Get-CippCustomScriptAllowedCommand.ps1
33 lines (28 loc) · 1.23 KB
function Get-CippCustomScriptAllowedCommand {
    <#
    .SYNOPSIS
        Single source of truth for the custom-test command allowlist.
    .DESCRIPTION
        Used by both Test-CustomScriptSecurity (static pre-check) and
        New-CippSandboxInitialSessionState (the ConstrainedLanguage runspace) so the
        validator and the sandbox can never drift apart.

        Notes:
        - New-Object is intentionally NOT allowed — it is the primary sandbox-escape
          vector and is blocked by ConstrainedLanguage anyway.
        - Data access is limited to Get-CIPPTestData. The lower-level New-CIPPDbRequest /
          Get-CIPPDbItem are not exposed: the sandbox serves pre-fetched, tenant-locked
          cache data only.
    #>
    [CmdletBinding()]
    param()

    @(
        # Data shaping
        'ForEach-Object', 'Where-Object', 'Select-Object', 'Sort-Object', 'Group-Object',
        'Measure-Object', 'Compare-Object', 'Get-Unique', 'Get-Member', 'Select-String',
        # Conversion / utility
        'ConvertTo-Json', 'ConvertFrom-Json', 'Get-Date', 'Get-Random', 'New-TimeSpan',
        'New-Guid', 'Write-Output',
        # CIPP read-only data access (provided as a CLM-safe proxy in the sandbox)
        'Get-CIPPTestData'
    )
}
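
The description above says the allowlist feeds a static pre-check. As an added example (not CIPP's own Test-CustomScriptSecurity, whose implementation is not shown on this page), one way such a check can consume the list is to parse the script with the PowerShell AST and report every command invocation that is not on it. `Find-DisallowedCommand`, the shortened allowlist and the sample script are hypothetical and constructed for illustration.

```powershell
# Added example: hypothetical helper, not part of the CIPP code base.
function Find-DisallowedCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $ScriptText,
        [Parameter(Mandatory)][string[]] $AllowedCommand
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Fail closed: a script that does not parse is rejected as a whole.
    if ($errors.Count -gt 0) {
        return [pscustomobject]@{ Line = $errors[0].Extent.StartLineNumber; Command = '<parse error>' }
    }

    # Case-insensitive set, because PowerShell command names ignore case.
    $allowed = [System.Collections.Generic.HashSet[string]]::new(
        $AllowedCommand, [System.StringComparer]::OrdinalIgnoreCase)

    # Only command invocations are checked; nested script blocks are searched too.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        # GetCommandName() returns $null when the name is not a constant
        # (for example `& $name`), so it cannot be matched and is reported.
        $name = $cmd.GetCommandName()
        if ($null -eq $name -or -not $allowed.Contains($name)) {
            [pscustomobject]@{
                Line    = $cmd.Extent.StartLineNumber
                Command = if ($null -eq $name) { '<dynamic invocation>' } else { $name }
            }
        }
    }
}

# Constructed sample script and a constructed subset of the allowlist.
$allow  = 'Get-CIPPTestData', 'Where-Object', 'Select-Object', 'ConvertTo-Json'
$sample = @'
$users = Get-CIPPTestData
$users | Where-Object { $_.enabled } | Select-Object -First 5
$o = New-Object System.Text.StringBuilder
& $cmd 'arg'
'@
Find-DisallowedCommand -ScriptText $sample -AllowedCommand $allow
```

The sample is only parsed, never executed. Aliases such as `%` or `select` are reported as well, since the list holds full command names only.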