web security updates ProfessionalCSharp#46

Author: christiannagel

02_Libs/Security/ASPNETCoreMVCSecurity/.bowerrc

@@ -1,18 +1,13 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
+    <TargetFramework>net5.0</TargetFramework>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.All" />
-    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design">
-      <Version>2.1.7</Version>
-    </PackageReference>
-  </ItemGroup>
-
-  <ItemGroup>
-    <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.4" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.2" />
+    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="5.0.2" />
   </ItemGroup>
 
 </Project>

02_Libs/Security/ASPNETCoreMVCSecurity/ASPNETCoreMVCSecurity.csproj

@@ -1,55 +1,83 @@
-using System;
+using ASPNETCoreMVCSecurity.Models;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Data.SqlClient;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
-using Microsoft.AspNetCore.Mvc;
-using ASPNETCoreMVCSecurity.Models;
-using Microsoft.AspNetCore.Html;
-using System.Net.Http.Headers;
 
 namespace ASPNETCoreMVCSecurity.Controllers
 {
     public class HomeController : Controller
     {
-        public string Echo(string x) => x;
+        private readonly ILogger<HomeController> _logger;
+        private readonly IConfiguration _settings;
 
-        public IActionResult EchoUnencoded(string x) => Content(x, "text/html");
-
-        public IActionResult EchoWithView(string x)
+        public HomeController(ILogger<HomeController> logger, IConfiguration configuration)
         {
-            ViewBag.SampleData = x;
-            return View();
+            _logger = logger;
+            _settings = configuration;
         }
 
         public IActionResult Index()
         {
             return View();
         }
 
-        public IActionResult About()
+        public IActionResult Privacy()
         {
-            ViewData["Message"] = "Your application description page.";
-
             return View();
         }
 
-        public IActionResult Contact()
-        {
-            ViewData["Message"] = "Your contact page.";
+        public string Echo(string x) => x;
 
+        public IActionResult EchoUnencoded(string x) => Content(x, "text/html");
+
+        public IActionResult EchoWithView(string x)
+        {
+            ViewBag.SampleData = x;
             return View();
         }
 
-        public IActionResult Error()
+        public IActionResult SqlSample(string id)
         {
-            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
+            string connectionString = _settings.GetConnectionString("InjectionConnection");
+            SqlConnection sqlConnection = new(connectionString);
+            SqlCommand command = sqlConnection.CreateCommand();
+
+            // don't do this - string concatenation for SQL commands!
+            command.CommandText = "SELECT * FROM Customers WHERE City = " + id;
+            sqlConnection.Open();
+            using SqlDataReader reader = command.ExecuteReader(System.Data.CommandBehavior.CloseConnection);
+
+            StringBuilder sb = new();
+            while (reader.Read())
+            {
+                for (int i = 0; i < reader.FieldCount; i++)
+                {
+                    sb.Append(reader[i]);
+                }
+                sb.AppendLine();
+            }
+            ViewBag.Data = sb.ToString();
+
+            return View();
         }
 
         public IActionResult EditBook() => View();
 
         [HttpPost]
-        // [ValidateAntiForgeryToken]
         public IActionResult EditBook(Book book) => View("EditBookResult", book);
+
+
+        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+        public IActionResult Error()
+        {
+            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
+        }
     }
 }

02_Libs/Security/ASPNETCoreMVCSecurity/Controllers/HomeController.cs

@@ -1,13 +1,5 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-
-namespace ASPNETCoreMVCSecurity.Models
+namespace ASPNETCoreMVCSecurity.Models
 {
-    public class Book
-    {
-        public string Title { get; set; }
-        public string Publisher { get; set; }
-    }
+    public record Book(string Title, string? Publisher);
+
 }

02_Libs/Security/ASPNETCoreMVCSecurity/Models/Book.cs

@@ -8,4 +8,4 @@ public class ErrorViewModel
 
         public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
     }
-}
+}

02_Libs/Security/ASPNETCoreMVCSecurity/Models/ErrorViewModel.cs

@@ -1,18 +1,20 @@
-using Microsoft.AspNetCore;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
 
 namespace ASPNETCoreMVCSecurity
 {
     public class Program
     {
         public static void Main(string[] args)
         {
-            BuildWebHost(args).Run();
+            CreateHostBuilder(args).Build().Run();
         }
 
