Merge pull request #37 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master

Author: pull[bot]

.gitignore

@@ -21,3 +21,4 @@ yarn.lock
 /*.ps1
 !/profile.ps1
 .DS_Store
+proxyman.pem

CIPPDBCacheTypes.json

@@ -279,6 +279,16 @@
     "friendlyName": "OneDrive Usage",
     "description": "OneDrive usage statistics"
   },
+  {
+    "type": "OfficeActivations",
+    "friendlyName": "Office Activations",
+    "description": "Microsoft 365 app activation counts per user per platform (Windows, Mac, Mobile)"
+  },
+  {
+    "type": "CopilotReadinessActivity",
+    "friendlyName": "Copilot Readiness Activity",
+    "description": "Per-user Copilot readiness signals (update channel, Teams, Outlook, Office docs) over 30 days"
+  },
   {
     "type": "ConditionalAccessPolicies",
     "friendlyName": "Conditional Access Policies",
@@ -328,5 +338,30 @@
     "type": "DetectedApps",
     "friendlyName": "Detected Apps",
     "description": "All detected applications with devices where each app is installed"
+  },
+  {
+    "type": "SensitivityLabels",
+    "friendlyName": "Sensitivity Labels",
+    "description": "Microsoft Purview sensitivity labels configured in the tenant"
+  },
+  {
+    "type": "DlpCompliancePolicies",
+    "friendlyName": "DLP Compliance Policies",
+    "description": "Data Loss Prevention compliance policies from the Purview compliance portal"
+  },
+  {
+    "type": "CopilotUsageUserDetail",
+    "friendlyName": "Copilot Usage User Detail",
+    "description": "Per-user Microsoft 365 Copilot usage details across apps (30-day period)"
+  },
+  {
+    "type": "CopilotUserCountSummary",
+    "friendlyName": "Copilot User Count Summary",
+    "description": "Aggregate active Copilot user counts by app (30-day period)"
+  },
+  {
+    "type": "CopilotUserCountTrend",
+    "friendlyName": "Copilot User Count Trend",
+    "description": "Daily Copilot active user count trend (7-day period)"
   }
 ]

Config/standards.json

@@ -5,3 +5,11 @@ ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
     AzureFunctionsJobHost__Logging__Console__IsEnabled=true
 
 COPY . /home/site/wwwroot
+
+# Optionally install Proxyman CA certificate if proxyman.pem exists in the build context
+RUN if [ -f /home/site/wwwroot/proxyman.pem ]; then \
+        apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
+        cp /home/site/wwwroot/proxyman.pem /usr/local/share/ca-certificates/proxyman.crt && \
+        update-ca-certificates && \
+        rm -rf /var/lib/apt/lists/*; \
+    fi

ConversionTable.csv

@@ -0,0 +1,109 @@
+function ConvertTo-StringList {
+    <#
+    .SYNOPSIS
+        Turns encoded list data into something you can foreach over.
+
+    .DESCRIPTION
+        String input: if it is JSON (object or array), it is converted first; otherwise comma/semicolon/newline
+        splitting applies. Other shapes: wrapper objects, or an existing array/list. After conversion, the return
+        value is always foreach-able (empty collection is @()). Arrays and IList instances are returned
+        as-is — they are already foreach-able without conversion.
+        This exists because front end multi-value input is annoying to deal with.
+
+    .PARAMETER InputObject
+        Encoded list (string/JSON), wrapper object, or an existing array/list.
+
+    .PARAMETER PropertyNames
+        On hashtables/PSCustomObjects, property names to read in order.
+
+    .OUTPUTS
+        Always an enumerable suitable for: foreach ($item in (ConvertTo-StringList ...)) { }
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Position = 0)]
+        [Alias('Input', 'Value')]
+        [AllowNull()]
+        $InputObject,
+
+        [string[]]$PropertyNames = @('Items', 'Value')
+    )
+
+    # Output must be foreach-able; $null input yields empty collection.
+    if ($null -eq $InputObject) {
+        return @()
+    }
+
+    if ($InputObject -is [string]) {
+        $s = $InputObject.Trim()
+        if (-not $s) {
+            return @()
+        }
+        if ($s.StartsWith('[') -or $s.StartsWith('{')) {
+            try {
+                $parsed = $s | ConvertFrom-Json -ErrorAction Stop
+                return ConvertTo-StringList -InputObject $parsed -PropertyNames $PropertyNames
+            } catch {
+            }
+        }
+        return @(
+            $s -split '[,;\r\n]+' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+        )
+    }
+
+    if ($InputObject -is [Array]) {
+        return $InputObject
+    }
+    if ($InputObject -is [System.Collections.IList] -and $InputObject -isnot [string]) {
+        return $InputObject
+    }
+
+    if ($InputObject -is [hashtable]) {
+        if ($InputObject.Count -eq 0) {
+            return @()
+        }
+        foreach ($name in $PropertyNames) {
+            if ($InputObject.ContainsKey($name)) {
+                return ConvertTo-StringList -InputObject $InputObject[$name] -PropertyNames $PropertyNames
+            }
+        }
+        foreach ($p in $InputObject.GetEnumerator() | Sort-Object { $_.Key }) {
+            $v = $p.Value
+            if ($null -eq $v) { continue }
+            if ($v -is [string] -or ($v -is [System.Collections.IEnumerable] -and $v -isnot [hashtable] -and $v -isnot [pscustomobject])) {
+                return ConvertTo-StringList -InputObject $v -PropertyNames @()
+            }
+        }
+        $single = "$InputObject".Trim()
+        if ($single) {
+            return , @($single)
+        }
+        return @()
+    }
+
+    if ($InputObject -is [pscustomobject]) {
+        foreach ($name in $PropertyNames) {
+            if ($InputObject.PSObject.Properties.Name -contains $name) {
+                return ConvertTo-StringList -InputObject $InputObject.$name -PropertyNames $PropertyNames
+            }
+        }
+        foreach ($p in $InputObject.PSObject.Properties) {
+            $v = $p.Value
+            if ($null -eq $v) { continue }
+            if ($v -is [string] -or ($v -is [System.Collections.IEnumerable] -and $v -isnot [hashtable] -and $v -isnot [pscustomobject])) {
+                return ConvertTo-StringList -InputObject $v -PropertyNames @()
+            }
+        }
+        $single = "$InputObject".Trim()
+        if ($single) {
+            return , @($single)
+        }
+        return @()
+    }
+
+    $t = "$InputObject".Trim()
+    if ($t) {
+        return , @($t)
+    }
+    return @()
+}

Dockerfile

@@ -0,0 +1,56 @@
+function Get-CIPPSchedulerBlockedCommands {
+    <#
+    .SYNOPSIS
+        Returns the list of commands that are blocked from execution via the CIPP scheduler.
+    .DESCRIPTION
+        Prevents privilege escalation and credential exfiltration by blocking functions that
+        return tokens, secrets, keys, credentials, tenant lists, or perform SAM/CPV configuration
+        from being executed as user-scheduled tasks.
+    #>
+    [CmdletBinding()]
+    param()
+
+    return @(
+        # Token & authentication functions - would exfiltrate access/refresh tokens
+        'Get-GraphToken'
+        'Get-GraphTokenFromCert'
+        'Get-ClassicAPIToken'
+        'Get-CIPPAzIdentityToken'
+        'Get-CIPPAuthentication'
+        'New-CIPPAzServiceSAS'
+
+        # Extension authentication tokens
+        'Get-GradientToken'
+        'Get-HaloToken'
+        'Get-NinjaOneToken'
+        'Get-SherwebAuthentication'
+        'Get-HIBPAuth'
+
+        # Secret & key material
+        'Get-CippKeyVaultSecret'
+        'Remove-CippKeyVaultSecret'
+        'Get-ExtensionAPIKey'
+        'Set-ExtensionAPIKey'
+        'Remove-ExtensionAPIKey'
+
+        # Tenant enumeration - would reveal full tenant list
+        'Get-Tenants'
+
+        # SAM permission enumeration - exposes which permissions the SAM app holds
+        'Get-CippSamPermissions'
+
+        # Direct storage access - bypasses CIPP data access controls
+        'Get-CIPPTable'
+        'Get-CIPPAzDataTableEntity'
+        'Get-AzDataTableEntity'
+        'Get-AzDataTable'
+        'Add-CIPPAzDataTableEntity'
+        'Add-AzDataTableEntity'
+        'Update-AzDataTableEntity'
+        'Remove-AzDataTableEntity'
+        'Remove-AzDataTable'
+
+        # Backup & restore
+        'Get-CIPPBackup'
+    )
+}

