Summary
The ConditionGroup constructor's mutual-exclusion guard requires all three of AllOf, AnyOf, and Not to be present before throwing. A hashtable with any two of the three silently passes construction. Test-Condition then processes only the first group key it encounters (AllOf → AnyOf → Not in order) and silently discards the others. Rule authors who believe they wrote compound logic get single-branch evaluation.
File
Gatekeeper/Classes/FeatureFlag.ps1:27
Root Cause
# Current — only fires if ALL THREE are present:
if ($data.ContainsKey('AllOf') -and $data.ContainsKey('AnyOf') -and $data.ContainsKey('Not')) {
throw ...
}
# AllOf + AnyOf together passes this guard silentlyFix
$groupKeys = @('AllOf', 'AnyOf', 'Not') | Where-Object { $data.ContainsKey($_) }
if ($groupKeys.Count -gt 1) {
throw "ConditionGroup may only define one of: AllOf, AnyOf, Not. Got: $($groupKeys -join ', ')"
}Notes
- Good first issue
- Found by Jordan B., Sage Nakamura, DualCore, and Glenn
Summary
The
ConditionGroupconstructor's mutual-exclusion guard requires all three ofAllOf,AnyOf, andNotto be present before throwing. A hashtable with any two of the three silently passes construction.Test-Conditionthen processes only the first group key it encounters (AllOf→AnyOf→Notin order) and silently discards the others. Rule authors who believe they wrote compound logic get single-branch evaluation.File
Gatekeeper/Classes/FeatureFlag.ps1:27Root Cause
Fix
Notes