code injection test as per MSRC 101886
🚨 SECURITY VULNERABILITY TEST - DO NOT MERGE 🚨
This PR demonstrates code injection in setup.py files and should NOT be merged.
Related command
alias extension
Security Test
I've injected code in lines 12-16 of src/alias_msrc_test/setup.py:
```python
### code injection test starts here ###
print("This is a code injection test. If you see this message, the setup.py file has been compromised.")
### code injection test ends here ###
```
This code will execute during installation or build processes, proving the vulnerability.
General Guidelines
- [ ] Have you run azdev style <YOUR_EXT> locally? - N/A - Security test only
- [ ] Have you run python scripts/ci/test_index.py -q locally? - N/A - Security test only
- [ ] My extension version conforms to the Extension version schema - N/A - Security test only
About Extension Publish
This PR bypasses normal guidelines to demonstrate that malicious code in setup.py files can compromise the build pipeline.
DO NOT MERGE - Close this PR after security review.
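As an added example (not part of this PR or of the azure-cli-extensions tooling), a reviewer-side check that parses a changed setup.py with Python's ast module instead of running it, and lists every call outside a small allowlist. The allowlist, the function names and the sample file contents are assumptions made for illustration.

```python
import ast

# Assumption: the only calls a declarative setup.py in this repo needs.
ALLOWED_CALLS = {"setup", "find_packages", "open", "f.read"}

# Constructed sample: a minimal setup.py carrying the injected lines quoted above.
SAMPLE = '''\
from setuptools import setup, find_packages

VERSION = "0.0.1"

with open("README.rst", "r", encoding="utf-8") as f:
    README = f.read()

### code injection test starts here ###
print("This is a code injection test. If you see this message, the setup.py file has been compromised.")
### code injection test ends here ###

setup(name="alias_msrc_test", version=VERSION,
      long_description=README, packages=find_packages())
'''


def call_name(node):
    """Return the dotted name of a call target, or '<dynamic>' if it is computed."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if not isinstance(target, ast.Name):
        return "<dynamic>"
    parts.append(target.id)
    return ".".join(reversed(parts))


def audit_setup_py(source):
    """Parse setup.py text without executing it; return (line, call) pairs to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and call_name(node) not in ALLOWED_CALLS:
            findings.append((node.lineno, call_name(node)))
    return sorted(findings)


if __name__ == "__main__":
    for line, name in audit_setup_py(SAMPLE):
        print(f"setup.py:{line}: unexpected call to {name}() needs manual review")
```

A hit is a prompt for human review rather than a verdict, and the check only covers calls: imported modules and `cmdclass` overrides also run code at build time and need their own review.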
✔️ Azure CLI Extensions Breaking Change Test
✔️ Non Breaking Changes
code injection test
Hi @RenSilvaAU, Please write the description of changes which can be perceived by customers into HISTORY.rst. If you want to release a new extension version, please update the version in setup.py as well.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.
Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). After that please run the following commands to enable git hooks:
```
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Hi @RenSilvaAU
Release Suggestions
Module: alias
- Please log updates into src/alias/HISTORY.rst
Notes
- For more info about extension versioning, please refer to Extension version schema