fix: block template marker delimiters in front matter identity fields (#315)

Copilot · jamesadevine · web-flow · commit 2575246ef14b · 2026-04-24T11:41:12.000+01:00
* Initial plan * fix: reject template marker delimiters in front matter identity fields Block `{{` in name, description, and trigger fields to prevent second-order template injection where a value like `{{ agent_content }}` would be expanded by a later replacement pass, allowing arbitrary YAML injection into the generated pipeline. Closes #302 Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/91f10480-fd27-4ac7-9105-cbea31200461 Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com> * fix: correct brace escaping in template marker error message Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/91f10480-fd27-4ac7-9105-cbea31200461 Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com> * fix: add pipeline command check and include offending value in error messages Address rust-review feedback: - Add missing contains_pipeline_command() check to reject_pipeline_injection() to match the docstring's claim of ##vso[/##[ protection - Include Found: '{}' in template marker error for debuggability - Add test cases for pipeline command rejection Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/6b4b1bb0-b925-4b27-a00c-d0f4e576b263 Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
diff --git a/src/compile/common.rs b/src/compile/common.rs
@@ -137,8 +137,9 @@ pub fn generate_parameters(parameters: &[PipelineParameter]) -> Result<String> {
 /// Validate front matter `name` and `description` fields.
 ///
 /// These values are substituted directly into the pipeline YAML template and must not
-/// contain ADO expressions (`${{`, `$(`, `$[`) which could disclose secrets or manipulate
-/// pipeline logic. Newlines are also rejected to prevent YAML structure injection.
+/// contain ADO expressions (`${{`, `$(`, `$[`), the compiler's own template marker
+/// delimiter (`{{`), or newlines — any of which could disclose secrets or manipulate
+/// pipeline logic via second-order injection.
 pub fn validate_front_matter_identity(front_matter: &FrontMatter) -> Result<()> {
     for (field, value) in [("name", &front_matter.name), ("description", &front_matter.description)] {
         validate::reject_pipeline_injection(value, field)?;
@@ -3146,6 +3147,24 @@ mod tests {
         assert!(result.unwrap_err().to_string().contains("single line"));
     }
 
+    #[test]
+    fn test_validate_front_matter_identity_rejects_template_marker_in_name() {
+        let mut fm = minimal_front_matter();
+        fm.name = "{{ agent_content }}".to_string();
+        let result = validate_front_matter_identity(&fm);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("template marker"));
+    }
+
+    #[test]
+    fn test_validate_front_matter_identity_rejects_template_marker_in_description() {
+        let mut fm = minimal_front_matter();
+        fm.description = "{{ copilot_params }}".to_string();
+        let result = validate_front_matter_identity(&fm);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().to_string().contains("template marker"));
+    }
+
     #[test]
     fn test_validate_front_matter_identity_rejects_newline_in_trigger_pipeline_name() {
         let mut fm = minimal_front_matter();
diff --git a/src/validate.rs b/src/validate.rs
@@ -99,6 +99,15 @@ pub fn contains_newline(s: &str) -> bool {
     s.contains('\n') || s.contains('\r')
 }
 
+/// Returns true if the string contains the compiler's template marker
+/// delimiter (`{{`).  Values substituted into the pipeline template must
+/// not contain this sequence — otherwise a second-order substitution can
+/// inject arbitrary content (e.g., `{{ agent_content }}` in the `name`
+/// field would be expanded by a later replacement pass).
+pub fn contains_template_marker(s: &str) -> bool {
+    s.contains("{{")
+}
+
 /// Reject ADO template expressions (`${{`), macro expressions (`$(`), and runtime
 /// expressions (`$[`) in a string value. Parameter definitions should only contain
 /// literal values — expressions could enable information disclosure or logic manipulation
@@ -135,8 +144,8 @@ pub fn reject_ado_expressions_in_value(
 }
 
 /// Reject values that could cause pipeline injection: ADO expressions,
-/// pipeline commands (`##vso[`, `##[`), and newlines.  A combined check
-/// for fields embedded into YAML templates.
+/// pipeline commands (`##vso[`, `##[`), template markers (`{{`), and
+/// newlines.  A combined check for fields embedded into YAML templates.
 pub fn reject_pipeline_injection(value: &str, field_name: &str) -> Result<()> {
     if contains_ado_expression(value) {
         anyhow::bail!(
@@ -146,6 +155,22 @@ pub fn reject_pipeline_injection(value: &str, field_name: &str) -> Result<()> {
             value,
         );
     }
+    if contains_pipeline_command(value) {
+        anyhow::bail!(
+            "Front matter '{}' contains an ADO pipeline command ('##vso[' or '##[') which is not allowed. \
+             Pipeline commands could manipulate pipeline behavior. Found: '{}'",
+            field_name,
+            value,
+        );
+    }
+    if contains_template_marker(value) {
+        anyhow::bail!(
+            "Front matter '{}' contains a template marker delimiter '{{{{' which is not allowed. \
+             Template markers could cause second-order injection into the generated pipeline. Found: '{}'",
+            field_name,
+            value,
+        );
+    }
     if contains_newline(value) {
         anyhow::bail!(
             "Front matter '{}' must be a single line (no newlines). \
@@ -481,6 +506,15 @@ mod tests {
         assert!(!contains_newline("single line"));
     }
 
+    #[test]
+    fn test_contains_template_marker() {
+        assert!(contains_template_marker("{{ agent_content }}"));
+        assert!(contains_template_marker("prefix {{ something }} suffix"));
+        assert!(contains_template_marker("{{no_spaces}}"));
+        assert!(!contains_template_marker("normal text"));
+        assert!(!contains_template_marker("just a single { brace"));
+    }
+
     #[test]
     fn test_reject_ado_expressions() {
         assert!(reject_ado_expressions("normal value", "param", "field").is_ok());
@@ -494,6 +528,10 @@ mod tests {
         assert!(reject_pipeline_injection("normal value", "field").is_ok());
         assert!(reject_pipeline_injection("$(SYSTEM_ACCESSTOKEN)", "field").is_err());
         assert!(reject_pipeline_injection("value\ninjected", "field").is_err());
+        assert!(reject_pipeline_injection("{{ agent_content }}", "field").is_err());
+        assert!(reject_pipeline_injection("{{ copilot_params }}", "field").is_err());
+        assert!(reject_pipeline_injection("##vso[task.setvariable]x", "field").is_err());
+        assert!(reject_pipeline_injection("##[section]foo", "field").is_err());
     }
 
     // ── DNS domain validators ───────────────────────────────────────────
