Merge pull request #91 from pappyangel/SQLInjection

Sql injection

Author: timrobertsusa

.github/workflows/BuildDeploy-API.yaml

@@ -31,6 +31,7 @@ jobs:
       uses: Azure/[email protected]
       with:
         publish-profile: ${{ secrets.COCKTAIL_API_MCAPS_F25_PUBLISH_PROFILE }}
+        clean: true
         # Enter an existing Slot other than the Production slot
         #slot-name: # optional, default is production
         # Applies to Web App only: Path to package or folder. *.zip, *.war, *.jar or a folder to deploy

.github/workflows/BuildDeploy-Frontend.yaml

@@ -1,5 +1,8 @@
 name: BuildDeploy FrontEnd
 
+env:  
+  APP_FOLDER_PATH: frontend
+
 on:    
   push:
     branches: main
@@ -15,14 +18,31 @@ jobs:
 
     steps:
     - name: Check out source code
-      uses: actions/checkout@v4    
+      uses: actions/checkout@v4  
+      
+    - name: Get DateTime 
+      run:  echo "RUN_DT=$(TZ='America/New_York' date +'%m/%d/%Y %I:%M %p')" >> $GITHUB_ENV
+       
+    - name: Print vars        
+      run: |                 
+       echo ${{env.APP_FOLDER_PATH}}
+       echo "The date time for this run was: ${{env.RUN_DT}}"
+         
+    - name: update build number from GH Action 
+      uses: TomaszKandula/[email protected]
+      with:
+          files: '${{env.APP_FOLDER_PATH}}/appsettings.json'
+      env:
+          DeploymentDate: ${{env.RUN_DT}}
+          
+      
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
         dotnet-version: 8.0.x
     - name: Restore, Build, Test, Publish  
       run: |
-        cd frontend
+        cd ${{env.APP_FOLDER_PATH}}
         dotnet restore   
         dotnet build --no-restore
         dotnet test --no-build --verbosity normal
@@ -32,7 +52,8 @@ jobs:
       uses: Azure/[email protected]
       with:       
         #app-name: 'Cocktail-Frontend'
-        publish-profile: ${{ secrets.COCKTAIL_FRONTEND_MCAPS_F25_PUBLISH_PROFILE }}        
+        publish-profile: ${{ secrets.COCKTAIL_FRONTEND_MCAPS_F25_PUBLISH_PROFILE }} 
+        clean: true
         # Enter an existing Slot other than the Production slot
         #slot-name: prod2
         # Applies to Web App only: Path to package or folder. *.zip, *.war, *.jar or a folder to deploy

.vscode/launch.json

@@ -9,7 +9,7 @@
             "type": "coreclr",
             "request": "launch",
             "preLaunchTask": "build Frontend",
-            "program": "${workspaceFolder}/frontend/bin/Debug/net7.0/frontend.dll",
+            "program": "${workspaceFolder}/frontend/bin/Debug/net8.0/frontend.dll",
             "args": [],
             "cwd": "${workspaceFolder}/frontend",
             "stopAtEntry": false,

README.md

@@ -1,3 +1,9 @@
+# dev branch notes for SQL Injection protection 8-2024
+- updated Index page to display for new environment and date information
+- Update & Insert SQL to use parameterized values 
+- updated config to use AppSettingsDevelopment so when in dev, dev config is auto used, when in prod, prod config auto used
+- Added clean: true to workflow
+
 
 # dev branch notes for MCAPS Deployment 7-2024
 Added default NoImage.jpg to ddl in Database items table

frontend/Pages/EditCocktail.cshtml

@@ -4,21 +4,21 @@
     ViewData["Title"] = "Edit Cocktails Page";   
 
     var srcContent ="~/images/";
+    var userImageName = "";
 