Modules/CIPPCore/CIPPCore.psd1

@@ -0,0 +1,78 @@
+function Test-CIPPConditionFilter {
+    <#
+    .SYNOPSIS
+        Returns a sanitized PowerShell condition string for an audit log / delta query condition.
+    .DESCRIPTION
+        Validates operator and property name against allowlists, sanitizes input values,
+        then returns a safe condition string suitable for [ScriptBlock]::Create().
+
+        This replaces the old Invoke-Expression pattern which was vulnerable to code injection
+        through unsanitized user-controlled fields.
+    .PARAMETER Condition
+        A single condition object with Property.label, Operator.value, and Input.value.
+    .OUTPUTS
+        [string] A sanitized PowerShell condition string, or $null if validation fails.
+    .FUNCTIONALITY
+        Internal
+    #>
+    [CmdletBinding()]
+    [OutputType([string])]
+    param(
+        [Parameter(Mandatory = $true)]
+        $Condition
+    )
+
+    # Operator allowlist - only these PowerShell comparison operators are permitted
+    $AllowedOperators = @(
+        'eq', 'ne', 'like', 'notlike', 'match', 'notmatch',
+        'gt', 'lt', 'ge', 'le', 'in', 'notin',
+        'contains', 'notcontains'
+    )
+
+    # Property name validation - only alphanumeric, underscores, and dots allowed
+    $SafePropertyRegex = [regex]'^[a-zA-Z0-9_.]+$'
+
+    # Value sanitization - block characters that enable code injection
+    $UnsafeValueRegex = [regex]'[;|`\$\{\}]'
+
+    $propertyName = $Condition.Property.label
+    $operatorValue = $Condition.Operator.value.ToLower()
+    $inputValue = $Condition.Input.value
+
+    # Validate operator against allowlist
+    if ($operatorValue -notin $AllowedOperators) {
+        Write-Warning "Blocked invalid operator '$($Condition.Operator.value)' in condition for property '$propertyName'"
+        return $null
+    }
+
+    # Validate property name to prevent injection via property paths
+    if (-not $SafePropertyRegex.IsMatch($propertyName)) {
+        Write-Warning "Blocked invalid property name '$propertyName' in condition"
+        return $null
+    }
+
+    # Build sanitized condition string
+    if ($inputValue -is [array]) {
+        # Sanitize each array element
+        $sanitizedItems = foreach ($item in $inputValue) {
+            $itemStr = [string]$item
+            if ($UnsafeValueRegex.IsMatch($itemStr)) {
+                Write-Warning "Blocked unsafe value in array for property '$propertyName': '$itemStr'"
+                return $null
+            }
+            $itemStr -replace "'", "''"
+        }
+        if ($null -eq $sanitizedItems) { return $null }
+        $arrayAsString = $sanitizedItems | ForEach-Object { "'$_'" }
+        $value = "@($($arrayAsString -join ', '))"
+    } else {
+        $valueStr = [string]$inputValue
+        if ($UnsafeValueRegex.IsMatch($valueStr)) {
+            Write-Warning "Blocked unsafe value for property '$propertyName': '$valueStr'"
+            return $null
+        }
+        $value = "'$($valueStr -replace "'", "''")'"
+    }
+
+    return "`$(`$_.$propertyName) -$operatorValue $value"
+}