Parameter value is evaluated as an expression #18658

@anthony-c-martin

Description

Repro

  • main.bicepparam
    using 'main.bicep'
    
    param safeInput = '[subscription().id]'
    param vulnerableInput = {
      'in the value': '[subscription().id]'
      '[subscription().id]': 'in the key'
    }
  • main.bicep
    param safeInput string
    param vulnerableInput object = {}
    
    var expansion = [for key in objectKeys(vulnerableInput): {
      name: key
      value: string(vulnerableInput[key])
    }]
    
    output safeOutput string = safeInput
    output vulnerableOutput object[] = expansion

Expected outcome

Both safeOutput and vulnerableOutput contain the string [subscription().id] unevaluated

Actual outcome

The vulnerableOutput output contains the evaluated result of [subscription().id]:

Image
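
A pre-deployment check for the behaviour reported above, as an added example that is not part of the original issue or the Bicep project's code: it walks a parsed parameters object and reports every nested key or string value that has the ARM expression shape (starts with `[`, ends with `]`, and is not escaped with a leading `[[`). The JSON shape of `SAMPLE_PARAMETERS` and the function names are assumptions made for illustration.

```python
import json

# Constructed sample: the repro's parameter values in an assumed parsed
# parameters-object shape (not compiler output taken from the issue).
SAMPLE_PARAMETERS = json.loads("""
{
  "safeInput": {"value": "[[subscription().id]"},
  "vulnerableInput": {"value": {
    "in the value": "[subscription().id]",
    "[subscription().id]": "in the key",
    "plain": ["literal", "[[escaped]"]
  }}
}
""")


def is_expression_shaped(text):
    """True if the string has the shape ARM templates evaluate as an
    expression: starts with '[', ends with ']', no '[[' escape."""
    return text.startswith("[") and text.endswith("]") and not text.startswith("[[")


def find_expression_strings(node, path="$"):
    """Walk nested JSON and return (path, kind, text) for every object key or
    string value that has the unescaped expression shape."""
    findings = []
    if isinstance(node, str):
        if is_expression_shaped(node):
            findings.append((path, "value", node))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_expression_strings(item, f"{path}[{index}]"))
    elif isinstance(node, dict):
        for key, item in node.items():
            child = f"{path}.{json.dumps(key)}"
            # Keys are checked too: the repro shows a key being evaluated.
            if is_expression_shaped(key):
                findings.append((child, "key", key))
            findings.extend(find_expression_strings(item, child))
    return findings


if __name__ == "__main__":
    for path, kind, text in find_expression_strings(SAMPLE_PARAMETERS):
        print(f"{kind:5} {path}: {text}")
```

Running it over parameter objects that carry untrusted input before deployment surfaces the keys and values that would need the `[[` escape.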