     @* + (Model.cocktailToEdit.ImagePath ?? "NoImage.jpg");     *@
 
     if (Model.cocktailToEdit.ImagePath is null)
-        srcContent = srcContent + "NoImage.jpg";
+        srcContent = srcContent + "NoImageSelected.png";
     else
     if (Model.cocktailToEdit.ImagePath == "")
-        srcContent = srcContent + "NoImage.jpg";
+        srcContent = srcContent + "NoImageSelected.png";
     else
+    {
         srcContent = srcContent + Model.cocktailToEdit.ImagePath;
-
-
-
-
-
+        userImageName = Model.cocktailToEdit.ImagePath.Substring(37);
+    }
+    
 }
 
 
@@ -34,11 +34,15 @@
         we need when we submit the form*@
     @* <input hidden asp-for="cocktailToEdit.Id" /> *@
     @* <input readonly asp-for="cocktailToEdit.Id" /> *@
+
+    
+    <input type="hidden" readonly asp-for="cocktailToEdit.ImagePath" class="form-control">
+
     <div class="form-group row">
         <label asp-for="cocktailToEdit.Id" class="col-sm-2 col-form-label">
         </label>
         <div class="col-sm-10">
-            <input readonly asp-for="cocktailToEdit.Id" class="form-control" placeholder="Bobo">
+            <input readonly asp-for="cocktailToEdit.Id" class="form-control" >
         </div>
     </div>
 
@@ -71,7 +75,8 @@
                 @*Photo property type is IFormFile, so ASP.NET Core
                     automatically creates a FileUpload control  *@
                 <input asp-for="ctImage" class="custom-file-input form-control">
-                <label class="custom-file-label">Click here to change image</label>
+                @* <label class="custom-file-label">Click here to change image</label> *@
+                <label class="custom-file-label">@userImageName</label>
             </div>
         </div>
     </div>

frontend/Pages/Index.cshtml

@@ -5,19 +5,21 @@
 }
 
 <div class="text-center">
-    <h1 class="display-4">Cocktails Application</h1>
-        <p>Production Release</p>
-        <p>July 2024</p>
+    <h1 class="display-4">Cocktails Application</h1>    
+    <p>
+        <environment include="Development">
+            <div>Development Environment</div>
+        </environment>
+
+        <environment exclude="Development">
+            <div>Production Environment</div>
+        </environment>
+    </p>
+    <p>Deployment Date: @Model.envDeploymentDate</p>
     <p><a href="https://cocktail-api.azurewebsites.net/cocktails">Hit the API directly!</a></p>
 </div>
 
-<environment include="Development">
-    <div>Environment is Development</div>    
-</environment>
 
-<environment exclude="Development">
-    <div>Environment is NOT Development</div>    
-</environment>
 
 @* <div> Environment: @Model.envEnvironment </div>
-<div> API Url: @Model.envAPIProductionUrl </div> *@
+<div> API Url: @Model.envDeploymentDate </div> *@

frontend/Pages/Index.cshtml.cs

@@ -14,7 +14,7 @@ public class IndexModel : PageModel
         private readonly ILogger<IndexModel> _logger;
         private readonly IConfiguration _config;
         public  string envEnvironment  { get; set; }
-        public string envAPIProductionUrl { get; set; }
+        public string envDeploymentDate { get; set; }
 
         public IndexModel(ILogger<IndexModel> logger, IConfiguration config)
         {
@@ -25,7 +25,7 @@ public IndexModel(ILogger<IndexModel> logger, IConfiguration config)
         public void OnGet()
         {
             envEnvironment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
-            envAPIProductionUrl = _config["APIProductionUrl"];
+            envDeploymentDate = _config["DeploymentDate"];
 
         }
     }

frontend/appsettings.json

@@ -9,5 +9,6 @@
   "AllowedHosts": "*",
   "APIProductionUrl":"https://cocktail-api.azurewebsites.net/cocktails",
   "FY25-APIProductionUrl": "https://cocktail-api.azurewebsites.net/cocktails",
-  "Dev-APIUrl": "http://127.0.0.1:5000/cocktails"
+  "Dev-APIUrl": "http://127.0.0.1:5000/cocktails",
+  "DeploymentDate": "08/10/2024 10:24 AM"
 }