Add vulnerable dependencies demo project with multiple projects and examples of security vulnerabilities

felickz · felickz · commit 93486b95048a · 2025-08-26T13:49:08.000-04:00
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -0,0 +1,8 @@
+<Project>
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>latest</LangVersion>
+  </PropertyGroup>
+</Project>
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -0,0 +1,5 @@
+<Project>
+  <Target Name="OverridePackageVersions" BeforeTargets="CollectPackageReferences">
+    <Message Text="Using centrally defined package versions for this solution" Importance="High" />
+  </Target>
+</Project>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -0,0 +1,32 @@
+<Project>
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
+  </PropertyGroup>
+  
+  <ItemGroup>
+    <!-- Common packages -->
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="9.0.0" />
+    
+    <!-- Vulnerable direct dependencies (examples) -->
+    <PackageVersion Include="Newtonsoft.Json" Version="12.0.3" />  <!-- Has known vulnerabilities -->
+    <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.0" /> <!-- Known regex vulnerability -->
+    <PackageVersion Include="System.Net.Http" Version="4.3.0" /> <!-- Contains security vulnerabilities -->
+    
+    <!-- API dependencies -->
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" /> <!-- Intentionally older version -->
+    <PackageVersion Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="7.0.0" /> <!-- Older version -->
+    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="9.0.8" />
+    <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.2.3" /> <!-- Outdated version -->
+    
+    <!-- Library dependencies with transitive vulnerabilities -->
+    <PackageVersion Include="Microsoft.AspNet.WebApi.Client" Version="5.2.7" /> <!-- Has vulnerable dependencies -->
+    <PackageVersion Include="Microsoft.Data.OData" Version="5.8.4" /> <!-- Contains vulnerable dependency chain -->
+    
+    <!-- Utility dependencies -->
+    <PackageVersion Include="log4net" Version="2.0.12" /> <!-- Has known vulnerabilities -->
+    <PackageVersion Include="SharpZipLib" Version="1.3.1" /> <!-- Contains security issues -->
+  </ItemGroup>
+</Project>
diff --git a/README.md b/README.md
@@ -1,2 +1,61 @@
-# vulnerable-dependencies
-Simulates a repository with multiple projects, CPM, and vulnerable direct and transitive dependencies
+# Vulnerable Dependencies Demo
+
+This repository demonstrates a .NET 9 solution with multiple projects that contain vulnerable direct and transitive dependencies. It uses Central Package Management (CPM) to manage these dependencies.
+
+## Project Structure
+
+- **VulnerableApi**: A .NET 9 Web API project with vulnerable dependencies
+  - Uses vulnerable Newtonsoft.Json settings
+  - Contains SSRF vulnerability through user-controlled HTTP requests
+  - Uses vulnerable JWT authentication configuration
+
+- **VulnerableLibrary**: A class library with vulnerable dependencies
+  - Uses vulnerable regex patterns (potential ReDoS)
+  - Contains outdated SharpZipLib reference
+  - Uses vulnerable versions of System.Net.Http
+
+- **VulnerableConsole**: A console application that uses both direct and transitive dependencies
+  - Uses vulnerable log4net version
+  - Demonstrates vulnerable JSON serialization
+  - References the VulnerableLibrary with its transitive dependencies
+
+## Vulnerability Examples
+
+This repository contains examples of:
+
+1. **Direct dependencies with known vulnerabilities**:
+   - Newtonsoft.Json 12.0.3 (CVE-2020-0605)
+   - System.Text.RegularExpressions 4.3.0 (CVE-2019-0820)
+   - System.Net.Http 4.3.0 (CVE-2018-8292)
+
+2. **Transitive dependencies with vulnerabilities**:
+   - Dependencies coming through Microsoft.AspNet.WebApi.Client
+   - Dependencies coming through Microsoft.Data.OData
+
+3. **Vulnerable code patterns**:
+   - TypeNameHandling.All in Newtonsoft.Json (CVE-2017-9785)
+   - Regex patterns vulnerable to ReDoS
+   - SSRF through unvalidated user input
+
+## Central Package Management
+
+The project uses Central Package Management (CPM) via the Directory.Packages.props file to define all package versions in a central location.
+
+## Running the Sample
+
+```powershell
+dotnet restore
+dotnet build
+```
+
+## Security Analysis
+
+You can use various tools to detect the vulnerabilities in this sample:
+
+- NuGet Package Vulnerability Detection
+- Static Code Analysis tools
+- Dependency scanning tools
+
+## Note
+
+This is a demonstration repository used to illustrate vulnerable dependencies. Do not use any of this code in a production environment.
