Azure Pipelines scripts should not interpolate parameters or variables directly into script blocks, to avoid script injection when values are controlled at queue time or from other untrusted sources.

Why is this an issue?

Azure Pipelines can use parameters and variables that may be set or overridden by users when a pipeline is run (for example, at queue time). When this data is interpolated directly into script blocks using Azure’s expression syntax (${{ …​ }}) or variable syntax ($(VARIABLE_NAME)), it can lead to script injection vulnerabilities. A user who can set parameter values or variables when running the pipeline could supply values containing shell metacharacters and potentially execute arbitrary commands on the agent.

Understanding expression and variable expansion

Azure Pipelines expressions and variables are expanded before the shell script runs:

• Compile-time expressions (${{ …​ }}): Used for parameters (e.g. ${{ parameters.EXAMPLE_PARAMETER }}) and variables (e.g. ${{ variables.MY_VARIABLE }}). These are evaluated when the pipeline is compiled. The resulting string is then inserted into the script and passed to the shell.
• Runtime variables ($(VARIABLE_NAME)): Variable references in the script are also expanded by the pipeline runtime before the script is executed. The value (which may contain shell metacharacters) is substituted into the script, and the shell then receives the already-expanded script.

In both cases, if the value comes from a string parameter or from a variable that is derived from such input, an attacker who controls that value can inject shell commands. For example, if a parameter is set to "; rm -rf / #", the script may be transformed into multiple shell commands instead of a single safe string.

Parameters of type string (with no values restriction) are untrusted when provided at queue time. Variables that are defined from such parameters (e.g. variables: MY_VAR: ${{ parameters.MY_PARAM }}) are also untrusted when used in script blocks. Using them directly in script, bash, pwsh, or similar steps is therefore unsafe.

What is the potential impact?

The consequences of successful script injection in Azure Pipelines can be severe:

• Information disclosure: Attackers can read secrets, variables, and other sensitive data available to the agent.
• System compromise: Arbitrary commands can be run on the agent, potentially installing malware or accessing other resources.
• Supply chain and repository risk: Build and release steps can be altered to publish malicious artifacts or modify source and pipeline definitions if the agent has sufficient permissions.

How to fix it

Code examples

Noncompliant code example

The following pipeline is vulnerable to script injection because it uses a string parameter and variables directly in script steps. Values are expanded before the shell runs, so an attacker who can set the parameter or variable at queue time could inject shell metacharacters:

parameters:
- name: PackageName
  type: string
  default: 'nginx'

variables:
  PACKAGE_NAME: ${{ parameters.PackageName }}

pool:
  vmImage: 'ubuntu-latest'

steps:
- script: |
    echo "Installing ${{ parameters.PackageName }}" # Noncompliant: string parameter expanded in script
- script: |
    echo "${{ variables.PACKAGE_NAME }}" # Noncompliant: variable (from parameter) expanded in script
- script: |
    echo "$(PACKAGE_NAME)" # Noncompliant: variable expanded in script

If a user queues the pipeline with PackageName set to "; rm -rf / #", the first script becomes echo "Installing "; rm -rf / #", which the shell executes as multiple commands.

Compliant solution

Pass untrusted data via the step’s env block, then reference it with normal shell variable syntax in the script. The pipeline expands the expression when setting the environment variable; the shell then treats the value as data, not as part of the script:

parameters:
- name: PackageName
  type: string
  default: 'nginx'

variables:
  PACKAGE_NAME: ${{ parameters.PackageName }}

pool:
  vmImage: 'ubuntu-latest'

steps:
- script: |
    echo "Installing $PACKAGE_NAME_ENVVAR"
  env:
    PACKAGE_NAME_ENVVAR: ${{ parameters.PackageName }}
- script: |
    echo "$PACKAGE_NAME_ENVVAR"
  env:
    PACKAGE_NAME_ENVVAR: ${{ variables.PACKAGE_NAME }}
- script: |
    echo "$PACKAGE_NAME_ENVVAR"
  env:
    PACKAGE_NAME_ENVVAR: $(PACKAGE_NAME)

When the parameter has a values list, it is safe to use directly in the script because only the pipeline author controls the allowed values:

parameters:
- name: PackageName
  type: string
  default: 'nginx'
  values:
  - nginx
  - apache2
  - postgresql

pool:
  vmImage: 'ubuntu-latest'

steps:
- script: |
    echo "Installing ${{ parameters.PackageName }}" # Compliant
  displayName: 'Install package'

How does this work?

The key difference lies in when and how the data is processed:

• Direct interpolation (vulnerable): When using ${{ parameters.PackageName }} or $(PACKAGE) directly in a script step, Azure Pipelines expands the expression or variable before the shell runs:
  1. The pipeline is compiled and expressions are evaluated, or at runtime variables are substituted
  2. The resulting string (which may contain shell metacharacters) is inserted into the script content
  3. The shell receives and executes the already-expanded script
  4. Any shell metacharacters in the value are interpreted as part of the script, enabling injection
• Environment variable approach (safe): When untrusted data is assigned via the step’s env block, the pipeline still expands the expression when setting the environment variable, but the script uses normal shell variable syntax:
  1. Azure Pipelines evaluates ${{ parameters.PackageName }} and assigns the value to an environment variable (e.g. PACKAGE_NAME)
  2. The script references it with shell syntax ($PACKAGE_NAME)
  3. The shell treats the environment variable’s contents as literal data, not as part of the script

When the shell evaluates $PACKAGE_NAME, it performs variable expansion: the value is used as a string. Even if the value contains shell metacharacters, they remain literal characters and are not interpreted as commands. That separation prevents malicious content from being executed.

• Parameter with a values list (safe when used directly): When a parameter specifies a values list, only those values can be selected at queue time. Using the parameter directly in a script is safe because:
  1. The pipeline author defines all allowed values in the values list
  2. Users cannot supply arbitrary values; they can only choose from the list
  3. The author can ensure none of the options contain shell metacharacters
  4. Expression expansion will only ever produce one of those predefined values

Resources

Documentation

• Microsoft Learn - Use runtime and type-safe parameters
• Microsoft Learn - Define variables
• Microsoft Learn - Secure your Azure Pipelines - Securely use variables and parameters

Standards

• OWASP - Top 10 2021 Category A3 - Injection
• OWASP - Top 10 2017 Category A1 - Injection
• CWE - CWE-20 - Improper Input Validation
• CWE - CWE-78 - Improper Neutralization of Special Elements used in an OS Command
• STIG Viewer - Application Security and Development: V-222604 - The application must protect from command injection.
• STIG Viewer - Application Security and Development: V-222609 - The application must not be subject to input handling vulnerabilities.