Skip to content

Security update for storageURL field of ApplicationPackage #28957

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wiboris wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Security update for storageURL field of ApplicationPackage #28957

wiboris wants to merge 4 commits into from

Conversation

@wiboris
Copy link
Member

@wiboris wiboris commented Dec 5, 2025
edited
Loading

Description

Mandatory Checklist

  • SHOULD update ChangeLog.md file(s) appropriately
    • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
      • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
    • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
  • SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
  • SHOULD have proper test coverage for changes in pull request.
  • SHOULD NOT adjust version of module manually in pull request

Copilot AI review requested due to automatic review settings December 5, 2025 06:37
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Dec 5, 2025

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

Copilot finished reviewing on behalf of wiboris December 5, 2025 06:40
@isra-fel
Copy link
Member

isra-fel commented Dec 5, 2025

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Dec 5, 2025

Azure Pipelines successfully started running 3 pipeline(s).

Copilot AI reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements a security update to prevent exposing the storageUrl field (which contains SAS tokens) in the PSApplicationPackage object returned to users. The code refactors the application package upload workflow by separating the existence check from the storage URL retrieval, and comments out the StorageUrl assignment in the response converter.

Key changes:

  • Refactored GetStorageUrl method to remove the out parameter and split existence checking into a separate AppPackageExists method
  • Commented out StorageUrl assignment in ConvertGetApplicationPackageResponseToApplicationPackage to prevent exposing SAS tokens
  • Updated test to use -FilePath parameter instead of -ActivateOnly flag

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

File Description
src/Batch/Batch/Models/BatchClient.ApplicationPackages.cs Refactored application package upload logic; split existence check and storage URL retrieval; commented out StorageUrl field assignment
src/Batch/Batch.Test/ScenarioTests/BatchApplicationPackageTests.ps1 Changed test parameter from -ActivateOnly to -FilePath to match updated API
src/Batch/Batch.Test/SessionRecords/*.json Updated test recordings with new timestamps, request IDs, and API version 4.0.0 reflecting the code changes

dpwatrous
dpwatrous reviewed Dec 5, 2025
View reviewed changes
@isra-fel
Copy link
Member

isra-fel commented Dec 5, 2025

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Dec 5, 2025

Azure Pipelines successfully started running 3 pipeline(s).

Copilot AI review requested due to automatic review settings December 5, 2025 19:47
Copilot AI reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

@isra-fel
Copy link
Member

isra-fel commented Dec 5, 2025

/azp run

@azure-pipelines
Copy link
Contributor

azure-pipelines bot commented Dec 5, 2025

Azure Pipelines successfully started running 3 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wyunchi-ms wyunchi-ms Awaiting requested review from wyunchi-ms wyunchi-ms is a code owner

@dolauli dolauli Awaiting requested review from dolauli dolauli is a code owner

@isra-fel isra-fel Awaiting requested review from isra-fel isra-fel is a code owner

@VeryEarly VeryEarly Awaiting requested review from VeryEarly VeryEarly is a code owner

@YanaXu YanaXu Awaiting requested review from YanaXu YanaXu is a code owner

@vidai-msft vidai-msft Awaiting requested review from vidai-msft vidai-msft is a code owner

@NoriZC NoriZC Awaiting requested review from NoriZC NoriZC is a code owner

@notyashhh notyashhh Awaiting requested review from notyashhh notyashhh is a code owner

@Pan-Qi Pan-Qi Awaiting requested review from Pan-Qi Pan-Qi is a code owner

@DanielMicrosoft DanielMicrosoft Awaiting requested review from DanielMicrosoft DanielMicrosoft is a code owner

+1 more reviewer

@dpwatrous dpwatrous dpwatrous approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wiboris @isra-fel @dpwatrous