diff --git a/.env b/.env
deleted file mode 100644
index 7ff07d0..0000000
--- a/.env
+++ /dev/null
@@ -1,22 +0,0 @@
-# WARNING: This file contains intentionally exposed secrets for GitHub Advanced Security demo
-# DO NOT USE THESE IN PRODUCTION
-
-# Stripe API Keys (fake but realistic pattern)
-NEXT_PUBLIC_API_KEY=sk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0
-STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc
-
-# Azure Connection String (fake but realistic pattern)
-AZURE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=storageaccount;AccountKey=AKIAIOSFODNN7EXAMPLE;EndpointSuffix=core.windows.net
-
-# AWS Access Keys (fake but realistic pattern)
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-
-# GitHub Personal Access Token (fake but realistic pattern)
-GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz12
-
-# Database credentials (intentionally insecure for demo)
-DB_HOST=localhost
-DB_USER=admin
-DB_PASSWORD=SuperSecretPassword123!
-DATABASE_URL=postgresql://admin:SuperSecretPassword123!@localhost:5432/mydb
diff --git a/.eslintrc.json b/.eslintrc.json
deleted file mode 100644
index bffb357..0000000
--- a/.eslintrc.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "extends": "next/core-web-vitals"
-}
diff --git a/.gitignore b/.gitignore
index 4ff3ff4..45c1abc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,36 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
 # dependencies
 /node_modules
 /.pnp
 .pnp.js
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
 # local env files
-# WARNING: .env is not ignored for GitHub Advanced Security demo purposes
-# In production, you should ALWAYS ignore .env files
 .env*.local
-# .env
+.env
+
+# vercel
+.vercel
+# typescript
+*.tsbuildinfo
+next-env.d.ts
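Review bot: Ignoring `.env` from now on does not un-expose what the deleted file held — the blob at `index 7ff07d0` remains reachable from every earlier commit, so the keys in it (marked fake in its own header) are still in the repository and any secret-scanning alerts raised on them will presumably stay open until history is rewritten or the alerts are closed. If any of those values were ever real, they need rotation; deleting and ignoring the file is not a remediation by itself. Note also that the added pattern matches only a file named exactly `.env`: siblings such as `.env.development` or `.env.production` are still tracked (only `.env*.local` is ignored), which looks like the intended Next.js layout but means secrets must never go in those files. I would make that explicit next to the new line, e.g. `# only .env and .env*.local are ignored; never put secrets in other .env.* files`.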
diff --git a/README.md b/README.md
index 011a484..b8f631b 100644
--- a/README.md
+++ b/README.md
@@ -1,146 +1,2 @@ -# Gitfolio - GitHub Advanced Security Demo - -Minimal and modern developer portfolio template built with Next.js - **intentionally vulnerable for educational purposes**. - -## ⚠️ Important Security Notice - -**THIS REPOSITORY CONTAINS INTENTIONAL SECURITY VULNERABILITIES** - -This is a demonstration repository for teaching GitHub Advanced Security features. It includes: -- Exposed secrets and API keys -- Vulnerable dependencies -- Insecure code patterns - -**DO NOT USE THIS CODE IN PRODUCTION** - -## 🎯 Demo Scenarios - -### 1. Secret Scanning Demo 🔐 - -**Files to review:** -- [.env](.env) - Environment variables with exposed secrets -- [config.js](config.js) - Hardcoded API keys and credentials - -**What will be detected:** -- Stripe API keys -- AWS credentials -- Azure connection strings -- GitHub tokens -- Database passwords - -**Expected behavior:** GitHub Secret Scanning will automatically detect these patterns and create alerts in the Security tab. - -### 2. Dependabot Demo 📦 - -**Files to review:** -- [package.json](package.json) - -**Vulnerable dependencies included:** -- `axios@0.21.1` - Known CVE for Server-Side Request Forgery -- `lodash@4.17.19` - Multiple security vulnerabilities -- `express@4.17.1` - Potential security issues -- `next@12.0.0` - Outdated version -- `react@17.0.2` - Outdated version - -**Expected behavior:** Dependabot will: -1. Scan dependencies on push -2. Create alerts for known vulnerabilities -3. Automatically open pull requests with suggested updates - -### 3. 
CodeQL Analysis Demo 🔍 - -**Vulnerable API endpoints:** - -#### Command Injection -- **File:** [pages/api/user-search.js](pages/api/user-search.js) -- **Vulnerability:** User input directly concatenated into shell command -- **Attack example:** `username=admin; rm -rf /` - -#### SQL Injection -- **File:** [lib/db.js](lib/db.js) -- **Vulnerability:** Unsanitized user input in SQL queries -- **Attack example:** `username=admin' OR '1'='1` - -#### Path Traversal -- **File:** [pages/api/download.js](pages/api/download.js) -- **Vulnerability:** Unrestricted file path access -- **Attack example:** `filename=../../../../etc/passwd` - -#### Cross-Site Scripting (XSS) -- **File:** [pages/api/display-message.js](pages/api/display-message.js) -- **Vulnerability:** Unsanitized user input rendered in HTML -- **Attack example:** `message=` - -**Expected behavior:** CodeQL will trace data flow from user inputs to dangerous sinks and create security alerts. - -## 🚀 Setup Instructions - -### Prerequisites -- Node.js 14+ installed -- GitHub account with Advanced Security enabled -- Git configured locally - -### Quick Start - -### Enable GitHub Advanced Security - -1. **Push code to GitHub:** -```bash -git add . -git commit -m "Add security demo scenarios" -git push origin security-for-beginners -``` -2. **Enable Advanced Security features:** - - Go to repository Settings → Security & analysis - - Enable Dependency graph - - Enable Dependabot alerts - - Enable Dependabot security updates - - Enable Secret scanning - - Enable Code scanning (CodeQL analysis) - -3. **View security alerts:** - - Navigate to Security tab - - Check "Code scanning" for CodeQL alerts - - Check "Secret scanning" for exposed credentials - - Check "Dependabot" for vulnerable dependencies - -## 🛡️ Remediation Examples - -### Fix Secret Scanning Issues: -1. Remove hardcoded secrets from code -2. Use environment variables properly -3. Add `.env` to `.gitignore` -4. Rotate exposed credentials -5. 
Use GitHub Secrets for CI/CD - -### Fix Dependabot Issues: -1. Review Dependabot PRs -2. Test updated dependencies -3. Merge security updates -4. Configure Dependabot settings - -### Fix CodeQL Issues: -1. **Command Injection:** Use parameterized commands or allowlists -2. **SQL Injection:** Use prepared statements/parameterized queries -3. **Path Traversal:** Validate and sanitize file paths -4. **XSS:** Sanitize user input, use React's built-in escaping - -## 📚 Educational Resources - -- [GitHub Advanced Security Documentation](https://docs.github.com/en/code-security) -- [CodeQL Documentation](https://codeql.github.com/docs/) -- [Secret Scanning Patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns) -- [Dependabot Documentation](https://docs.github.com/en/code-security/dependabot) - -## 🎓 Learning Objectives - -After working through this demo, you should understand: -1. How GitHub automatically detects security vulnerabilities -2. The difference between Secret Scanning, Dependabot, and CodeQL -3. How to interpret and remediate security alerts -4. Best practices for secure coding -5. How to configure security policies for your repositories - ---- - -**Remember:** This repository is for educational purposes only. Never deploy vulnerable code to production! +# gitfolio +Minimal and modern developer portfolio template built with Next.js and Tailwind CSS. diff --git a/config.js b/config.js deleted file mode 100644 index ca80589..0000000 --- a/config.js +++ /dev/null 
@@ -1,23 +0,0 @@
-// WARNING: This config file contains hardcoded secrets for demo purposes
-// DO NOT USE IN PRODUCTION
-
-const config = {
- stripe: {
- // Hardcoded Stripe secret key (vulnerability for Secret Scanning demo)
- secretKey: 'sk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0',
- publishableKey: 'pk_live_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0'
- },
-
- database: {
- // Hardcoded database password (vulnerability for Secret Scanning demo)
- connectionString: 'postgresql://dbuser:P@ssw0rd123!@localhost:5432/portfolio'
- },
-
- api: {
- // Hardcoded API key (vulnerability for Secret Scanning demo)
- key: 'AIzaSyD-1234567890abcdefghijklmnopqrstuv',
- endpoint: 'https://api.example.com'
- }
-};
-
-module.exports = config;
diff --git a/lib/db.js b/lib/db.js
deleted file mode 100644
index 789ad77..0000000
--- a/lib/db.js
+++ /dev/null
@@ -1,53 +0,0 @@
-// WARNING: VULNERABLE CODE - SQL Injection Demo
-// DO NOT USE IN PRODUCTION
-// This module demonstrates SQL injection vulnerabilities for CodeQL detection
-
-import { createConnection } from 'mysql2/promise';
-
-// Mock database connection for demo purposes
-const dbConfig = {
- host: 'localhost',
- user: 'root',
- password: 'password',
- database: 'gitfolio'
-};
-
-// VULNERABILITY: SQL Injection - Direct string concatenation
-export async function getUserByName(username) {
- const connection = await createConnection(dbConfig);
-
- // User input concatenated directly into SQL query
- // An attacker could use input like: "admin' OR '1'='1"
- const query = `SELECT * FROM users WHERE username = '${username}'`;
-
- const [rows] = await connection.execute(query);
- await connection.end();
-
- return rows;
-}
-
-// VULNERABILITY: SQL Injection in search function
-export async function searchUsers(searchTerm) {
- const connection = await createConnection(dbConfig);
-
- // Another example of SQL injection
- const query = `SELECT id, username, email FROM users WHERE username LIKE '%${searchTerm}%' OR email LIKE '%${searchTerm}%'`;
-
- const [rows] = await connection.execute(query);
- await connection.end();
-
- return rows;
-}
-
-// VULNERABILITY: SQL Injection in delete operation
-export async function deleteUser(userId) {
- const connection = await createConnection(dbConfig);
-
- // Direct concatenation in DELETE statement
- const query = `DELETE FROM users WHERE id = ${userId}`;
-
- await connection.execute(query);
- await connection.end();
-
- return { success: true };
-}
diff --git a/next.config.js b/next.config.js
deleted file mode 100644
index ae88795..0000000
--- a/next.config.js
+++ /dev/null
@@ -1,7 +0,0 @@
-/** @type {import('next').NextConfig} */
-const nextConfig = {
- reactStrictMode: true,
- swcMinify: true,
-}
-
-module.exports = nextConfig
diff --git a/package.json b/package.json
deleted file mode 100644
index 3065e25..0000000
--- a/package.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "name": "gitfolio",
- "version": "1.0.0",
- "description": "Minimal and modern developer portfolio template built with Next.js and Tailwind CSS",
- "scripts": {
- "dev": "next dev",
- "build": "next build",
- "start": "next start",
- "lint": "next lint"
- },
- "dependencies": {
- "next": "12.0.0",
- "react": "17.0.2",
- "react-dom": "17.0.2",
- "axios": "0.21.1",
- "lodash": "4.17.19",
- "express": "4.17.1"
- },
- "devDependencies": {
- "eslint": "8.0.0",
- "eslint-config-next": "12.0.0"
- }
-}
diff --git a/pages/_app.js b/pages/_app.js
deleted file mode 100644
index 1e1cec9..0000000
--- a/pages/_app.js
+++ /dev/null
@@ -1,7 +0,0 @@
-import '../styles/globals.css'
-
-function MyApp({ Component, pageProps }) {
- return
-}
-
-export default MyApp
diff --git a/pages/api/display-message.js b/pages/api/display-message.js
deleted file mode 100644
index 0342215..0000000
--- a/pages/api/display-message.js
+++ /dev/null
@@ -1,30 +0,0 @@
-// WARNING: VULNERABLE CODE - XSS (Cross-Site Scripting) Demo
-// DO NOT USE IN PRODUCTION
-// This API endpoint demonstrates XSS vulnerabilities for CodeQL detection
-
-export default function handler(req, res) {
- const { message } = req.query;
-
- if (!message) {
- return res.status(400).json({ error: 'Message is required' });
- }
-
- // VULNERABILITY: Reflected XSS
- // User input is directly embedded into HTML response without sanitization
- // An attacker could inject: ""
- const html = `
-
-
-
- Message Display
-
-
-

Your Message:

-
${message}
-
-
- `;
-
- res.setHeader('Content-Type', 'text/html');
- res.status(200).send(html);
-}
diff --git a/pages/api/download.js b/pages/api/download.js
deleted file mode 100644
index c6727b2..0000000
--- a/pages/api/download.js
+++ /dev/null
@@ -1,31 +0,0 @@
-// WARNING: VULNERABLE CODE - Path Traversal Demo
-// DO NOT USE IN PRODUCTION
-// This API endpoint demonstrates a path traversal vulnerability for CodeQL detection
-
-import fs from 'fs';
-import path from 'path';
-
-export default function handler(req, res) {
- const { filename } = req.query;
-
- if (!filename) {
- return res.status(400).json({ error: 'Filename is required' });
- }
-
- // VULNERABILITY: Path Traversal
- // User input is used directly to construct file paths
- // An attacker could use input like: "../../../../etc/passwd"
- const filePath = path.join(process.cwd(), 'uploads', filename);
-
- try {
- // Reading file without proper validation
- const fileContent = fs.readFileSync(filePath, 'utf8');
-
- res.status(200).json({
- filename: filename,
- content: fileContent
- });
- } catch (error) {
- res.status(500).json({ error: error.message });
- }
-}
diff --git a/pages/api/user-search.js b/pages/api/user-search.js
deleted file mode 100644
index 16501f7..0000000
--- a/pages/api/user-search.js
+++ /dev/null
@@ -1,29 +0,0 @@
-// WARNING: VULNERABLE CODE - Command Injection Demo
-// DO NOT USE IN PRODUCTION
-// This API endpoint demonstrates a command injection vulnerability for CodeQL detection
-
-import { exec } from 'child_process';
-
-export default function handler(req, res) {
- const { username } = req.query;
-
- if (!username) {
- return res.status(400).json({ error: 'Username is required' });
- }
-
- // VULNERABILITY: User input is directly concatenated into a shell command
- // An attacker could inject malicious commands using input like: "user; rm -rf /"
- const command = `grep ${username} /var/log/users.log`;
-
- exec(command, (error, stdout, stderr) => {
- if (error) {
- return res.status(500).json({ error: error.message });
- }
-
- if (stderr) {
- return res.status(500).json({ error: stderr });
- }
-
- res.status(200).json({ result: stdout });
- });
-}
diff --git a/pages/index.js b/pages/index.js
deleted file mode 100644
index a076a2f..0000000
--- a/pages/index.js
+++ /dev/null
@@ -1,57 +0,0 @@
-export default function Home() {
- return (
-
-

Gitfolio - Developer Portfolio Demo

-

Welcome to the GitHub Advanced Security demo repository!

- -
-

⚠️ Security Demo Scenarios

-

This repository contains intentional security vulnerabilities for educational purposes:

- -
    -
  • - Secret Scanning: Check .env and config.js - for exposed API keys and credentials -
  • -
  • - Dependabot: Outdated dependencies with known vulnerabilities - in package.json -
  • -
  • - CodeQL: Vulnerable code patterns in API routes: -
      -
    • Command Injection: /api/user-search
    • -
    • SQL Injection: lib/db.js
    • -
    • Path Traversal: /api/download
    • -
    • XSS: /api/display-message
    • -
    -
  • -
- -
- ⚠️ WARNING: This code is intentionally insecure and should - NEVER be used in production. It is designed exclusively for demonstrating - GitHub Advanced Security features. -
-
- -
-

📚 Demo Instructions

-
    -
  1. Push this code to GitHub
  2. -
  3. Enable GitHub Advanced Security in repository settings
  4. -
  5. Navigate to Security → Code scanning alerts
  6. -
  7. Navigate to Security → Secret scanning alerts
  8. -
  9. Navigate to Security → Dependabot alerts
  10. -
  11. Review and remediate the alerts
  12. -
-
-
- ); -} diff --git a/styles/globals.css b/styles/globals.css deleted file mode 100644 index a4ea883..0000000 --- a/styles/globals.css +++ /dev/null @@ -1,25 +0,0 @@ -html, -body { - padding: 0; - margin: 0; - font-family: -apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen, - Ubuntu, Cantarell, Fira Sans, Droid Sans, Helvetica Neue, sans-serif; -} - -a { - color: inherit; - text-decoration: none; -} - -* { - box-sizing: border-box; -} - -code { - background: #fafafa; - border-radius: 5px; - padding: 0.2em 0.4em; - font-family: Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, - Bitstream Vera Sans Mono, Courier New, monospace; - font-size: 0.9em; -}