Skip to content

Replaced Invoke-Expression with Parser #29056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dunnryan wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Replaced Invoke-Expression with Parser #29056

dunnryan wants to merge 4 commits into from
+244 −9

Conversation

@dunnryan
Copy link
Contributor

@dunnryan dunnryan commented Jan 14, 2026
edited
Loading

Description

We were instructed to remove our usage of 'Invoke-Expression' because it is a security vulnerability. It has been replaced by a PowerShell AST parser that can robustly handle any valid Metadata input. I also added some tests to validate this helper function.

Mandatory Checklist

  • SHOULD update ChangeLog.md file(s) appropriately
    • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
      • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
    • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
  • SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
  • SHOULD have proper test coverage for changes in pull request.
  • SHOULD NOT adjust version of module manually in pull request

Copilot AI review requested due to automatic review settings January 14, 2026 19:11
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jan 14, 2026

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request addresses a security vulnerability by replacing the use of Invoke-Expression with a PowerShell AST (Abstract Syntax Tree) parser for safely parsing metadata parameters in Policy cmdlets.

Changes:

  • Replaced Invoke-Expression with AST-based parsing to eliminate security risks
  • Added two new helper functions: Convert-AstLiteral and ConvertTo-HashtableSafely to safely parse PowerShell hashtable literals
  • Added comprehensive test suite for the new parsing functionality

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.

File Description
src/Resources/Policy.Autorest/custom/Helpers.ps1 Added AST parser implementation with recursive literal conversion and safe hashtable parsing; replaced Invoke-Expression call with ConvertTo-HashtableSafely function
src/Resources/Policy.Autorest/test/ResolvePolicyMetadataParameter.Tests.ps1 Added new test file with test cases for simple and complex hashtable parsing, JSON parsing, file content parsing, and error handling
Comments suppressed due to low confidence (1)

src/Resources/Policy.Autorest/custom/Helpers.ps1:577

  • The parameter is declared as $MetadataValue (line 550) with Pascal case, but it is referenced as $metadataValue with camel case throughout the function body (lines 554, 558, 562, 577). While PowerShell is case-insensitive for variable names, using inconsistent casing reduces code readability and maintainability. Use consistent casing throughout the function.
        $MetadataValue,
        [bool]$Debug = $false
    )

    if ($metadataValue -is [hashtable]) {
        return $metadataValue
    }

    if ([System.String]::IsNullOrEmpty($metadataValue)) {
        return $metadataValue
    }

    $metadata = (GetFileUriOrStringParameterValue $metadataValue).Trim()
    if ($debug) {
        Write-Host -ForegroundColor Cyan Metadata: $metadata
    }

    if ($metadata -like '@{*') {
        # probably a PSCustomObject, try converting to hashtable
        return ConvertTo-HashtableSafely $metadata
    }

    # otherwise it should be a JSON string
    if ($metadata -like '{*}') {
        return $metadata | ConvertFrom-JsonSafe -AsHashtable
    }

    throw "Unrecognized metadata format - value: [$($metadataValue)], type: [$($metadataValue.GetType())]"

@isra-fel
Copy link
Member

isra-fel commented Jan 14, 2026

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Jan 14, 2026

Azure Pipelines successfully started running 3 pipeline(s).

@isra-fel
Copy link
Member

isra-fel commented Jan 14, 2026

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Jan 14, 2026

Azure Pipelines successfully started running 3 pipeline(s).

vidai-msft
vidai-msft requested changes Jan 15, 2026
View reviewed changes
Copy link
Contributor

@vidai-msft vidai-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the ChangeLog.md and fix the test errors.

@github-actions
Copy link

github-actions bot commented Jan 15, 2026

This PR was labeled "needs-revision" because it has unresolved review comments or CI failures.
Please resolve all open review comments and make sure all CI checks are green. Refer to our guide to troubleshoot common CI failures.

Copilot AI review requested due to automatic review settings January 16, 2026 00:02
Copilot AI reviewed Jan 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

@isra-fel
Copy link
Member

isra-fel commented Jan 16, 2026

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Jan 16, 2026

Azure Pipelines successfully started running 3 pipeline(s).

@isra-fel
Copy link
Member

isra-fel commented Jan 16, 2026

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Jan 16, 2026

Azure Pipelines successfully started running 3 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@vidai-msft vidai-msft vidai-msft requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

needs-revision

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dunnryan @isra-fel @vidai-msft