Skip to content

Update runAsimSchemaAndDataTesters.yaml #13353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
v-atulyadav wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Update runAsimSchemaAndDataTesters.yaml #13353

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 42 additions & 64 deletions .github/workflows/runAsimSchemaAndDataTesters.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# The script runs ASIM Schema and Data testers on the "eco-connector-test" workspace.
name: Run ASIM tests on "ASIM-SchemaDataTester-GithubShared" workspace
on:
pull_request:
pull_request_target:
types: [opened, edited, reopened, synchronize, labeled]
branches:
- master
Expand Down Expand Up @@ -66,22 +66,23 @@
if echo "$labels" | grep -q "SafeToRun"; then
log_success "'SafeToRun' label found - checking if re-approval needed"

# Check if this workflow was triggered by new commits (synchronize event)
# SECURITY: Only allow 'labeled' event to pass when SafeToRun exists
# Block ALL other events (synchronize, edited, reopened) to prevent bypass
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security comment states "Block ALL other events (synchronize, edited, reopened)" but the workflow trigger on line 6 still includes these events in the types list. This creates a mismatch between the documented security intent and the actual trigger configuration. If these events should truly be blocked, they should be removed from the trigger types list, or the comment should be clarified to indicate they trigger the workflow but require re-approval.

Suggested change
# Block ALL other events (synchronize, edited, reopened) to prevent bypass
# Other events (synchronize, edited, reopened) still trigger this workflow,
# but are blocked from approval and require re-applying the 'SafeToRun' label

Copilot uses AI. Check for mistakes.
trigger_event="${{ github.event.action }}"
log_info "Workflow triggered by: $trigger_event"

if [ "$trigger_event" = "synchronize" ]; then
log_info "New commits detected on fork PR with existing 'SafeToRun' label"
if [ "$trigger_event" = "labeled" ]; then
log_success "Label approval granted - triggered by adding SafeToRun label"
echo "approved=true" >> $GITHUB_OUTPUT
echo "needs_approval=false" >> $GITHUB_OUTPUT
echo "comment_needed=false" >> $GITHUB_OUTPUT
else
log_info "Event '$trigger_event' detected on fork PR with existing 'SafeToRun' label"
log_info "Maintainer must remove and re-add the 'SafeToRun' label for security"
echo "approved=false" >> $GITHUB_OUTPUT
echo "needs_approval=false" >> $GITHUB_OUTPUT
echo "comment_needed=true" >> $GITHUB_OUTPUT
exit 1
else
log_success "Label approval granted (no new commits)"
echo "approved=true" >> $GITHUB_OUTPUT
echo "needs_approval=false" >> $GITHUB_OUTPUT
echo "comment_needed=false" >> $GITHUB_OUTPUT
fi
else
log_info "'SafeToRun' label not found - approval required"
Expand Down Expand Up @@ -227,17 +228,13 @@
pip install tabulate
- name: Run ASim parsers template validations python script
run: |
filePath=".script/tests/asimParsersTest/VerifyASimParserTemplate.py"
url="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py"
# Check if file exists and delete if it does
if [ -f "$filePath" ]; then
rm -f "$filePath"
fi
# Download the file
echo "Downloading script from the master: $url"
curl -o "$filePath" "$url"
# Execute the script
python "$filePath"
# SECURITY: Execute in isolated environment to prevent import shadowing
echo "Creating isolated execution environment..."
TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT
echo "Downloading script from master to isolated directory..."
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/VerifyASimParserTemplate.py -o "$TMPDIR/script.py"
if [ $? -ne 0 ] || [ ! -s "$TMPDIR/script.py" ]; then
echo "Error: Failed to download VerifyASimParserTemplate.py or file is empty." >&2
exit 1
fi

Copilot uses AI. Check for mistakes.
echo "Executing script with Python isolation flags..."
python -I -s "$TMPDIR/script.py"
Run-ASim-Sample-Data-Ingest:
needs: Run-ASim-TemplateValidation
name: Run ASim Sample Data Ingestion
Expand Down Expand Up @@ -287,18 +284,13 @@
- name: Asim Sample Log Ingestion
id: Ingestlogs
run: |
filePath=".script/tests/asimParsersTest/ingestASimSampleData.py"
url="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py"
# Check if file exists and delete if it does
if [ -f "$filePath" ]; then
rm -f "$filePath"
fi
# Download the file
echo "Downloading script from the master: $url"
curl -o "$filePath" "$url"
chmod +x "$filePath"
# Execute the script
python "$filePath" "${{ github.event.pull_request.number }}"
# SECURITY: Execute in isolated environment to prevent import shadowing
echo "Creating isolated execution environment..."
TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT
echo "Downloading script from master to isolated directory..."
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"
if ! curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ingestASimSampleData.py -o "$TMPDIR/script.py"; then
echo "Error: Failed to download ingestASimSampleData.py from master branch."
exit 1
fi
if [ ! -s "$TMPDIR/script.py" ]; then
echo "Error: Downloaded script is missing or empty: $TMPDIR/script.py"
exit 1
fi