diff --git a/VulnerableApi/Controllers/VulnerableController.cs b/VulnerableApi/Controllers/VulnerableController.cs
@@ -0,0 +1,63 @@
+using Microsoft.AspNetCore.Mvc;
+using Newtonsoft.Json;
+using System.Net.Http;
+using VulnerableLibrary;
+
+namespace VulnerableApi.Controllers
+{
+    [ApiController]
+    [Route("api/[controller]")]
+    public class VulnerableController : ControllerBase
+    {
+        private readonly HttpClient _httpClient;
+        private readonly DataProcessor _dataProcessor;
+
+        public VulnerableController(DataProcessor dataProcessor)
+        {
+            _httpClient = new HttpClient();
+            _dataProcessor = dataProcessor;
+        }
+
+        [HttpGet("unsafe-json")]
+        public ActionResult GetUnsafeJson(string input)
+        {
+            // Using vulnerable JSON deserialization
+            var settings = new JsonSerializerSettings
+            {
+                TypeNameHandling = TypeNameHandling.All // CVE-2017-9785 - Known security vulnerability
+            };
+
+            var result = JsonConvert.DeserializeObject(input, settings);
+            return Ok(result);
+        }
+
+        [HttpPost("process-data")]
+        public async Task<ActionResult> ProcessData([FromBody] DataRequest request)
+        {
+            try
+            {
+                var result = await _dataProcessor.ProcessData(request.Data);
+                return Ok(new { Success = true, Result = result });
+            }
+            catch (Exception ex)
+            {
+                return BadRequest(new { Error = ex.Message });
+            }
+        }
+
+        [HttpGet("unsafe-request")]
+        public async Task<ActionResult> UnsafeRequest(string url)
+        {
+            // Using vulnerable System.Net.Http version
+            // SSRF vulnerability - allowing the client to specify any URL
+            var response = await _httpClient.GetAsync(url);
+            var content = await response.Content.ReadAsStringAsync();
+            return Ok(content);
+        }
+    }
+
+    public class DataRequest
+    {
+        public string Data { get; set; } = string.Empty;
+    }
+}
diff --git a/VulnerableApi/Program.cs b/VulnerableApi/Program.cs
@@ -0,0 +1,56 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+builder.Services.AddEndpointsApiExplorer();
+builder.Services.AddSwaggerGen();
+builder.Services.AddControllers()
+    .AddNewtonsoftJson(); // Using vulnerable Newtonsoft.Json
+
+// Add JWT authentication with vulnerable version
+builder.Services.AddAuthentication()
+    .AddJwtBearer(options =>
+    {
+        options.Authority = "https://example.auth.server";
+        options.Audience = "api";
+        // Vulnerable: DisableTokenValidation = true would be insecure
+    });
+
+// Register the vulnerable library components
+builder.Services.AddTransient<VulnerableLibrary.DataProcessor>();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+    app.UseSwagger();
+    app.UseSwaggerUI();
+}
+
+var summaries = new[]
+{
+    "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapControllers();
+
+app.MapGet("/weatherforecast", () =>
+{
+    var forecast =  Enumerable.Range(1, 5).Select(index =>
+        new WeatherForecast
+        (
+            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+            Random.Shared.Next(-20, 55),
+            summaries[Random.Shared.Next(summaries.Length)]
+        ))
+        .ToArray();
+    return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/VulnerableApi/Properties/launchSettings.json b/VulnerableApi/Properties/launchSettings.json
@@ -0,0 +1,14 @@
+﻿{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": false,
+      "applicationUrl": "http://localhost:5184",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}
diff --git a/VulnerableApi/VulnerableApi.csproj b/VulnerableApi/VulnerableApi.csproj
@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
+    <PackageReference Include="Newtonsoft.Json" />
+    <PackageReference Include="Swashbuckle.AspNetCore" />
+    <PackageReference Include="System.Net.Http" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\VulnerableLibrary\VulnerableLibrary.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/VulnerableApi/VulnerableApi.http b/VulnerableApi/VulnerableApi.http
@@ -0,0 +1,6 @@
+@VulnerableApi_HostAddress = http://localhost:5184
+
+GET {{VulnerableApi_HostAddress}}/weatherforecast/
+Accept: application/json
+
+###
diff --git a/VulnerableApi/appsettings.Development.json b/VulnerableApi/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}
diff --git a/VulnerableApi/appsettings.json b/VulnerableApi/appsettings.json
@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}
diff --git a/VulnerableConsole/Program.cs b/VulnerableConsole/Program.cs
@@ -0,0 +1,43 @@
+﻿using log4net;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Newtonsoft.Json;
+using VulnerableLibrary;
+
+// Configure services
+var services = new ServiceCollection();
+services.AddLogging(builder => 
+{
+    builder.AddConsole();
+});
+
+services.AddTransient<DataProcessor>();
+
+var serviceProvider = services.BuildServiceProvider();
+
+// Using vulnerable log4net version
+var log = LogManager.GetLogger(typeof(Program));
+log.Info("Application started");
+
+// Using vulnerable JSON library
+var jsonSettings = new JsonSerializerSettings
+{
+    TypeNameHandling = TypeNameHandling.All // Vulnerable setting
+};
+
+var data = JsonConvert.SerializeObject(new { Message = "Test" }, jsonSettings);
+Console.WriteLine($"Serialized data: {data}");
+
+// Using vulnerable library
+var processor = serviceProvider.GetRequiredService<DataProcessor>();
+try 
+{
+    await processor.ProcessData("test-data");
+}
+catch (Exception ex) 
+{
+    Console.WriteLine($"Error processing data: {ex.Message}");
+}
+
+Console.WriteLine("Press any key to exit...");
+Console.ReadKey();
diff --git a/VulnerableConsole/VulnerableConsole.csproj b/VulnerableConsole/VulnerableConsole.csproj
@@ -0,0 +1,21 @@
+﻿<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net9.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="log4net" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Console" />
+    <PackageReference Include="Newtonsoft.Json" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\VulnerableLibrary\VulnerableLibrary.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/VulnerableDependencies.sln b/VulnerableDependencies.sln
diff --git a/VulnerableLibrary/Class1.cs b/VulnerableLibrary/Class1.cs
diff --git a/VulnerableLibrary/VulnerableLibrary.csproj b/VulnerableLibrary/VulnerableLibrary.csproj
