Update runAsimSchemaAndDataTesters.yaml #13353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft

v-atulyadav wants to merge 1 commit into master from v-atulyadav/asimworkflow

Collaborator

v-atulyadav commented Dec 23, 2025

Required items, please complete

Change(s):

See guidance below

Reason for Change(s):

See guidance below

Version Updated:

Required only for Detections/Analytic Rule templates
See guidance below

Testing Completed:

See guidance below

Checked that the validations are passing and have addressed any issues that are present:

See guidance below

Guidance <- remove section before submitting

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

Updated syntax for XYZ.yaml

Reason for Change(s):

New schema used for XYZ.yaml
Resolves ISSUE Add Logstash required version to Readme file #1234

Version updated:

Yes
Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

Guidance for Detection checks

General contribution guidance

PR validation troubleshooting


          Update runAsimSchemaAndDataTesters.yaml

f9b522c

v-atulyadav assigned v-amolpatil

v-atulyadav added the workflows label

vakohl requested a review from Copilot

December 30, 2025 04:27

Copilot started reviewing on behalf of vakohl

December 30, 2025 04:30

Copilot AI reviewed

View reviewed changes

Contributor

Copilot AI left a comment

Pull request overview

This PR enhances the security of the ASIM testing workflow by implementing several critical security controls to protect against malicious code execution from forked pull requests.

Key changes:

Switched from pull_request to pull_request_target trigger with stricter SafeToRun label approval logic
Inverted the approval logic to only allow execution on the labeled event, requiring re-approval for any code changes
Implemented isolated execution environments for all downloaded Python and PowerShell scripts to prevent import shadowing and code injection attacks

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/runAsimSchemaAndDataTesters.yaml

    
                        echo "Creating isolated execution environment..."

                        TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT

                        echo "Downloading script from master to isolated directory..."

                        curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"

Copilot AI Dec 30, 2025

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change

      
                      curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"
          
                      if ! curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"; then
          
                        echo "Error: Failed to download ASimFilteringTest.py from master. Aborting."
          
                        exit 1
          
                      fi
          
                      if [ ! -s "$TMPDIR/script.py" ]; then
          
                        echo "Error: Downloaded script file is missing or empty: $TMPDIR/script.py"
          
                        exit 1
          
                      fi

Copilot uses AI. Check for mistakes.

.github/workflows/runAsimSchemaAndDataTesters.yaml

Comment on lines +341 to +342

    
                            Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1"

                            Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1"

Copilot AI Dec 30, 2025

The PowerShell script downloads two scripts to an isolated directory but doesn't verify that the downloads succeeded before attempting to execute them. If either Invoke-WebRequest fails, the script execution could fail with unclear error messages. Consider adding error checking or using -ErrorAction Stop to ensure download failures are caught properly.

Suggested change

      
                          Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1"
          
                          Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1"
          
                          Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1" -ErrorAction Stop
          
                          Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1" -ErrorAction Stop
          
                          if (-not (Test-Path "$tmpDir/script.ps1") -or -not (Test-Path "$tmpDir/helper.ps1")) {
          
                            throw "Failed to download required ASIM test scripts to isolated directory."
          
                          }

Copilot uses AI. Check for mistakes.

.github/workflows/runAsimSchemaAndDataTesters.yaml

    
                            # Check if this workflow was triggered by new commits (synchronize event)

                            # SECURITY: Only allow 'labeled' event to pass when SafeToRun exists

                            # Block ALL other events (synchronize, edited, reopened) to prevent bypass

Copilot AI Dec 30, 2025

The security comment states "Block ALL other events (synchronize, edited, reopened)" but the workflow trigger on line 6 still includes these events in the types list. This creates a mismatch between the documented security intent and the actual trigger configuration. If these events should truly be blocked, they should be removed from the trigger types list, or the comment should be clarified to indicate they trigger the workflow but require re-approval.

Suggested change

      
                          # Block ALL other events (synchronize, edited, reopened) to prevent bypass
          
                          # Other events (synchronize, edited, reopened) still trigger this workflow,
          
                          # but are blocked from approval and require re-applying the 'SafeToRun' label

Copilot uses AI. Check for mistakes.

.github/workflows/runAsimSchemaAndDataTesters.yaml

    
                            Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1"

                            Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1"

                            Write-Host "Executing script from isolated environment..."

                            Push-Location $env:GITHUB_WORKSPACE

Copilot AI Dec 30, 2025

The PowerShell script execution logic has a critical issue. The script changes the working directory to GITHUB_WORKSPACE using Push-Location, but the scripts being executed (runAsimTesters.ps1 and convertYamlToObject.ps1) are downloaded to a temporary directory. If these scripts need to reference each other or other files using relative paths, they won't be able to find them because they're not in the same directory where the working directory is set. The helper script (convertYamlToObject.ps1) should be in the same directory as the main script for it to be discoverable, but the working directory is changed away from where they're stored.

Suggested change

      
                          Push-Location $env:GITHUB_WORKSPACE
          
                          Push-Location $tmpDir

Copilot uses AI. Check for mistakes.

.github/workflows/runAsimSchemaAndDataTesters.yaml

    
                            echo "Creating isolated execution environment..."

                            TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT

                            echo "Downloading script from master to isolated directory..."

                            curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"

Copilot AI Dec 30, 2025

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change

      
                          curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"
          
                          curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"
          
                          if [ $? -ne 0 ] || [ ! -s "$TMPDIR/script.py" ]; then
          
                            echo "Error: Failed to download VerifyASimParserTemplate.py or file is empty." >&2
          
                            exit 1
          
                          fi

Copilot uses AI. Check for mistakes.

.github/workflows/runAsimSchemaAndDataTesters.yaml

    
                            echo "Creating isolated execution environment..."

                            TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT

                            echo "Downloading script from master to isolated directory..."

                            curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"

Copilot AI Dec 30, 2025

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change

      
                          curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"
          
                          if ! curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"; then
          
                            echo "Error: Failed to download ingestASimSampleData.py from master branch."
          
                            exit 1
          
                          fi
          
                          if [ ! -s "$TMPDIR/script.py" ]; then
          
                            echo "Error: Downloaded script is missing or empty: $TMPDIR/script.py"
          
                            exit 1
          
                          fi

Copilot uses AI. Check for mistakes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels