Skip to content

Add validation scripts for all sample apps#248

Merged
dluces merged 14 commits into
mainfrom
user/dluces/sample_app_test_plan
Jul 6, 2026
Merged

Add validation scripts for all sample apps#248
dluces merged 14 commits into
mainfrom
user/dluces/sample_app_test_plan

Conversation

@dluces

@dluces dluces commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Validation scripts for all sample apps to help ensure dependency auto-upgrades don't break them

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a consistent, root-level PowerShell validation entrypoint (validate-sample.ps1) across sample apps, backed by shared tooling to perform local builds and lightweight runtime/browser smoke checks.

Changes:

  • Added shared Playwright-based browser smoke tooling under Tools/sample-validation (Node + Playwright).
  • Added shared PowerShell helper functions (Tools/powershell/SampleValidation.ps1) and per-sample validate-sample.ps1 scripts to standardize validation flows.
  • Documented the new validation approach in README.md and ignored generated validation logs via .gitignore.

Reviewed changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated 12 comments.

Show a summary per file
File Description
Tools/sample-validation/package.json Introduces Node tooling dependency for shared browser smoke checks.
Tools/sample-validation/package-lock.json Locks Playwright dependency tree for the shared validation tooling.
Tools/sample-validation/browser-smoke.mjs Implements the Playwright-driven browser smoke test runner.
Tools/powershell/SampleValidation.ps1 Adds shared PowerShell helpers for running commands, managing processes, and HTTP/browser smoke checks.
Custom Apps/webhook/validate-sample.ps1 Adds validation script for the webhook sample (runtime echo check).
Custom Apps/project-management/validate-sample.ps1 Adds validation script for the project-management sample (build + optional browser smoke).
Custom Apps/legal-docs/validate-sample.ps1 Adds validation script for the legal-docs sample (build + optional browser smoke).
Custom Apps/boilerplate-typescript-react/validate-sample.ps1 Adds validation script for the TypeScript React boilerplate (build + optional runtime + optional browser smoke).
Custom Apps/boilerplate-react-azurefunction/validate-sample.ps1 Adds validation script for the React + Azure Functions boilerplate (build + optional runtime + optional browser smoke).
Custom Apps/boilerplate-aspnet-webservice/validate-sample.ps1 Adds validation script for the ASP.NET web service sample (build + optional runtime smoke).
AI/ocr/validate-sample.ps1 Adds validation script for OCR sample (build/test + optional runtime + optional browser smoke).
AI/mcp-server/validate-sample.ps1 Adds validation script for MCP server sample (build + optional runtime health check).
README.md Documents how to run sample validation scripts and their downgrade behavior.
.gitignore Ignores generated local .validation log folders.
Files not reviewed (1)
  • Tools/sample-validation/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Tools/powershell/SampleValidation.ps1 Outdated
Comment thread Custom Apps/webhook/validate-sample.ps1 Outdated
Comment thread Tools/powershell/SampleValidation.ps1 Outdated
Comment thread Custom Apps/project-management/validate-sample.ps1 Outdated
Comment thread Custom Apps/legal-docs/validate-sample.ps1 Outdated
Comment thread Custom Apps/boilerplate-react-azurefunction/validate-sample.ps1 Outdated
Comment thread AI/ocr/validate-sample.ps1 Outdated
Comment thread AI/mcp-server/validate-sample.ps1 Outdated
Comment thread Custom Apps/webhook/validate-sample.ps1 Outdated
Comment thread Custom Apps/boilerplate-aspnet-webservice/validate-sample.ps1 Outdated
Resolve-CommandPath returned the highest-precedence Get-Command match,
which on Windows is the PowerShell script shim (e.g. npx.ps1). Start-
LoggedProcess passes that path to Start-Process with output redirection,
forcing the CreateProcess code path -- which cannot execute .ps1 (or the
extensionless npm/npx) shims. Every Windows runtime/browser smoke step
therefore failed immediately with "%1 is not a valid Win32 application".

Resolve a directly executable form (.cmd/.exe/...) when one exists, while
falling back to the Application command form for Linux/macOS, where the
shebang executable can be exec'd directly. The call operator path
(Invoke-ExternalCommand) is unaffected since it runs .cmd shims fine too.

Verified on Windows (pwsh 7.4): Resolve-CommandPath now returns npx.cmd /
npm.cmd / node.exe; Start-LoggedProcess launches with redirection without
error; and project-management/validate-sample.ps1 reaches and passes the
preview-server startup it previously crashed on (exit code 0).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment thread AI/ocr/server/onReceiptAdded.ts Fixed
dilucesr and others added 2 commits July 3, 2026 15:38
CodeQL js/reflected-xss (high) flagged AI/ocr/server/onReceiptAdded.ts:
the Microsoft Graph subscription validationToken from req.query was echoed
straight into the HTTP response body. Although the response is sent as
text/plain, a user-controlled value reflected verbatim is a reflected XSS
sink (browsers can MIME-sniff, and the value is attacker influenceable).

Graph requires the opaque, URL-safe validationToken to be echoed back to
complete the subscription handshake, so strip any character outside the
token's known-safe set (base64url/base64) before reflecting it. This is a
no-op for legitimate tokens while removing the characters needed for XSS.
Also set X-Content-Type-Options: nosniff as defense in depth.

Verified on Windows (Node 24): backend builds; validate-sample.ps1 backend
smoke passes; a legitimate token echoes verbatim (handshake intact) while
'<script>alert(1)</script>' is returned as 'scriptalert1/script' (angle
brackets stripped).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
fix(ocr): sanitize Graph validationToken echo to prevent reflected XSS
@dluces dluces merged commit dfe3269 into main Jul 6, 2026
6 checks passed
@dluces dluces deleted the user/dluces/sample_app_test_plan branch July 6, 2026 16:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants