fix(writers/python): prevent code injection via x-ms-enum description#7735

Merged
MIchaelMainer merged 8 commits into main from fix/python-enum-description-injection, Jun 2, 2026

Conversation

@MIchaelMainer
Member

Fixes a code injection vulnerability in the Python writer where malicious x-ms-enum description fields containing newline characters could break out of
inline comments (# ...) or docstrings and inject arbitrary Python code into generated output.

Changes

  • PythonConventionService.RemoveInvalidDescriptionCharacters: Added newline stripping (\r\n, \r, \n → space) before the existing backslash and
    triple-quote replacements.
  • CodeEnumWriterTests: Added two regression tests verifying hostile payloads with newlines and triple-quotes are properly neutralized.

Root Cause

The RemoveInvalidDescriptionCharacters method only handled backslash and triple-quote escaping but did not strip newline characters. Since Python
inline comments are single-line (# ...), an embedded newline would terminate the comment and allow subsequent text to execute as Python code.

Security Impact

A malicious OpenAPI specification could inject arbitrary Python code into generated SDK clients via the x-ms-enum extension's description field.
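As an added illustration (not Kiota's C# code), the following Python models the sanitizer this PR describes and the writer's inline-comment emission, then parses the generated module to check that nothing escaped the comment. The backslash and triple-quote replacements are assumed, tab handling follows the later commit on this PR, and the hostile description is a constructed sample.

```python
import ast
import re

# Constructed model of PythonConventionService.RemoveInvalidDescriptionCharacters;
# the real method is C#, and the exact backslash/triple-quote replacements below
# are assumptions. Tab handling follows the later commit in this PR.
_CONTROL_CHARS = re.compile(r"\r\n|\r|\n|\t")


def remove_invalid_description_characters(description: str) -> str:
    """Keep a description on one line and harmless inside '# ...' or a docstring."""
    text = _CONTROL_CHARS.sub(" ", description)  # the fix: newlines/tabs -> space
    text = text.replace("\\", "\\\\")            # assumed: escape backslashes first
    return text.replace('"""', '\\"\\"\\"')      # assumed: then neutralize triple quotes


def render_enum(name: str, members: dict, sanitize: bool) -> str:
    """Emit an Enum with each member's description as an inline comment,
    the way a code writer would (constructed, not Kiota's CodeEnumWriter)."""
    lines = ["from enum import Enum", "", f"class {name}(str, Enum):"]
    for member, description in members.items():
        comment = remove_invalid_description_characters(description) if sanitize else description
        lines.append(f'    {member} = "{member}"  # {comment}')
    return "\n".join(lines) + "\n"


def top_level_statements(source: str) -> int:
    """A clean generated module parses to exactly two top-level statements
    (import + class); anything more escaped from a description."""
    return len(ast.parse(source).body)


# Constructed hostile spec: the last member's x-ms-enum description carries a
# newline followed by a statement, which an unsanitized '# ...' comment cannot hold.
HOSTILE_MEMBERS = {
    "RED": "Primary colour",
    "BLUE": "Cool colour\nINJECTED = True",
}

if __name__ == "__main__":
    unsafe = render_enum("Colour", HOSTILE_MEMBERS, sanitize=False)
    safe = render_enum("Colour", HOSTILE_MEMBERS, sanitize=True)
    print("unsanitized statements:", top_level_statements(unsafe))  # 3: payload escaped
    print("sanitized statements:", top_level_statements(safe))      # 2: import + class
```

The statement count is a cheap regression check a writer test can apply to any generated module: a description must never change the number of top-level statements.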

… newlines

The RemoveInvalidDescriptionCharacters method in PythonConventionService
did not strip newline characters (\r\n, \r, \n). A malicious OpenAPI spec
could inject arbitrary Python code via x-ms-enum description fields by
embedding newlines that break out of inline comments (# ...) or
docstrings.

This fix replaces newlines with spaces, keeping all description content
on a single line where it remains safely within comments/docstrings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@MIchaelMainer MIchaelMainer requested a review from a team as a code owner May 26, 2026 19:57
@msgraph-bot msgraph-bot Bot added this to Kiota May 26, 2026
baywet previously approved these changes May 26, 2026
@github-project-automation github-project-automation Bot moved this to In Progress 🚧 in Kiota May 26, 2026
@baywet
Member

baywet commented May 26, 2026

@MIchaelMainer some unit tests are failing. Could be transient.
Also do we have exposure in other languages?
Also, it'd be good to update the agent/copilot instructions to be on the lookout for these kinds of instances; I'm not sure why it didn't flag it in the initial fixes.

…nitization

The Python writer now normalizes description control characters (newline, carriage return, tab) to spaces as part of injection hardening.
This caused EscapesDeprecationWarningStringLiteral to expect an outdated \n sequence in the generated warning output.

@MIchaelMainer MIchaelMainer enabled auto-merge (squash) June 1, 2026 21:59
@baywet
Member

baywet commented Jun 2, 2026

currently impacted by this microsoft/vs-streamjsonrpc#1447

@MIchaelMainer MIchaelMainer merged commit 5958d62 into main Jun 2, 2026
313 checks passed
@MIchaelMainer MIchaelMainer deleted the fix/python-enum-description-injection branch June 2, 2026 11:02
@github-project-automation github-project-automation Bot moved this from In Progress 🚧 to Done ✔️ in Kiota Jun 2, 2026
Copilot AI added a commit that referenced this pull request Jun 2, 2026
adrian05-ms added a commit that referenced this pull request Jun 2, 2026
…#7753)

* - bumps version for release of 1.32.0

* chore: update StreamJsonRpc and remove explicit MessagePack override

* docs: add 1.32.0 entries for security fixes #7735 and #7746

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>