Update Enable shell tasks arguments validation task list#14371
Open
wawanawna wants to merge 3 commits into
Open
Update Enable shell tasks arguments validation task list#14371wawanawna wants to merge 3 commits into
wawanawna wants to merge 3 commits into
Conversation
The section was last refreshed in September 2023 (commit 6cab6dc) when the original sanitizer shipped for PowerShell, Bash, Ssh, AzureFileCopy, and WindowsMachineFileCopy. Four subsequent retrofit PRs in microsoft/azure- pipelines-tasks added sanitization to additional task families but the docs were never updated: - microsoft/azure-pipelines-tasks#21947 (2026-04-16): SqlAzureDacpacDeployment, SqlDacpacDeploymentOnMachineGroup - microsoft/azure-pipelines-tasks#21968 (2026-04-15): PowerShellOnTargetMachines - microsoft/azure-pipelines-tasks#22066 (2026-04-28): AzureCLI v2/v3 - microsoft/azure-pipelines-tasks#22163 (in flight, MSRC 115118): AzurePowerShell v2-v5, ServiceFabricPowerShell v1 Also adds a note about the dual-gate model used by the post-2023 retrofits: the org-level setting now requires a per-task pipeline-level feature flag to be on as well, which Microsoft rolls out gradually to avoid regressing pipelines that opted in early. Task versions in the list reflect the actual on-disk task.json versions in the azure-pipelines-tasks repo as of today. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
9 tasks
Per review feedback - task version numbers and the internal per-task feature-flag mechanism are Microsoft implementation details that don't belong in the customer-facing docs. The page only needs the list of task families that participate in the validation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
Contributor
There was a problem hiding this comment.
Pull request overview
Refreshes the documentation for the Enable shell tasks arguments validation setting in Azure Pipelines by updating the referenced task-family list to reflect the expanded sanitizer coverage.
Changes:
- Updates
ms.dateto 05/12/2026. - Extends the bulleted list of task families covered by the setting to include six additional task families.
- Normalizes minor list formatting (removes trailing whitespace on existing bullets).
Comment on lines
+122
to
+124
| Applying the **Enable shell tasks arguments validation** setting validates `argument` parameters for built-in shell tasks to check for inputs that can inject commands into scripts. The check ensures that the shell correctly executes characters like semicolons, quotes, and parentheses in the following pipeline tasks: | ||
|
|
||
| - PowerShell | ||
| - PowerShell |
Author
There was a problem hiding this comment.
Fixed in 68bc6e3 — changed argument to arguments (plural) on line 122 so it matches the surrounding text and the actual task input name.
nemanjarogic
approved these changes
May 13, 2026
Addresses PR review feedback: the surrounding text and the actual task input are both named 'arguments', so the singular 'argument' on line 122 was an internal inconsistency. Now reads 'validates `arguments` parameters' matching the previous sentence's `arguments` reference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
4 tasks
9 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Refreshes the Enable shell tasks arguments validation task list under Securely use pipeline variables and parameters.
The list was last updated in September 2023 (commit 6cab6dc by @merlynomsft) when the original sanitizer shipped for
PowerShell,Bash,Ssh,AzureFileCopy, andWindowsMachineFileCopy. Since then the sanitizer was extended inmicrosoft/azure-pipelines-tasksto six additional task families but the docs were never updated:PowerShellOnTargetMachinesSqlAzureDacpacDeploymentSqlDacpacDeploymentOnMachineGroupAzureCLIAzurePowerShellServiceFabricPowerShellChanges
The six task family names above are appended to the existing bulleted list. No other changes, no version annotations, no implementation detail. Style matches the original 2023 entries.