Copilot uses AI. Check for mistakes.
echo "Executing script with Python isolation flags..."
python -I -s "$TMPDIR/script.py" "${{ github.event.pull_request.number }}"
Run-ASim-Schema-Data-tests:
needs: Run-ASim-Sample-Data-Ingest
name: Run ASim Schema and Data tests
Expand Down Expand Up @@ -337,33 +329,23 @@
git merge --abort
exit 1
fi
- name: Run ASIM Schema and Data tests PowerShell script
uses: azure/powershell@v2
with:
inlineScript: |
$filePath = ".script/tests/asimParsersTest/runAsimTesters.ps1"
$url = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1"
# Check if file exists and delete if it does
if (Test-Path $filePath) {
Remove-Item $filePath -Force
}
# Download the runAsimTesters file
Write-Host "Downloading script from the master: $url"
Invoke-WebRequest -Uri $url -OutFile $filePath
# download the convertYamlToObject.ps1 script form master
$filePath_convert_yaml = ".script/tests/asimParsersTest/convertYamlToObject.ps1"
$url_convert_yaml = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1"
# Check if file exists and delete if it does
if (Test-Path $filePath_convert_yaml) {
Remove-Item $filePath_convert_yaml -Force
}
# Download the convertYamlToObject file
Write-Host "Downloading script from the master: $url_convert_yaml"
Invoke-WebRequest -Uri $url_convert_yaml -OutFile $filePath_convert_yaml
# Execute the script
& $filePath
# SECURITY: Execute in isolated environment to prevent code injection
Write-Host "Creating isolated execution environment..."
$tmpDir = New-TemporaryFile | % { Remove-Item $_; New-Item -ItemType Directory -Path $_ }
try {
Write-Host "Downloading scripts from master to isolated directory..."
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1"
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1"
Comment on lines +341 to +342
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PowerShell script downloads two scripts to an isolated directory but doesn't verify that the downloads succeeded before attempting to execute them. If either Invoke-WebRequest fails, the script execution could fail with unclear error messages. Consider adding error checking or using -ErrorAction Stop to ensure download failures are caught properly.

Suggested change
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1"
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1"
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/runAsimTesters.ps1 -OutFile "$tmpDir/script.ps1" -ErrorAction Stop
Invoke-WebRequest https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/convertYamlToObject.ps1 -OutFile "$tmpDir/helper.ps1" -ErrorAction Stop
if (-not (Test-Path "$tmpDir/script.ps1") -or -not (Test-Path "$tmpDir/helper.ps1")) {
throw "Failed to download required ASIM test scripts to isolated directory."
}

Copilot uses AI. Check for mistakes.
Write-Host "Executing script from isolated environment..."
Push-Location $env:GITHUB_WORKSPACE
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PowerShell script execution logic has a critical issue. The script changes the working directory to GITHUB_WORKSPACE using Push-Location, but the scripts being executed (runAsimTesters.ps1 and convertYamlToObject.ps1) are downloaded to a temporary directory. If these scripts need to reference each other or other files using relative paths, they won't be able to find them because they're not in the same directory where the working directory is set. The helper script (convertYamlToObject.ps1) should be in the same directory as the main script for it to be discoverable, but the working directory is changed away from where they're stored.

Suggested change
Push-Location $env:GITHUB_WORKSPACE
Push-Location $tmpDir

Copilot uses AI. Check for mistakes.
& "$tmpDir/script.ps1"
} finally { Pop-Location; Remove-Item $tmpDir -Recurse -Force -EA SilentlyContinue }
azPSVersion: "latest"
Run-ASim-Parser-Filtering-Tests:

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
needs: Run-ASim-Sample-Data-Ingest
name: Run ASim Parser Filtering tests
runs-on: ubuntu-latest
Expand Down Expand Up @@ -409,14 +391,10 @@
allow-no-subscriptions: true
- name: Run ASim parsers filtering tests python script
run: |
filePath=".script/tests/asimParsersTest/ASimFilteringTest.py"
url="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py"
# Check if file exists and delete if it does
if [ -f "$filePath" ]; then
rm -f "$filePath"
fi
# Download the file
echo "Downloading script from the master: $url"
curl -o "$filePath" "$url"
# Execute the script
python "$filePath"
# SECURITY: Execute in isolated environment to prevent import shadowing
echo "Creating isolated execution environment..."
TMPDIR=$(mktemp -d) && trap "rm -rf $TMPDIR" EXIT
echo "Downloading script from master to isolated directory..."
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The curl command uses the -f flag (fail silently on HTTP errors), but if the download fails, the script will still attempt to execute the non-existent or partially downloaded script file. This could lead to cryptic error messages or unexpected behavior. Consider adding explicit error checking after the curl command to verify the download succeeded before proceeding with execution.

Suggested change
curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"
if ! curl -sSf https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/.script/tests/asimParsersTest/ASimFilteringTest.py -o "$TMPDIR/script.py"; then
echo "Error: Failed to download ASimFilteringTest.py from master. Aborting."
exit 1
fi
if [ ! -s "$TMPDIR/script.py" ]; then
echo "Error: Downloaded script file is missing or empty: $TMPDIR/script.py"
exit 1
fi

Copilot uses AI. Check for mistakes.
echo "Executing script with Python isolation flags..."
python -I -s "$TMPDIR/script.py"
Loading