Update PowerShellV2 sanitize regexp (#19053)

* Add \n to allowed symbols

* Bump task to 2.229.2

* Separate test suites

* Fix naming

* Update regex

* Update regex for node version

* Exclude A-Z from regex

* Use \w instead of a-z0-9

* Revert msbuildV1 changes

* bump task version

Author: localconst

BuildConfigGen/Program.cs

@@ -570,7 +570,7 @@ private static void UpdateVersions(string gitRootPath, string task, string taskT
 
                 if (inputVersion <= maxVersion && !defaultVersionMatchesSourceVersion)
                 {
-                    throw new Exception($"inputVersion={inputVersion} version specified in task taskTarget={taskTarget} must not be less or equal to maxversion maxVersion={maxVersion} specified in versionMapFile{versionMapFile}, or must match defaultVersion={defaultVersion} in {versionMapFile}");
+                    throw new Exception($"inputVersion={inputVersion} version specified in task taskTarget={taskTarget} must not be less or equal to maxversion maxVersion={maxVersion} specified in versionMapFile {versionMapFile}, or must match defaultVersion={defaultVersion} in {versionMapFile}");
                 }
             }
 

Tasks/PowerShellV2/Tests/L0ValidateFileArgs.ts

@@ -22,7 +22,17 @@ export const runValidateFileArgsTests = () => {
         ],
         [
             "Accepts allowed symbols",
-            "a A 1 \\ ` _ ' \" - = / : . * , + ~ ? %", ["AZP_75787_ENABLE_NEW_LOGIC=true"]
+            "a A z Z 1 \\ ` _ ' \" - = / : . * , + ~ ? % \n #", ["AZP_75787_ENABLE_NEW_LOGIC=true"]
+        ],
+        [
+            "Paths check",
+            "D:\\my\\path d/my/path",
+            ["AZP_75787_ENABLE_NEW_LOGIC=true"]
+        ],
+        [
+            "Accepts $true and $false",
+            "$TrUe $true $fAlsE $false",
+            ["AZP_75787_ENABLE_NEW_LOGIC=true"]
         ]
     ];
 

Tasks/PowerShellV2/Tests/powershellImpl/L0.ts

@@ -25,8 +25,12 @@ export function testPowerShellImpl() {
             psr.run(path.join(__dirname, 'L0Expand-EnvVariables.ps1'), done);
         })
 
-        it('Run of L0Test-FileArgs tests suite.', (done) => {
-            psr.run(path.join(__dirname, 'L0Test-FileArgs.ps1'), done);
+        it('Run of L0Test-FileArgs.Passes tests suite.', (done) => {
+            psr.run(path.join(__dirname, 'L0Test-FileArgs.Passes.ps1'), done);
+        })
+
+        it('Run of L0Test-FileArgs.Fails tests suite.', (done) => {
+            psr.run(path.join(__dirname, 'L0Test-FileArgs.Fails.ps1'), done);
         })
     }
 }

Tasks/PowerShellV2/Tests/powershellImpl/L0Test-FileArgs.Fails.ps1

@@ -0,0 +1,50 @@
+[CmdletBinding()]
+param()
+
+. $PSScriptRoot\..\..\..\..\Tests\lib\Initialize-Test.ps1
+. $PSScriptRoot\..\..\helpers.ps1
+
+$failTestSuites = @(
+    @{
+        Name      = 'If dangerous symbols are present, and FF is on'
+        Input     = 'test; whoami'
+        Variables = @('AZP_75787_ENABLE_NEW_LOGIC=true')
+    },
+    @{
+        Name      = 'If inside args line is env variable with dangerous symbols'
+        Input     = 'test $env:VAR1 test'
+        Variables = @('VAR1=12;3', 'AZP_75787_ENABLE_NEW_LOGIC=true')
+    },
+    @{
+        Name      = 'If inside args line not correct env syntax'
+        Input     = 'test $venv:VAR1 test'
+        Variables = @('VAR1=123', 'AZP_75787_ENABLE_NEW_LOGIC=true')
+    }
+)
+foreach ($test in $failTestSuites) {
+    $test.Variables | ForEach-Object {
+        $name, $value = $_.Split('=')
+        if ($value) {
+            Set-Item -Path env:$name -Value $value
+        }
+        else {
+            Remove-Item env:$name -ErrorAction SilentlyContinue
+        }
+    }
+
+    try {
+        $msg = Get-VstsLocString -Key 'ScriptArgsSanitized'
+        Assert-Throws {
+            Test-FileArgs $test.Input
+        } -MessagePattern $msg
+    }
+    catch {
+        throw "Error occured in '$($test.Name)' suite: $($_.Exception.Message)"
+    }
+    finally {
+        $test.Variables | ForEach-Object {
+            $name, $value = $_.Split('=')
+            Remove-Item env:$name -ErrorAction SilentlyContinue
+        }
+    }
+}

Tasks/PowerShellV2/Tests/powershellImpl/L0Test-FileArgs.ps1 renamed to Tasks/PowerShellV2/Tests/powershellImpl/L0Test-FileArgs.Passes.ps1

@@ -4,7 +4,7 @@ param()
 . $PSScriptRoot\..\..\..\..\Tests\lib\Initialize-Test.ps1
 . $PSScriptRoot\..\..\helpers.ps1
 
