Conversation

Copilot AI commented Feb 3, 2026

The WACOA collector script had multiple KQL injection vulnerabilities allowing malicious JSON scope files or YAML definitions to execute arbitrary queries against Azure Resource Graph. Additionally, users encountered runtime errors when settings.json was missing the scriptVersion field.

Security Fixes

KQL Injection Prevention

  • Escape single quotes in subscription IDs, resource group names, and resource types before interpolating into KQL queries
  • Add validation functions: Test-SubscriptionId (GUID format), Test-ResourceGroupName (Azure naming rules), Test-ResourceType (Provider.Service/type format)
  • Reject invalid inputs at parse time rather than at query execution

```powershell
# Before: Direct interpolation allowed injection
$scopeConditions += "(SubAccountId == '$($scope.SubscriptionId)')"

# After: Escaped to prevent injection
$escapedSubId = $scope.SubscriptionId -replace "'", "''"
$scopeConditions += "(SubAccountId == '$escapedSubId')"
```

Archive Extraction Path Traversal Protection

  • Extract to staging directory first
  • Validate no entries contain ../ or ..\ patterns
  • Reject malicious archives before copying to final destination

Bug Fixes

Empty CurrentVersion Parameter

  • Handle missing scriptVersion in settings.json with automatic default
  • Add [AllowEmptyString()] attribute and null check in Check-ScriptVersion
  • Auto-repair incomplete settings files

CSV Header Detection

  • Replace hardcoded Skip 11 with dynamic header line detection
  • Warn if no data found after parsing

User Input Normalization

  • Apply .Trim().ToLower() to all Yes/No prompts for consistent behavior

Operational Improvements

  • Add security warnings when downloading scripts from remote URLs
  • Change logging ErrorAction from SilentlyContinue to Continue to surface write failures
  • Add file size validation (minimum 100 bytes) for downloaded scripts
Original prompt

Review the WARA collector script

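The validate-then-escape pattern the description above outlines, as an added example that is not the PR's or the repository's own code. The three Test-* function names come from the PR description; the regexes, the ConvertTo-KqlScopeCondition helper, the resourceGroup/type column names and the sample scope objects are assumptions.

```powershell
function Test-SubscriptionId {
    param([string]$Value)
    # Azure subscription IDs are GUIDs; anything else is rejected
    return $Value -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

function Test-ResourceGroupName {
    param([string]$Value)
    # 1-90 chars of letters, digits, '_', '-', '.', '(' and ')'; may not end with '.'
    return ($Value -match '^[\w\-\.\(\)]{1,90}$') -and (-not $Value.EndsWith('.'))
}

function Test-ResourceType {
    param([string]$Value)
    # Provider.Service/type[/subtype], e.g. Microsoft.Compute/virtualMachines
    return $Value -match '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z][A-Za-z0-9]*)+(/[A-Za-z][A-Za-z0-9]*)+$'
}

function ConvertTo-KqlScopeCondition {
    param([Parameter(Mandatory)][pscustomobject]$Scope)
    # Reject at parse time: a value that fails validation never reaches the query
    if (-not (Test-SubscriptionId $Scope.SubscriptionId)) {
        throw "Invalid SubscriptionId in scope file: '$($Scope.SubscriptionId)'"
    }
    # Defence in depth: escape the single quote even though validation excludes it
    $parts = @("(SubAccountId == '$($Scope.SubscriptionId -replace "'", "''")')")
    if ($Scope.ResourceGroup) {
        if (-not (Test-ResourceGroupName $Scope.ResourceGroup)) {
            throw "Invalid ResourceGroup in scope file: '$($Scope.ResourceGroup)'"
        }
        $parts += "(resourceGroup =~ '$($Scope.ResourceGroup -replace "'", "''")')"
    }
    if ($Scope.ResourceType) {
        if (-not (Test-ResourceType $Scope.ResourceType)) {
            throw "Invalid ResourceType in scope file: '$($Scope.ResourceType)'"
        }
        $parts += "(type =~ '$($Scope.ResourceType -replace "'", "''")')"
    }
    return ($parts -join ' and ')
}

# Constructed sample scopes: one well-formed, one carrying a quote-breaking value
$good = [pscustomobject]@{ SubscriptionId = '11111111-2222-3333-4444-555555555555'
                           ResourceGroup  = 'prod-rg'; ResourceType = 'Microsoft.Compute/virtualMachines' }
$bad  = [pscustomobject]@{ SubscriptionId = "1111' or 1==1"; ResourceGroup = 'prod-rg' }

ConvertTo-KqlScopeCondition $good
try { ConvertTo-KqlScopeCondition $bad } catch { Write-Warning "Scope rejected: $_" }
```

Logging the rejection (as the catch above does) gives operators a detection signal for tampered scope files, rather than a silently empty result set.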
Copilot AI and others added 4 commits February 3, 2026 16:49
Co-authored-by: arthurclares <53261392+arthurclares@users.noreply.github.com>
Co-authored-by: arthurclares <53261392+arthurclares@users.noreply.github.com>
Co-authored-by: arthurclares <53261392+arthurclares@users.noreply.github.com>
…A collector

Co-authored-by: arthurclares <53261392+arthurclares@users.noreply.github.com>
Copilot AI changed the title [WIP] Review WARA collector script for improvements Fix critical KQL injection vulnerabilities and runtime errors in WACOA collector Feb 3, 2026
Labels

  • Needs: Review 👀 (PR that is ready to be reviewed)
  • Skill: DevOps (GitHub setup and automation)
  • Skill: Documentation (Documentation updates)
  • Tool: FinOps guide (Implementing FinOps guide)
