Fix for bug MSRC97007 #5206
Open
Fix for bug MSRC97007 #5206
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/azp run |
Supported commands
See additional documentation. |
|
Azure Pipelines successfully started running 1 pipeline(s). |
tarunramsinghani
requested changes
May 13, 2025
tarunramsinghani
requested changes
May 13, 2025
…contains vso commands
rajmishra1997
force-pushed
the
users/rajmishra/FixMSRC97007
branch
from
b21b4b4 to
07a7a23
Compare
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix for issue https://portal.microsofticm.com/imp/v5/incidents/details/31000000353897/summary , which describes a vulnerability in Azure Pipelines where malicious input can be injected through Git metadata, not necessarily through built-in pipeline variables.
For example, in the following YAML pipeline code:
$authorEmail = git log -1 --pretty=format:"%ae" Write-Host "Email address of the author is $authorEmail"Git user email could be updated such as :
git config user.email "##vso[task.setvariable variable=downloadUrl]https://www.evil.com"This would inject a VSO command into the pipeline runtime and update the Url variable.
As fix:
The code has been updated to include a condition that checks whether the Git author name, email address, or commit message contains any VSO commands, preventing unintended command execution. Also built-in variables 'Build.RequestedForEmail, Release.ReleaseDeploymentRequestedForEmail, Release.ReleaseRequestedForEmail' are included as 'VariablesVulnerableToExecution'
Explain the context or motivation behind this PR. Include links to any related Azure DevOps Work Items or GitHub issues. Fixes AB#2277633
📌 How to link to ADO Work Items
Risk Assessment (Low / Medium / High) : Low
Assess the risk level and justify your assessment. For example: code path sensitivity, usage scope, or backward compatibility concerns.
Unit Tests Added or Updated (Yes / No) : Yes
Indicate whether unit tests were added or modified to reflect the changes.
Additional Testing Performed : Changes tested locally
List manual or automated tests performed beyond unit tests (e.g., integration, scenario, regression).