A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.

The authors explore the use of “logging commands” which are special terms that can be logged that can communicate with the agent running the pipeline. These can be used to for example mark a step as failed but can do other things also. The logging commands look something like the following:

##vso[area.action property=value;property2=value2;...]message

There are a variety of actions that might be useful to an attacker, two they explore are task.setvariable, and artifact.upload. The first is used in their dummy example case where they have a pipeline that downloads a file from a location from a pipeline variable, and executes it. So there is a clear path to RCE there. The second is used in a case study to exploit thescikit-learn repository.

In the scikit-learn repository the Pipeline will log the latest commit message from a pull request, so a malicious attacker, capable of getting a PR merged (you want it running inside their organization) can gain control over the scikit-learn artifacts with a commit message like:

##vso[artifact.upload]local file path

This particular scikit-learn attack feels somewhat unlikely, the commit message being something like that should raise questions to any human in the loop, but the general principal is something to keep in mind. All it takes is logging attacker data to potentially do some damage.