pub fn parameter_interpolation_into_shell(
    graph: &AuthorityGraph,
) -> Vec<Finding>
Rule: a free-form parameter declared type: string (with no values: allowlist)
is interpolated via ${{ parameters.<name> }} directly into an inline
shell/PowerShell script body. ADO does not escape parameter values in
YAML emission, so any user with “queue build” can inject shell commands.

Detection requires the parser to populate
AuthorityGraph::parameters (currently ADO only) and to stamp Step
nodes with META_SCRIPT_BODY.

Severity: Medium.
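
A stand-alone sketch of the check this rule describes, added here as an example and not taken from the crate. `Param` and `free_form_params_in_script` are hypothetical names, the sample parameters and script body are constructed, and only the direct `${{ parameters.<name> }}` form is matched.

```rust
// Added illustration. `Param` and `free_form_params_in_script` are
// hypothetical names, not the crate's AuthorityGraph API.
struct Param {
    name: &'static str,
    ty: &'static str, // value of `type:`
    has_values: bool, // true when a `values:` allowlist is declared
}

/// Names of free-form string parameters that appear as a direct
/// `${{ parameters.<name> }}` reference inside an inline script body.
fn free_form_params_in_script(params: &[Param], script: &str) -> Vec<String> {
    let mut hits: Vec<String> = Vec::new();
    let mut rest = script;
    while let Some(start) = rest.find("${{") {
        let after = &rest[start + 3..];
        let end = match after.find("}}") {
            Some(e) => e,
            None => break, // unterminated expression: stop scanning
        };
        if let Some(name) = after[..end].trim().strip_prefix("parameters.") {
            let risky = params
                .iter()
                .any(|p| p.name == name && p.ty == "string" && !p.has_values);
            if risky && !hits.iter().any(|h| h == name) {
                hits.push(name.to_string());
            }
        }
        rest = &after[end + 2..];
    }
    hits
}

// Constructed sample: the inline script body of one step.
const SCRIPT: &str = "git checkout ${{ parameters.branchName }}\n\
./deploy.sh --env ${{ parameters.environment }} --retries ${{parameters.retries}}";

// Constructed sample parameters; the flag toggles a `values:` allowlist on branchName.
fn sample_params(branch_allowlisted: bool) -> Vec<Param> {
    vec![
        Param { name: "branchName", ty: "string", has_values: branch_allowlisted },
        Param { name: "environment", ty: "string", has_values: true },
        Param { name: "retries", ty: "number", has_values: false },
    ]
}

fn main() {
    println!("{:?}", free_form_params_in_script(&sample_params(false), SCRIPT));
    println!("{:?}", free_form_params_in_script(&sample_params(true), SCRIPT));
}
```

Declaring a `values:` allowlist on `branchName` clears the finding in this sketch, which mirrors the "no values: allowlist" condition in the rule.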