-        public static IWebHost BuildWebHost(string[] args) =>
-            WebHost.CreateDefaultBuilder(args)
-                .UseStartup<Startup>()
-                .Build();
+        public static IHostBuilder CreateHostBuilder(string[] args) =>
+            Host.CreateDefaultBuilder(args)
+                .ConfigureWebHostDefaults(webBuilder =>
+                {
+                    webBuilder.UseStartup<Startup>();
+                });
     }
 }

02_Libs/Security/ASPNETCoreMVCSecurity/Program.cs

@@ -1,10 +1,10 @@
-{
+{
   "iisSettings": {
     "windowsAuthentication": false,
     "anonymousAuthentication": true,
     "iisExpress": {
-      "applicationUrl": "http://localhost:48985/",
-      "sslPort": 0
+      "applicationUrl": "http://localhost:60555",
+      "sslPort": 44391
     }
   },
   "profiles": {
@@ -17,11 +17,12 @@
     },
     "ASPNETCoreMVCSecurity": {
       "commandName": "Project",
+      "dotnetRunMessages": "true",
       "launchBrowser": true,
+      "applicationUrl": "https://localhost:5001;http://localhost:5000",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
-      },
-      "applicationUrl": "http://localhost:48989/"
+      }
     }
   }
-}
+}

02_Libs/Security/ASPNETCoreMVCSecurity/Properties/launchSettings.json

@@ -1,8 +1,9 @@
-using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
 using System.Text.Encodings.Web;
 
 namespace ASPNETCoreMVCSecurity
@@ -19,47 +20,46 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddMvc();
+            services.AddControllersWithViews();
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
-                app.UseBrowserLink();
             }
             else
             {
                 app.UseExceptionHandler("/Home/Error");
+                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+                app.UseHsts();
             }
-
+            app.UseHttpsRedirection();
             app.UseStaticFiles();
 
-            app.Map("/echo", app1 =>
+            app.UseRouting();
+
+            app.UseAuthorization();
+
+            app.UseEndpoints(endpoints =>
             {
-                app1.Run(async context =>
+                endpoints.Map("/echo", async context =>
                 {
                     string data = context.Request.Query["x"];
                     await context.Response.WriteAsync(data);
                 });
-            });
 
-            app.Map("/echoenc", app1 =>
-            {
-                app1.Run(async context =>
+                endpoints.Map("/echoenc", async context =>
                 {
                     string data = context.Request.Query["x"];
                     await context.Response.WriteAsync(HtmlEncoder.Default.Encode(data));
                 });
-            });
 
-            app.UseMvc(routes =>
-            {
-                routes.MapRoute(
+                endpoints.MapControllerRoute(
                     name: "default",
-                    template: "{controller=Home}/{action=Index}/{id?}");
+                    pattern: "{controller=Home}/{action=Index}/{id?}");
             });
         }
     }

02_Libs/Security/ASPNETCoreMVCSecurity/Startup.cs

@@ -1,32 +1,16 @@
-@using Microsoft.AspNetCore.Html;
+
 @{
-    Layout = null;
+    string data = ViewBag.SampleData;
 }
+<h3>
+    This is encoded
+</h3>
+<div>@data</div>
 
-<!DOCTYPE html>
-
-<html>
-<head>
-    <meta name="viewport" content="width=device-width" />
-    <title>EchoWithView</title>
-</head>
-<body>
-    @{ 
-        string data = ViewBag.SampleData;
-    }
-    <div>
-        this is encoded
-    </div>
-    <div>@data</div>
-
-    <br />
-    <div>
-        This is not encoded
-    </div>
-    <div>
-        @Html.Raw(@data)
-    </div>
-
-
-</body>
-</html>
+<br />
+<h3>
+    This is not encoded
+</h3>
+<div>
+    @Html.Raw(@data)
+</div>

02_Libs/Security/ASPNETCoreMVCSecurity/Views/Home/About.cshtml

@@ -2,12 +2,10 @@
 @{
     ViewData["Title"] = "EditBook";
 }
-<h2>Edit Book</h2>
 
+<h1>EditBook</h1>
 
 <form asp-controller="Home" asp-action="EditBook" method="post">
- //   @Html.AntiForgeryToken()
-
     <label for="title">Title:</label>
     <input type="text" id="title" name="title" />
     <br />
@@ -16,3 +14,5 @@
     <br />
     <input type="submit" value="Submit" />
 </form>
+
+