fix(security): harden upload path validation and trigger filter script integrity

[Copilot]

Summary

This addresses two medium-severity audit findings: newline-based VSO logging-command injection via upload safe-output file_path, and unverified scripts.zip delivery for trigger filters. The PR tightens path validation at the shared validator level and adds release checksum verification for the gate evaluator bundle.

• Path validation hardening (upload safe outputs)

  • Reject \n and \r in is_safe_path_segment, which is used by upload path component validation.
  • Add explicit newline/carriage-return rejection in upload-workitem-attachment validation.
  • Add regression tests across:
    • upload-pipeline-artifact
    • upload-build-attachment
    • upload-workitem-attachment
    • shared validator tests in validate.rs

• Trigger filter scripts supply-chain hardening

  • Update trigger filter setup step to download checksums.txt and verify scripts.zip with sha256sum -c -.
  • Restrict extraction to the required file only:
    • unzip -jo scripts.zip gate-eval.py
  • Extend extension tests to assert checksum verification and scoped extraction are present.

curl -fsSL ".../checksums.txt" -o /tmp/ado-aw-scripts/checksums.txt
curl -fsSL ".../scripts.zip"   -o /tmp/ado-aw-scripts/scripts.zip
cd /tmp/ado-aw-scripts && grep "scripts.zip" checksums.txt | sha256sum -c -
cd /tmp/ado-aw-scripts && unzip -jo scripts.zip gate-eval.py

Test plan

• Unit tests were added/updated for newline/carriage-return rejection and trigger-filter setup step content.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• spsprodeus21.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0cznlf/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1gcrj6vw6nwuqtj05xtwy95fb.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0i01kz/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1rfiho3un8q8x6o0bgh17pqtu.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0ojjh8/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1rknjctmryus5j31dx1ektv42.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0oxb15/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.240j6z25xaklgufqezy8qu0ni.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0pz1bg/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.2cp5ph3lj8fi4mip7c7tpotda.0csz81n.rcgu.o 9zr90iqhe9nxn0rm5kc8ln.1wmn5h5.rcgu.o yuxzbv8kivyqxa4c5rx03k.1wmn5h5.rcgu.o 2fdnboyl9sntb9oglwp43h.1wmn5h5.rcgu.o fss034yc3krbkofwljtthm.1wmn5h5.rcgu.o lkkmauvurcrmhoi5o5xq1j.1wmn5h5.rcgu.o i4brrslolypinr9odkx7dz.1wmn5h5.rcgu.o hl6mbs5yodqyo5gmqx8dvq.1wmn5h5.rcgu.o xv2aldjkgquhz0v6nt25fg.1wmn5h5.rcgu.o 4eig2haup2ji5refodkvnq.1wmn5h5.rcgu.o 68z636s6wqiy5gr1gtqaav.1wmn5h5.rcgu.o ms6oewjfh2au0u8cln9pu3.1wmn5h5.rcgu.o nwvyw39e80bjskaef4x5xs.1wmn5h5.rcgu.o 7wia2srj9bmeuwpesnmm6n.1wmn5h5.rcgu.o 2lqnpnljhg3h5ul7gwebcu.1wmn5h5.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc --check-cfg cfg(docsrs,test) --check-cfg targ�� target/debug/dep--error-format=json 769ohanse9kaubwkr9a.1egrrhe.rcgu.o nfhvcqqdj7ss7gp1uh8.1egrrhe.rcgu.o bfqwy8plijt7omphxag.1egrrhe.rcgu.o wpti9yg633jd59jdpot.1egrrhe.rcgu.o sxkdac6vetzzp6punz3.1egrrhe.rcgu.o r3q5v77tamvwsrc7o97.1egrrhe.rcgu.o jn8ar03dnda5kwfhs5i.1egrrhe.rcgu.o veo695su4q5xfu94q1f.1egrrhe.rcgu.o y0xcbydx12w1n24t9hr.1egrrhe.rcgu.o fhozwiwaznju4ss0qp9.1egrrhe.rcgu.o ablc4tqmgibc87e5k2v.1egrrhe.rcgu.o 9rg01gpzhvaakbqxwez.1egrrhe.rcgu.o 2n7uptc6taqtrwwpx5z.1egrrhe.rcgu.o sz4gcidp7m2djqolhzk.1egrrhe.rcgu.o (dns block)
• spsprodweu4.vssps.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0cznlf/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1gcrj6vw6nwuqtj05xtwy95fb.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0i01kz/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1rfiho3un8q8x6o0bgh17pqtu.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0ojjh8/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.1rknjctmryus5j31dx1ektv42.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0oxb15/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.240j6z25xaklgufqezy8qu0ni.0csz81n.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-db9ebe80b9191ab1.0pz1bg/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/compiler_tests-e0799db0c30078b6.2cp5ph3lj8fi4mip7c7tpotda.0csz81n.rcgu.o 9zr90iqhe9nxn0rm5kc8ln.1wmn5h5.rcgu.o yuxzbv8kivyqxa4c5rx03k.1wmn5h5.rcgu.o 2fdnboyl9sntb9oglwp43h.1wmn5h5.rcgu.o fss034yc3krbkofwljtthm.1wmn5h5.rcgu.o lkkmauvurcrmhoi5o5xq1j.1wmn5h5.rcgu.o i4brrslolypinr9odkx7dz.1wmn5h5.rcgu.o hl6mbs5yodqyo5gmqx8dvq.1wmn5h5.rcgu.o xv2aldjkgquhz0v6nt25fg.1wmn5h5.rcgu.o 4eig2haup2ji5refodkvnq.1wmn5h5.rcgu.o 68z636s6wqiy5gr1gtqaav.1wmn5h5.rcgu.o ms6oewjfh2au0u8cln9pu3.1wmn5h5.rcgu.o nwvyw39e80bjskaef4x5xs.1wmn5h5.rcgu.o 7wia2srj9bmeuwpesnmm6n.1wmn5h5.rcgu.o 2lqnpnljhg3h5ul7gwebcu.1wmn5h5.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2ad15f64aad94bdc --check-cfg cfg(docsrs,test) --check-cfg targ�� target/debug/dep--error-format=json 769ohanse9kaubwkr9a.1egrrhe.rcgu.o nfhvcqqdj7ss7gp1uh8.1egrrhe.rcgu.o bfqwy8plijt7omphxag.1egrrhe.rcgu.o wpti9yg633jd59jdpot.1egrrhe.rcgu.o sxkdac6vetzzp6punz3.1egrrhe.rcgu.o r3q5v77tamvwsrc7o97.1egrrhe.rcgu.o jn8ar03dnda5kwfhs5i.1egrrhe.rcgu.o veo695su4q5xfu94q1f.1egrrhe.rcgu.o y0xcbydx12w1n24t9hr.1egrrhe.rcgu.o fhozwiwaznju4ss0qp9.1egrrhe.rcgu.o ablc4tqmgibc87e5k2v.1egrrhe.rcgu.o 9rg01gpzhvaakbqxwez.1egrrhe.rcgu.o 2n7uptc6taqtrwwpx5z.1egrrhe.rcgu.o sz4gcidp7m2djqolhzk.1egrrhe.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)