Check warning on line 22 in src/webapp01/Pages/Privacy.cshtml.cs
GitHub Actions / Build Web App
Converting null literal or possible null value to non-nullable type.

Check notice

Code scanning / CodeQL

Inefficient use of ContainsKey Note

Inefficient use of 'ContainsKey' and indexer.

Copilot Autofix

AI 9 months ago

To fix the issue, replace the ContainsKey check and subsequent indexer access with a single call to TryGetValue. This method attempts to retrieve the value associated with the specified key and returns a boolean indicating whether the key exists. If the key exists, the value is stored in an out parameter; otherwise, a default value can be used.

In this case:

  1. Replace the Request.Query.ContainsKey("drive") check and Request.Query["drive"] access with a call to Request.Query.TryGetValue("drive", out var driveValue).
  2. Use the driveValue variable if the key exists; otherwise, default to "C".

Suggested changeset 1
src/webapp01/Pages/Privacy.cshtml.cs

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/Privacy.cshtml.cs b/src/webapp01/Pages/Privacy.cshtml.cs
--- a/src/webapp01/Pages/Privacy.cshtml.cs
+++ b/src/webapp01/Pages/Privacy.cshtml.cs
@@ -21,3 +21,3 @@
     {
-        string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";
+        string drive = Request.Query.TryGetValue("drive", out var driveValue) ? driveValue : "C";
         var str = $"/C fsutil volume diskfree {drive}:";
EOF
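Review bot: the `TryGetValue` rewrite only changes the lookup style. `driveValue` is a `StringValues` that is still converted to `string` without any validation, so the two nullable warnings the build raises on this line are not resolved, and the value still flows into `$"/C fsutil volume diskfree {drive}:"` on the following context line. Validate `drive` as exactly one letter (for example `drive.Length == 1 && char.IsAsciiLetter(drive[0])`) and reject the request otherwise; once that exists, the `ContainsKey`/`TryGetValue` distinction is immaterial.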
var str = $"/C fsutil volume diskfree {drive}:";
_logger.LogInformation($"Command str: {str}");
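Review bot: `str` is a command line in cmd.exe syntax (`/C fsutil volume diskfree {drive}:`) assembled from an unvalidated query parameter. The diff does not show where `str` goes, but if it is later handed to `cmd.exe /C`, a `drive` value containing `&` or `|` turns into command injection, and the `_logger.LogInformation($"Command str: {str}")` call on the next line already writes the raw value into the log, which is the CodeQL High finding. Restrict `drive` to a single letter before it is used at all, and log with a message template (`_logger.LogInformation("Command: {Command}", str)`) rather than an interpolated string so the value is recorded as a property instead of being formatted into the message.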

Check failure

Code scanning / CodeQL

Log entries created from user input High

This log entry depends on a user-provided value.

Copilot Autofix

AI 9 months ago

To fix the issue, the user-provided input (drive) should be sanitized before being included in the log entry. Since the log entry is plain text, we should remove any newline characters or other potentially harmful characters from the input. This can be achieved using String.Replace or a similar method to ensure that the input is safe for logging.

Specifically:

  1. Sanitize the drive variable by removing newline characters and other potentially harmful characters.
  2. Use the sanitized version of drive when constructing the str variable and logging it.

Suggested changeset 1
src/webapp01/Pages/Privacy.cshtml.cs

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webapp01/Pages/Privacy.cshtml.cs b/src/webapp01/Pages/Privacy.cshtml.cs
--- a/src/webapp01/Pages/Privacy.cshtml.cs
+++ b/src/webapp01/Pages/Privacy.cshtml.cs
@@ -22,2 +22,3 @@
         string drive = Request.Query.ContainsKey("drive") ? Request.Query["drive"] : "C";
+        drive = drive.Replace("\n", "").Replace("\r", ""); // Sanitize user input
         var str = $"/C fsutil volume diskfree {drive}:";
EOF
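Review bot: stripping `\r` and `\n` only addresses log forging; the same `drive` is interpolated into `$"/C fsutil volume diskfree {drive}:"` on the following context line, where newline removal does nothing against `&`, `|`, spaces or a path. A single-letter allowlist resolves both the logging finding and the command-string concern at once. Two further problems with the hunk as generated: `drive.Replace(...)` is called on a value the build already flags with "Possible null reference assignment", so it can throw `NullReferenceException`; and the hunk's context still contains the `ContainsKey` form of line 22, so it will not apply cleanly on top of the `TryGetValue` autofix suggested above.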
_logger.LogInformation("Admin" + adminUserName);
_logger.LogInformation($"User: {User.Identity?.Name}");
_logger.LogInformation($"Admin: {User.IsInRole("Admin")}");
}
}
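Review bot: `_logger.LogInformation("Admin" + adminUserName)` concatenates with no separator (it logs `Admindemouser@example.com`), and together with the interpolated calls on the next two lines it bypasses the message-template form that structured logging providers key on. Prefer `_logger.LogInformation("Admin: {AdminUser}", adminUserName)` and `_logger.LogInformation("User: {User} IsAdmin: {IsAdmin}", User.Identity?.Name, User.IsInRole("Admin"))`. `User.Identity?.Name` is whatever the identity provider returns, so it deserves the same treatment CodeQL asked for on `str`.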

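The two Copilot suggestions above (the `TryGetValue` lookup and stripping CR/LF before logging) leave the shape of `drive` unconstrained. The following added example, which is not code from this PR or from the webapp01 project, contrasts the newline-stripping fix with allowlist validation on constructed inputs: a benign letter, an absent parameter, a log-forging payload, and a cmd.exe metacharacter payload shaped for the `fsutil volume diskfree {drive}:` string. The class and method names (`DriveInput`, `TryParseDriveLetter`, `StripNewlines`) are illustrative assumptions.

```csharp
// Added example (not code from the PR or the webapp01 project): contrasts the
// Copilot "strip newlines" fix with allowlist validation of the `drive` query
// parameter. Names (DriveInput, TryParseDriveLetter) are illustrative.
using System;
using System.Collections.Generic;

public static class DriveInput
{
    // The autofix approach: remove CR/LF only; every other character survives.
    public static string StripNewlines(string raw) =>
        raw.Replace("\n", "").Replace("\r", "");

    // Allowlist approach: accept exactly one ASCII letter, otherwise reject.
    // Implemented as a length + range check on purpose: a regex such as
    // "^[A-Za-z]$" would still match "C\n", because in .NET `$` also matches
    // before a trailing newline unless `\z` is used instead.
    public static bool TryParseDriveLetter(string? raw, out char drive)
    {
        drive = 'C';                       // the page's default when the parameter is absent
        if (raw is null) return true;      // absent parameter: keep the default
        if (raw.Length != 1) return false;
        char c = raw[0];
        bool isAsciiLetter = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
        if (!isAsciiLetter) return false;
        drive = char.ToUpperInvariant(c);
        return true;
    }

    public static void Main()
    {
        // Constructed inputs: benign, absent, a log-forging payload, a cmd.exe
        // metacharacter payload for "/C fsutil volume diskfree {drive}:", and a path.
        var samples = new List<string?>
        {
            "d",
            null,
            "C\r\n[INFO] admin login ok",
            "C: & whoami",
            "..\\..",
        };

        foreach (string? s in samples)
        {
            string shown = s is null ? "<absent>" : s.Replace("\r", "\\r").Replace("\n", "\\n");
            string stripped = s is null ? "C" : StripNewlines(s);
            string verdict = TryParseDriveLetter(s, out char d) ? d.ToString() : "REJECTED";
            Console.WriteLine($"input={shown,-30} strip-newlines=\"{stripped}\"  allowlist={verdict}");
        }
    }
}
```

Run it as a console program (`dotnet run`): the allowlist rejects the forged log line, the `& whoami` payload and the path outright, whereas newline stripping only hides the line break and passes the rest through unchanged. In the page model, pair the allowlist with a message template, `_logger.LogInformation("Command: {Command}", str)`, so the value is carried as a named property instead of being formatted into the message text.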
2 changes: 1 addition & 1 deletion src/webapp01/webapp01.csproj
@@ -11,7 +11,7 @@

<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.13.2" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.3" />
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.2" />
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
<PackageReference Include="System.Text.Json" Version="8.0.4" />
</ItemGroup>
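Review bot: this hunk downgrades `Microsoft.Data.SqlClient` from 5.1.3 to 5.1.2 with no justification visible on the page. Moving a data-access package to an older patch release can silently drop bug and security fixes that shipped in the newer one; check the 5.1.3 release notes for what is being given up, and if the downgrade works around a specific problem, state it in a comment next to the `PackageReference` or in the PR body so the pin is not "fixed" back upward by the next dependency update.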