From 81a30bc67e4af6b5085e373b3b6769a391fda4b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Aparecido=20Estev=C3=A3o=20da=20Silva?= <98992289+moisesest3vao@users.noreply.github.com>
Date: Wed, 8 Oct 2025 10:08:37 -0300
Subject: [PATCH] fix(before-after-operation-rules): replace Invoke-Expression with call operator to prevent code interpretation issues

Replaced the use of `Invoke-Expression` in the ConnectorAfterCreate rule with the PowerShell call operator `&`. This change prevents special characters in the `$requestAsString` (such as quotes, pipes, or ampersands) from being misinterpreted as code, eliminating syntax errors and potential injection risks during execution. The update improves reliability and security when handling complex or user-provided input in CreateAfterRule PowerShell scripts. Currently SailPoint already has lot of clients facing issues with Invoke-Expression, and a significant amount of users are already using "&" to invoke this command (check https://github.com/sailpoint/identitynow-services-config to confirm the usage)
---
 .../rules/connector-rules/before_after_operation_rule.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/extensibility/rules/connector-rules/before_after_operation_rule.md b/docs/extensibility/rules/connector-rules/before_after_operation_rule.md
index 28f2b7251647a..887e4a7aa0795 100644
--- a/docs/extensibility/rules/connector-rules/before_after_operation_rule.md
+++ b/docs/extensibility/rules/connector-rules/before_after_operation_rule.md
@@ -102,8 +102,7 @@ Try{
 }
 #Call the client script
- $command = -join ($command, " -requestString '$requestAsString'")
- Invoke-Expression $command
+ & $command -requestString $requestAsString
 }Catch{
 $ErrorMessage = $_.Exception.Message
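Review bot: The new `& $command -requestString $requestAsString` line only works if `$command` holds nothing but the script path or command name, and the lines that build `$command` are outside this hunk. If that variable still carries embedded arguments or quoting left over from the string-building approach, the call operator will treat the whole string as a command name and fail, so the sample should state that expectation. I would add a comment above the call such as `# Use the call operator, not Invoke-Expression: $requestAsString is passed as a single argument and is never parsed as PowerShell`, so that readers copying the template do not revert to string concatenation. The called client script still receives request content as data and needs to avoid evaluating it itself; the Try block continues outside the hunk.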