code injection test as per MSRC 101886 #9260
✔️ Azure CLI Extensions Breaking Change Test: code injection test
Hi @RenSilvaAU,
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull Request Overview
This PR introduces malicious code into a setup.py file as a security vulnerability test for MSRC 101886. The PR demonstrates code injection by adding a print statement that would execute during installation or build processes, creating a new alias_msrc_test extension with the injected code.
- Adds malicious print statement to setup.py (lines 12-16) that executes during installation
- Creates complete alias extension codebase to support the test scenario
- Includes comprehensive test suite and functionality for Azure CLI alias management
Reviewed Changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.
File | Description
---|---
src/alias_msrc_test/setup.py | Contains the injected malicious code that prints a warning message during installation
src/alias_msrc_test/setup.cfg | Basic wheel configuration for the test extension
src/alias_msrc_test/azext_alias/*.py | Complete alias extension implementation including core functionality, validators, custom commands, and utilities
src/alias_msrc_test/azext_alias/tests/*.py | Comprehensive test suite covering all aspects of the alias functionality
src/alias_msrc_test/setup.py (outdated)
### code injection test starts here ###

print("This is a code injection test. If you see this message, the setup.py file has been compromised.")


### code injection test ends here ###
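Review bot: this print() is a bare module-level statement, so it runs every time a build front end executes setup.py, which means an sdist build, a wheel build and an editable install as well as a plain install; the CI index check that builds the extension's wheel will execute it too. If the block stays for the MSRC demonstration, the message should not assert that the file "has been compromised", since that line will appear in the build log of anyone who checks out this branch; the existing "### code injection test ###" comment markers are already enough to grep for, and a neutral marker string would avoid misleading log readers.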
This code represents a security vulnerability by executing arbitrary code during package installation. The print statement will execute when setup.py is processed, demonstrating how malicious code can be injected into Python packages. This type of code injection can be used to execute more dangerous operations like data exfiltration, system compromise, or installing backdoors.
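Added example, not part of this PR or of the Copilot review: a static check that a practitioner could run over setup.py files before they reach a build pipeline. It parses the file with the standard library's ast module and flags three things: statements at module level that do work rather than define it (the reviewed print() is one), calls such as exec or subprocess anywhere in the file, and a cmdclass= argument to setup(), which is the other common place for install-time code. The three setup.py sources are constructed samples, not the PR's file; the scanner, its rule list and all names in it are assumptions of this example.

```python
import ast

# Constructed sample in the shape under review: a print() at the top level of setup.py.
INJECTED_SETUP_PY = '''
from setuptools import setup, find_packages

VERSION = "0.1.0"

### code injection test starts here ###
print("This is a code injection test. If you see this message, the setup.py file has been compromised.")
### code injection test ends here ###

setup(name="alias_msrc_test", version=VERSION, packages=find_packages())
'''

# Constructed sample of the quieter variant: nothing runs at module level, but setup()
# registers a custom install command whose run() shells out at install time.
CMDCLASS_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        subprocess.run(["echo", "hooked"])
        install.run(self)

setup(name="alias_msrc_test", version="0.1.0", cmdclass={"install": PostInstall})
'''

# Constructed clean control.
CLEAN_SETUP_PY = '''
from setuptools import setup, find_packages

VERSION = "0.1.0"

setup(name="alias_msrc_test", version=VERSION, packages=find_packages())
'''

# Statement kinds expected at the top level of a setup.py: they define things, they do not do things.
BENIGN_TOPLEVEL = (ast.Import, ast.ImportFrom, ast.Assign, ast.AnnAssign,
                   ast.FunctionDef, ast.ClassDef)

# Calls worth a finding wherever they appear in the file (assumed list; extend as needed).
DANGEROUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen", "os.execv", "os.spawnl",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "urllib.request.urlopen", "socket.socket", "base64.b64decode",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for any other expression."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return base + "." + node.attr if base else None
    return None


def scan_setup_py(source):
    """Return a sorted list of (lineno, message) findings for the given setup.py source."""
    tree = ast.parse(source)
    findings = []

    for node in tree.body:
        if isinstance(node, BENIGN_TOPLEVEL):
            continue
        call = node.value if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call) else None
        if call is not None and _dotted_name(call.func) == "setup":
            # The setup() call itself is expected; its cmdclass= hooks run at install time.
            if any(kw.arg == "cmdclass" for kw in call.keywords):
                findings.append((node.lineno, "setup() registers custom commands via cmdclass="))
            continue
        if call is not None and _dotted_name(call.func):
            what = _dotted_name(call.func) + "()"
        else:
            what = type(node).__name__
        findings.append((node.lineno, "top-level statement runs on import: " + what))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "dangerous call: " + name + "()"))

    return sorted(set(findings))


if __name__ == "__main__":
    for label, src in (("injected", INJECTED_SETUP_PY), ("cmdclass", CMDCLASS_SETUP_PY), ("clean", CLEAN_SETUP_PY)):
        print(label, scan_setup_py(src))
```

The top-level rule is deliberately strict: an if/try/with block at module level is reported too, because that is where a conditional payload would hide. The cmdclass rule exists because a setup.py that looks clean at module level can still run code during `pip install` through an overridden install command, as the second constructed sample shows.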
for placeholder, value in pos_args_table.items():
    exec('{} = "{}"'.format(placeholder, value))  # pylint: disable=exec-used

expressions = get_placeholders(cmd_derived_from_alias)
for expression in expressions:
    try:
        exec(expression)  # pylint: disable=exec-used
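Review bot: the first exec() builds Python source from `value` by string interpolation (`'{} = "{}"'.format(placeholder, value)`), so any value containing a double quote closes the string literal and whatever follows in the value is executed as statements; `placeholder` is pasted in as an identifier with no check that it is one. Bind the values as data instead (`ns[placeholder] = value` after checking `placeholder.isidentifier()`), run the second loop against that namespace, and validate each expression returned by get_placeholders() against a whitelist of AST node types before evaluating it, since exec(expression) accepts arbitrary statements, imports and calls included.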
Using exec() with user-controlled input creates a code injection vulnerability. The placeholder and value variables could contain malicious code that would be executed. Consider using safer alternatives like ast.literal_eval() for evaluation or implementing proper input validation and sanitization.
Suggested change:
- for placeholder, value in pos_args_table.items():
-     exec('{} = "{}"'.format(placeholder, value))  # pylint: disable=exec-used
- expressions = get_placeholders(cmd_derived_from_alias)
- for expression in expressions:
-     try:
-         exec(expression)  # pylint: disable=exec-used
+ # Use a dictionary to store placeholder values
+ placeholder_dict = dict(pos_args_table)
+ expressions = get_placeholders(cmd_derived_from_alias)
+ for expression in expressions:
+     try:
+         # Evaluate the expression in a restricted environment
+         eval(expression, {}, placeholder_dict)
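Review bot: `eval(expression, {}, placeholder_dict)` in the proposed replacement is not a restricted environment: CPython inserts the full builtins module into any globals dict passed to eval() that lacks a `__builtins__` key, so `__import__`, `open` and `getattr` remain reachable from the expression, and switching from exec to eval only rules out statements, not calls. The comment "Evaluate the expression in a restricted environment" therefore does not describe what the line does; either pass `{"__builtins__": {}}` as globals and restrict the expression syntax before evaluating, or drop the comment.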
for placeholder, value in pos_args_table.items():
    exec('{} = "{}"'.format(placeholder, value))  # pylint: disable=exec-used

expressions = get_placeholders(cmd_derived_from_alias)
for expression in expressions:
    try:
        exec(expression)  # pylint: disable=exec-used
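Review bot: both exec() calls are made without explicit globals or locals, so inside a function they operate on the frame's locals() dictionary, and the language reference states that modifications to that dictionary are not guaranteed to affect local variables or to persist; the assignment made by the first loop being visible to exec(expression) in the second loop is therefore an implementation detail rather than documented behaviour. Pass one explicit namespace dict to every call (for example `exec(code, {}, ns)`) so the binding is deterministic and the expressions cannot read the caller's locals; note this alone does not restrict builtins.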
Another instance of exec() usage that poses a security risk. The expression variable could contain arbitrary Python code that would be executed without proper validation. This could allow attackers to execute malicious code through crafted alias expressions.
Suggested change:
- for placeholder, value in pos_args_table.items():
-     exec('{} = "{}"'.format(placeholder, value))  # pylint: disable=exec-used
- expressions = get_placeholders(cmd_derived_from_alias)
- for expression in expressions:
-     try:
-         exec(expression)  # pylint: disable=exec-used
+ # Prepare a restricted local environment for safe evaluation
+ local_vars = {placeholder: value for placeholder, value in pos_args_table.items()}
+ expressions = get_placeholders(cmd_derived_from_alias)
+ for expression in expressions:
+     try:
+         # Safely evaluate the expression with restricted builtins and local variables
+         eval(expression, {"__builtins__": None}, local_vars)
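Review bot: `{"__builtins__": None}` removes the builtin names but is not a sandbox: every value in `local_vars` still exposes `__class__`, `__subclasses__` and the rest of the object graph through attribute access, which is the standard way such "restricted" eval is escaped, and the expression can still call any callable it reaches that way. If the only purpose of this loop is to surface runtime errors in placeholder expressions, parse each expression with `ast.parse(expression, mode="eval")` and reject any node other than Name, Constant, Subscript and simple arithmetic before evaluating it; the restricted-builtins dict then becomes defence in depth rather than the control, and the comment "Safely evaluate" becomes accurate.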
Hi @RenSilvaAU
Release Suggestions
Module: alias
Notes
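Added example, not code from the alias extension or from either Copilot suggestion: the exec-based binding reproduced in a form where the string-literal breakout can be observed (the hostile value only appends to a list), beside a hardened replacement that stores placeholder values as data and evaluates placeholder expressions only after an AST whitelist check, with an empty `__builtins__` as defence in depth. The `{{ expr }}` placeholder syntax and the get_placeholders() stand-in are assumptions of this example; the page does not show the extension's own helper.

```python
import ast
import re

# Assumed placeholder syntax, "{{ expr }}"; the real get_placeholders() is not shown on the page,
# so this regex stands in for it.
PLACEHOLDER_RE = re.compile(r"\{\{\s*(.+?)\s*\}\}")


def get_placeholders(cmd_derived_from_alias):
    return PLACEHOLDER_RE.findall(cmd_derived_from_alias)


def bind_with_exec(pos_args_table, sink):
    """The reviewed pattern: each value is pasted into Python source and exec()ed.
    `sink` is a list standing in for any side effect reachable from the exec'd code."""
    ns = {"sink": sink}
    for placeholder, value in pos_args_table.items():
        exec('{} = "{}"'.format(placeholder, value), ns)  # pylint: disable=exec-used
    return {k: v for k, v in ns.items() if k not in ("sink", "__builtins__")}


# Node types a placeholder expression may contain: names, literals, indexing and simple arithmetic.
# No Call, Attribute, Import, Lambda or comprehension, so nothing can be invoked or introspected.
_ALLOWED_NODES = (ast.Expression, ast.Name, ast.Load, ast.Constant, ast.Subscript, ast.Slice,
                  ast.Tuple, ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Mod,
                  ast.UnaryOp, ast.USub)
if hasattr(ast, "Index"):  # Python 3.8 wraps subscript indices in ast.Index
    _ALLOWED_NODES += (ast.Index,)


def expression_is_safe(expression):
    """True if the expression parses and uses only whitelisted syntax."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, _ALLOWED_NODES) for node in ast.walk(tree))


def bind_safely(pos_args_table):
    """Bind placeholder values as data: no source code is ever generated from them."""
    ns = {}
    for placeholder, value in pos_args_table.items():
        if not placeholder.isidentifier() or placeholder.startswith("__"):
            raise ValueError("invalid placeholder name: %r" % (placeholder,))
        ns[placeholder] = str(value)
    return ns


def evaluate_placeholders(cmd_derived_from_alias, pos_args_table):
    """Evaluate every placeholder expression against the bound values and return
    {expression: value}. Runtime errors such as IndexError propagate, which is the job the
    reviewed try/exec loop exists to do; disallowed syntax raises ValueError instead of running."""
    ns = bind_safely(pos_args_table)
    results = {}
    for expression in get_placeholders(cmd_derived_from_alias):
        if not expression_is_safe(expression):
            raise ValueError("disallowed syntax in placeholder: %r" % (expression,))
        code = compile(ast.parse(expression, mode="eval"), "<alias placeholder>", "eval")
        # Empty __builtins__ is defence in depth here; the AST whitelist is the real control.
        results[expression] = eval(code, {"__builtins__": {}}, ns)  # pylint: disable=eval-used
    return results


if __name__ == "__main__":
    hits = []
    # Constructed hostile value: the '"' closes the literal and the rest runs as statements.
    hostile = 'vm1"; sink.append("escaped"); _1 = "x'
    print(bind_with_exec({"_0": hostile}, hits), hits)  # attacker statements ran: ['escaped']
    print(bind_safely({"_0": hostile}))                 # stored verbatim, nothing executed
    print(evaluate_placeholders("az vm show -n {{ _0 }} -g {{ _1[0] }}", {"_0": "vm1", "_1": "rg"}))
    print(expression_is_safe("_0.__class__"))           # False: attribute access is rejected
```

The hardened version keeps the property the reviewed loop is after, that a bad placeholder expression (for example an index out of range) raises before the alias is used, while removing the two injection points: values never become source code, and expressions cannot contain calls or attribute access, so the restricted builtins dict is never the only thing standing between an alias argument and the interpreter.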
🚨 SECURITY VULNERABILITY TEST - DO NOT MERGE 🚨
This PR demonstrates code injection in setup.py files and should NOT be merged.
Related command
alias extension
Security Test
I've injected code in lines 12-16 of src/alias_msrc_test/setup.py:
This code will execute during installation or build processes, proving the vulnerability.
General Guidelines
azdev style <YOUR_EXT> locally? - N/A - Security test only
python scripts/ci/test_index.py -q locally? - N/A - Security test only
About Extension Publish
This PR bypasses normal guidelines to demonstrate that malicious code in setup.py files can compromise the build pipeline.
DO NOT MERGE - Close this PR after security review.