Fix vso commands execution in vulnerable variables #3987

KonstantinTyukalov · 2022-10-10T22:41:43Z

Description:
*.DefinitionName and *.SourceVersionMessage may contain vso commands which will be executed if it will be specified in script as output
We want to prevent this behavior by deactivating commands in this variables

Changelog:

Added DeactivateVsoCommands util which disables all vso commands in line
Added Scrubbing of vso commands from job message variables which may be echoed in customer's pipelines
Added unit tests

…exec

src/Agent.Worker/Variables.cs

src/Test/L0/Worker/WorkerL0.cs

…exec

KonstantinTyukalov · 2022-10-27T08:21:15Z

not added trace events to debug potential problems, will do

…-agent into users/KonstantinTyukalov/Fix_vso_commands_exec

KonstantinTyukalov added 5 commits October 10, 2022 20:14

Add util for scrubbing of vso commands from line

d7f0d75

Reuse scrubbing util in process invoker

8050cc2

Add list with vulnerable variables

e1d2ce5

Scrub vso commands from variables in job message

2df8f5f

Update vso command regex

18e72ff

KonstantinTyukalov added the bug label Oct 13, 2022

KonstantinTyukalov added 7 commits October 13, 2022 22:04

Add ScrubVsoCommandsFromString test

5a01235

Add message variables to constants

113fa9c

Replace strings to constants in list

2b0e671

Move ScrubVsoCommandsFromJobMessageVariables to WorkerUtilities

94ef8a0

Add case ignore comparer

0121f38

Add worker tests

757c3c5

Add new constants to ReadOnly list

bcdb20e

KonstantinTyukalov marked this pull request as ready for review October 14, 2022 16:03

KonstantinTyukalov requested review from a team as code owners October 14, 2022 16:03

Merge branch 'master' into users/KonstantinTyukalov/Fix_vso_commands_…

f7cc79f

…exec

Roman-Shchukin reviewed Oct 17, 2022

View reviewed changes

src/Agent.Worker/Variables.cs Outdated Show resolved Hide resolved

src/Test/L0/Worker/WorkerL0.cs Show resolved Hide resolved

Fixed review points

e5f4e07

Roman-Shchukin approved these changes Oct 17, 2022

View reviewed changes

vmapetr approved these changes Oct 17, 2022

View reviewed changes

KonstantinTyukalov and others added 3 commits October 18, 2022 18:34

Merge branch 'master' into users/KonstantinTyukalov/Fix_vso_commands_…

862da67

…exec

Add new test case

32c6ade

Rename Scrub -> Deactivate

c60a449

kirill-ivlev approved these changes Oct 20, 2022

View reviewed changes

Merge branch 'master' into users/KonstantinTyukalov/Fix_vso_commands_…

84518ab

…exec

max-zaytsev approved these changes Oct 25, 2022

View reviewed changes

KonstantinTyukalov self-assigned this Oct 27, 2022

wojgasior approved these changes Oct 27, 2022

View reviewed changes

KonstantinTyukalov added 2 commits October 27, 2022 15:25

Merge branch 'master' of https://github.com/microsoft/azure-pipelines…

91ddb65

…-agent into users/KonstantinTyukalov/Fix_vso_commands_exec

Add trace info about vso commands deactivation

d793a44

KonstantinTyukalov merged commit 65ee7d9 into master Oct 27, 2022

This was referenced Nov 10, 2022

Add release variables for vso commands deactivating dictionary #4048

Merged

Add null & empty check for DeactivateVsoCommands #4053

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix vso commands execution in vulnerable variables #3987

Fix vso commands execution in vulnerable variables #3987

KonstantinTyukalov commented Oct 10, 2022 •

edited

KonstantinTyukalov commented Oct 27, 2022

Fix vso commands execution in vulnerable variables #3987

Fix vso commands execution in vulnerable variables #3987

Conversation

KonstantinTyukalov commented Oct 10, 2022 • edited

KonstantinTyukalov commented Oct 27, 2022

KonstantinTyukalov commented Oct 10, 2022 •

edited