WI 2048209 (#18744)

* Update BashV3

* Update SshV0

* Update PowerShellV2

* Update sanitization message

* Move back ps exit code message

* Remove backticks from Bash & Ssh tasks

* Add null stdout redirect for safety

* Fix telemetry

* Fix return from sanitizer

* Remove escaping tags from help link

* Bump bash

Author: localconst

Tasks/BashV3/Strings/resources.resjson/en-US/resources.resjson

@@ -25,5 +25,5 @@
   "loc.messages.JS_Stderr": "Bash wrote one or more lines to the standard error stream.",
   "loc.messages.JS_TranslatePathFailed": "Unable to translate the path '%s' to the Linux file system.",
   "loc.messages.JS_BashEnvAlreadyDefined": "The BASH_ENV environment variable has already been set to a '%s', the task will override it with '%s'",
-  "loc.messages.SanitizerOutput": "Sanitizer changed input arguments. Output from sanitizer: '%s'"
+  "loc.messages.ScriptArgsSanitized": "Detected characters in arguments that may not be executed correctly by the shell. Please escape special characters using backslash (\\). More information is available here: https://aka.ms/ado/75787"
 }

Tasks/BashV3/bash.ts

@@ -2,8 +2,9 @@ import fs = require('fs');
 import path = require('path');
 import tl = require('azure-pipelines-task-lib/task');
 import tr = require('azure-pipelines-task-lib/toolrunner');
-import { sanitizeScriptArgs } from 'azure-pipelines-tasks-utility-common/argsSanitizer';
 var uuidV4 = require('uuid/v4');
+import { sanitizeArgs } from 'azure-pipelines-tasks-utility-common/argsSanitizer';
+import { emitTelemetry } from "azure-pipelines-tasks-utility-common/telemetry";
 
 async function runBashPwd(bashPath: string, directoryPath: string): Promise<string> {
     let pwdOutput = '';
@@ -123,18 +124,25 @@ async function run() {
                 telemetry: tl.getBoolFeatureFlag('AZP_75787_ENABLE_COLLECT')
             };
 
-            if (featureFlags.activate || featureFlags.activate || featureFlags.telemetry) {
-                const sanitizedArgs = sanitizeScriptArgs(
+            if (featureFlags.activate || featureFlags.audit || featureFlags.telemetry) {
+                const [sanitizedArgs, telemetry] = sanitizeArgs(
                     input_arguments,
                     {
                         argsSplitSymbols: '\\\\',
-                        warningLocSymbol: 'SanitizerOutput',
-                        telemetryFeature: 'BashV3',
-                        saniziteRegExp: /(?<!\\)([^a-zA-Z0-9\\` _'"\-=\/:\.])/g
+                        saniziteRegExp: new RegExp(`(?<!\\\\)([^a-zA-Z0-9\\\\ _'"\\-=\\/:.])`, 'g')
                     }
                 );
-                if (featureFlags.activate) {
-                    resultArgs = sanitizedArgs;
+                if (sanitizedArgs !== input_arguments) {
+                    if (featureFlags.telemetry && telemetry) {
+                        emitTelemetry('TaskHub', 'BashV3', telemetry);
+                    }
+                    const message = tl.loc('ScriptArgsSanitized');
+                    if (featureFlags.activate) {
+                        throw new Error(message);
+                    }
+                    if (featureFlags.audit) {
+                        tl.warning(message);
+                    }
                 }
             }
 

Tasks/BashV3/package-lock.json

@@ -21,7 +21,7 @@
     "@types/mocha": "^9.1.1",
     "@types/node": "^16.11.39",
     "azure-pipelines-task-lib": "^4.4.0",
-    "azure-pipelines-tasks-utility-common": "^3.225.0",
+    "azure-pipelines-tasks-utility-common": "^3.225.1",
     "uuid": "^3.0.1"
   },
   "devDependencies": {

Tasks/BashV3/package.json

@@ -18,7 +18,7 @@
     "version": {
         "Major": 3,
         "Minor": 226,
-        "Patch": 1
+        "Patch": 2
     },
     "releaseNotes": "Script task consistency. Added support for multiple lines and added support for Windows.",
     "minimumAgentVersion": "2.115.0",
@@ -122,6 +122,6 @@
         "JS_Stderr": "Bash wrote one or more lines to the standard error stream.",
         "JS_TranslatePathFailed": "Unable to translate the path '%s' to the Linux file system.",
         "JS_BashEnvAlreadyDefined": "The BASH_ENV environment variable has already been set to a '%s', the task will override it with '%s'",
-        "SanitizerOutput": "Sanitizer changed input arguments. Output from sanitizer: '%s'"
+        "ScriptArgsSanitized": "Detected characters in arguments that may not be executed correctly by the shell. Please escape special characters using backslash (\\). More information is available here: https://aka.ms/ado/75787"
     }
 }

Tasks/BashV3/task.json

@@ -18,7 +18,7 @@
   "version": {
     "Major": 3,
     "Minor": 226,
-    "Patch": 1
+    "Patch": 2
   },
   "releaseNotes": "ms-resource:loc.releaseNotes",
   "minimumAgentVersion": "2.115.0",
@@ -122,6 +122,6 @@
     "JS_Stderr": "ms-resource:loc.messages.JS_Stderr",
     "JS_TranslatePathFailed": "ms-resource:loc.messages.JS_TranslatePathFailed",
     "JS_BashEnvAlreadyDefined": "ms-resource:loc.messages.JS_BashEnvAlreadyDefined",
-    "SanitizerOutput": "ms-resource:loc.messages.SanitizerOutput"
+    "ScriptArgsSanitized": "ms-resource:loc.messages.ScriptArgsSanitized"
   }
 }