-$notThrowTestSuites = @(
+$passTestSuites = @(
     @{
         Name      = 'Handles empty line'
         Input     = ''
@@ -27,53 +27,21 @@ $notThrowTestSuites = @(
     },
     @{
         Name      = 'Accepts allowed symbols'
-        Input     = 'a A 1 \ ` _ '' " - = / : . * , + ~ ? %'
-        Variables = @('AZP_75787_ENABLE_NEW_LOGIC=true')
-    }
-)
-foreach ($test in $notThrowTestSuites) {
-    $test.Variables | ForEach-Object {
-        $name, $value = $_.Split('=')
-        if ($value) {
-            Set-Item -Path env:$name -Value $value
-        }
-        else {
-            Remove-Item env:$name -ErrorAction SilentlyContinue
-        }
-    }
-
-    try {
-        Test-FileArgs $test.Input
-    }
-    catch {
-        throw "Error occured in '$($test.Name)' suite: $($_.Exception.Message)"
-    }
-    finally {
-        $test.Variables | ForEach-Object {
-            $name, $value = $_.Split('=')
-            Remove-Item env:$name -ErrorAction SilentlyContinue
-        }
-    }
-}
-
-$throwTestSuites = @(
-    @{
-        Name      = 'If dangerous symbols are present, and FF is on'
-        Input     = 'test; whoami'
+        Input     = "a A z Z 1 \ ` _ ' `" - = / : . * , + ~ ? % `n #"
         Variables = @('AZP_75787_ENABLE_NEW_LOGIC=true')
     },
     @{
-        Name      = 'If inside args line is env variable with dangerous symbols'
-        Input     = 'test $env:VAR1 test'
-        Variables = @('VAR1=12;3', 'AZP_75787_ENABLE_NEW_LOGIC=true')
+        Name      = 'Paths check'
+        Input     = 'D:\my\path d/my/path'
+        Variables = @('AZP_75787_ENABLE_NEW_LOGIC=true')
     },
     @{
-        Name      = 'If inside args line not correct env syntax'
-        Input     = 'test $venv:VAR1 test'
-        Variables = @('VAR1=123', 'AZP_75787_ENABLE_NEW_LOGIC=true')
+        Name      = 'Accepts $true and $false'
+        Input     = '$TrUe $true $fAlsE $false'
+        Variables = @('AZP_75787_ENABLE_NEW_LOGIC=true')
     }
 )
-foreach ($test in $throwTestSuites) {
+foreach ($test in $passTestSuites) {
     $test.Variables | ForEach-Object {
         $name, $value = $_.Split('=')
         if ($value) {
@@ -85,10 +53,7 @@ foreach ($test in $throwTestSuites) {
     }
 
     try {
-        $msg = Get-VstsLocString -Key 'ScriptArgsSanitized'
-        Assert-Throws {
-            Test-FileArgs $test.Input
-        } -MessagePattern $msg
+        Test-FileArgs $test.Input
     }
     catch {
         throw "Error occured in '$($test.Name)' suite: $($_.Exception.Message)"
@@ -100,3 +65,4 @@ foreach ($test in $throwTestSuites) {
         }
     }
 }
+

Tasks/PowerShellV2/helpers.ps1

@@ -32,8 +32,10 @@ function Sanitize-Arguments([string]$InputArgs) {
     # We're splitting by ``, removing all suspicious characters and then join
     $argsArr = $InputArgs -split $argsSplitSymbols;
 
-    ## '?<!`' - checking if before character no backtick. '^a-zA-Z0-9` _'"-=\/:\.*,+~?' - checking if character is allowed. Insead replacing to #removed#
-    $regex = '(?<!`)([^a-zA-Z0-9\\` _''"\-=\/:\.*,+~?%])'
+    ## PowerShell Regex is case insensitive by default, so we don't need to specify a-zA-Z.
+    ## ('?<!`') - checking if before character no backtick.
+    ## ([^\w` _'"-=\/:\.*,+~?%\n#]) - checking if character is allowed. Insead replacing to #removed#
+    $regex = '(?<!`)([^\w\\` _''"\-=\/:\.*,+~?%\n#])(?!true|false)'
     for ($i = 0; $i -lt $argsArr.Length; $i++ ) {
         [string[]]$matches = (Select-String $regex -input $argsArr[$i] -AllMatches) | ForEach-Object { $_.Matches }
         if ($null -ne $matches ) {

Tasks/PowerShellV2/helpers.ts

@@ -180,7 +180,7 @@ export function validateFileArgs(inputArguments: string): void {
             expandedArgs,
             {
                 argsSplitSymbols: '``',
-                saniziteRegExp: new RegExp('(?<!`)([^a-zA-Z0-9\\\\` _\'"\\-=\\/:\\.*,+~?%])', 'g')
+                saniziteRegExp: new RegExp('(?<!`)([^\\w\\\\` _\'"\\-=\\/:\\.*,+~?%\\n#])(?!true|false)', 'ig')
             }
         );
         if (sanitizedArgs !== inputArguments) {

Tasks/PowerShellV2/task.json

@@ -17,8 +17,8 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 2,
-        "Minor": 229,
-        "Patch": 4
+        "Minor": 230,
+        "Patch": 0
     },
     "releaseNotes": "Script task consistency. Added support for macOS and Linux.",
     "minimumAgentVersion": "2.115.0",

Tasks/PowerShellV2/task.loc.json

@@ -17,8 +17,8 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 2,
-    "Minor": 229,
-    "Patch": 4
+    "Minor": 230,
+    "Patch": 0
   },
   "releaseNotes": "ms-resource:loc.releaseNotes",
   "minimumAgentVersion": "2.115.0",

_generated/PowerShellV2.versionmap.txt

@@ -1,2 +1,2 @@
-Default|2.229.4
-Node20-225|2.229.5
+Default|2.230.0
+Node20-225|2.230.1