Tasks/BashV3/task.loc.json

@@ -44,12 +44,11 @@
   "loc.messages.JS_InvalidFilePath": "Invalid file path '%s'. A path to a .ps1 file is required.",
   "loc.messages.JS_Stderr": "PowerShell wrote one or more lines to the standard error stream.",
   "loc.messages.JS_InvalidTargetType": "Invalid target type '%s'. The value must be one of: 'filepath' or 'inline'",
-  "loc.messages.JS_SanitizerOutput": "Sanitizer changed input arguments. Output from sanitizer: '%s'",
   "loc.messages.PS_ExitCode": "PowerShell exited with code '{0}'.",
   "loc.messages.PS_FormattedCommand": "Formatted command: {0}",
   "loc.messages.PS_InvalidActionPreference": "Invalid action preference for {0}: '{1}'. The value must be one of: {2}",
   "loc.messages.PS_InvalidFilePath": "Invalid file path '{0}'. A path to a .ps1 file is required.",
   "loc.messages.PS_UnableToDetermineExitCode": "Unexpected exception. Unable to determine the exit code from powershell.",
   "loc.messages.PS_InvalidTargetType": "Invalid target type '{0}'. The value must be one of: 'filepath' or 'inline'",
-  "loc.messages.PS_SanitizerOutput": "Sanitizer changed input arguments. Output from sanitizer: '{0}'"
+  "loc.messages.ScriptArgsSanitized": "Detected characters in arguments that may not be executed correctly by the shell. Please escape special characters using backtick (`). More information is available here: https://aka.ms/ado/75787"
 }

Tasks/PowerShellV2/Strings/resources.resjson/en-US/resources.resjson

@@ -5,37 +5,53 @@ function Publish-Telemetry($Telemetry) {
     Write-Host "##vso[telemetry.publish area=$area;feature=$feature]$telemetryJson"
 }
 
-function Sanitize-FileArguments([string]$InputArgs) {
-
-    $featureFlags = @{
-        audit     = [System.Convert]::ToBoolean($env:AZP_75787_ENABLE_NEW_LOGIC_LOG)
-        activate  = [System.Convert]::ToBoolean($env:AZP_75787_ENABLE_NEW_LOGIC)
-        telemetry = [System.Convert]::ToBoolean($env:AZP_75787_ENABLE_COLLECT)
+function Combine-Matches {
+    param (
+        [Parameter(Mandatory = $true)]
+        [String[]]$Matches
+    )
+
+    $matchesData = @{}
+    foreach ($m in $Matches) {
+        if ($matchesData.ContainsKey($m)) {
+            $matchesData[$m]++
+        }
+        else {
+            $matchesData[$m] = 1
+        }
     }
 
+    return $matchesData
+}
+
+function Sanitize-Arguments([string]$InputArgs) {
     $removedSymbolSign = '_#removed#_';
     $argsSplitSymbols = '``';
+    [string[][]]$matchesChunks = @()
 
     # We're splitting by ``, removing all suspicious characters and then join
     $argsArr = $InputArgs -split $argsSplitSymbols;
+
+    ## '?<!`' - checking if before character no backtick. '^a-zA-Z0-9` _'"-' - checking if character is allowed. Insead replacing to #removed#
+    $regex = '(?<!`)([^a-zA-Z0-9\\` _''"\-=\/:\.])'
     for ($i = 0; $i -lt $argsArr.Length; $i++ ) {
-        ## '?<!`' - checking if before character no backtick. '^a-zA-Z0-9` _'"-' - checking if character is allowed. Insead replacing to #removed#
-        $argsArr[$i] = $argsArr[$i] -replace '(?<!`)([^a-zA-Z0-9\\` _''"\-=\/:\.])', $removedSymbolSign;
+        [string[]]$matches = (Select-String $regex -input $argsArr[$i] -AllMatches) | ForEach-Object { $_.Matches }
+        if ($null -ne $matches ) {
+            $matchesChunks += , $matches;
+            $argsArr[$i] = $argsArr[$i] -replace $regex, $removedSymbolSign;
+        }
     }
 
     $resultArgs = $argsArr -join $argsSplitSymbols;
 
-    if ( $resultArgs -like "*$removedSymbolSign*") {
-
-        if ($featureFlags.audit -or $featureFlags.activate) {
-            Write-Warning (Get-VstsLocString -Key 'PS_SanitizerOutput' -ArgumentList $resultArgs);
-        }
-
-        if ($featureFlags.telemetry) {
-            $removedSymbolsCount = [regex]::matches($resultArgs, $removedSymbolSign).count
-            Publish-Telemetry @{ 'removedSymbolsCount' = $removedSymbolsCount }
+    $telemetry = $null
+    if ( $resultArgs -ne $InputArgs) {
+        $argMatches = $matchesChunks | ForEach-Object { $_ } | Where-Object { $_ -ne $null }
+        $telemetry = @{
+            removedSymbols      = Combine-Matches -Matches $argMatches
+            removedSymbolsCount = $argMatches.Count
         }
     }
 
-    return $resultArgs;
+    return , $resultArgs, $telemetry;
 }

Tasks/PowerShellV2/helpers.ps1

@@ -17,7 +17,7 @@
     "@types/mocha": "^5.2.7",
     "@types/node": "^16.11.39",
     "azure-pipelines-task-lib": "^4.4.0",
-    "azure-pipelines-tasks-utility-common": "^3.225.0",
+    "azure-pipelines-tasks-utility-common": "^3.225.1",
     "uuid": "^3.0.1"
   },
   "devDependencies": {