Add Codeql Suppressions (PowerShell#25943)

anamnavi · SIRMARGIN · commit cd2401117708 · 2025-12-11T03:33:29.000+02:00
diff --git a/src/Microsoft.PowerShell.Commands.Management/commands/management/Process.cs b/src/Microsoft.PowerShell.Commands.Management/commands/management/Process.cs
@@ -1903,6 +1903,7 @@ protected override void BeginProcessing()
             }
             catch (CommandNotFoundException)
             {
+                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying and the process is on the user's system except for remoting in which case restricted remoting security guidelines should be used.
                 startInfo.FileName = FilePath;
 #if UNIX
                 // Arguments are passed incorrectly to the executable used for ShellExecute and not to filename https://github.com/dotnet/corefx/issues/30718
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs
@@ -1295,6 +1295,7 @@ internal virtual HttpResponseMessage GetResponse(HttpClient client, HttpRequestM
                         WriteWebRequestDebugInfo(currentRequest);
                     }
 
+                    // codeql[cs/ssrf] - This is expected Poweshell behavior where user inputted Uri is supported for the context of this method. The user assumes trust for the Uri and invocation is done on the user's machine, not a web application. If there is concern for remoting, they should use restricted remoting.
                     response = client.SendAsync(currentRequest, HttpCompletionOption.ResponseHeadersRead, _cancelToken.Token).GetAwaiter().GetResult();
 
                     if (IsWriteVerboseEnabled())
diff --git a/src/System.Management.Automation/engine/NativeCommandProcessor.cs b/src/System.Management.Automation/engine/NativeCommandProcessor.cs
@@ -1605,6 +1605,7 @@ private ProcessStartInfo GetProcessStartInfo(
         {
             var startInfo = new ProcessStartInfo
             {
+                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
                 FileName = this.Path
             };
 
diff --git a/src/System.Management.Automation/engine/remoting/common/RunspaceConnectionInfo.cs b/src/System.Management.Automation/engine/remoting/common/RunspaceConnectionInfo.cs
@@ -2272,6 +2272,7 @@ internal int StartSSHProcess(
             //   linux|macos:
             //     Subsystem powershell /usr/local/bin/pwsh -SSHServerMode -NoLogo -NoProfile
 
+            // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified, so any file executed in the runspace would be in the user's local system/process or a system they have access to in which case restricted remoting security guidelines should be used.
             System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo(filePath);
 
             // pass "-i identity_file" command line argument to ssh if KeyFilePath is set
diff --git a/src/System.Management.Automation/namespaces/FileSystemProvider.cs b/src/System.Management.Automation/namespaces/FileSystemProvider.cs
@@ -1324,6 +1324,7 @@ protected override void InvokeDefaultAction(string path)
             if (ShouldProcess(resource, action))
             {
                 var invokeProcess = new System.Diagnostics.Process();
+                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying. If there is concern for remoting, restricted remoting guidelines should be used.
                 invokeProcess.StartInfo.FileName = path;
 #if UNIX
                 bool useShellExecute = false;

Original file line number	Diff line number	Diff line change
`@@ -1903,6 +1903,7 @@ protected override void BeginProcessing()`
`1903`	`1903`	`}`
`1904`	`1904`	`catch (CommandNotFoundException)`
`1905`	`1905`	`{`
	`1906`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying and the process is on the user's system except for remoting in which case restricted remoting security guidelines should be used.`
`1906`	`1907`	`startInfo.FileName = FilePath;`
`1907`	`1908`	`#if UNIX`
`1908`	`1909`	`// Arguments are passed incorrectly to the executable used for ShellExecute and not to filename https://github.com/dotnet/corefx/issues/30718`
Original file line number	Diff line number	Diff line change
`@@ -1295,6 +1295,7 @@ internal virtual HttpResponseMessage GetResponse(HttpClient client, HttpRequestM`
`1295`	`1295`	`WriteWebRequestDebugInfo(currentRequest);`
`1296`	`1296`	`}`
`1297`	`1297`
	`1298`	`+ // codeql[cs/ssrf] - This is expected Poweshell behavior where user inputted Uri is supported for the context of this method. The user assumes trust for the Uri and invocation is done on the user's machine, not a web application. If there is concern for remoting, they should use restricted remoting.`
`1298`	`1299`	`response = client.SendAsync(currentRequest, HttpCompletionOption.ResponseHeadersRead, _cancelToken.Token).GetAwaiter().GetResult();`
`1299`	`1300`
`1300`	`1301`	`if (IsWriteVerboseEnabled())`
Original file line number	Diff line number	Diff line change
`@@ -1605,6 +1605,7 @@ private ProcessStartInfo GetProcessStartInfo(`
`1605`	`1605`	`{`
`1606`	`1606`	`var startInfo = new ProcessStartInfo`
`1607`	`1607`	`{`
	`1608`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
`1608`	`1609`	`FileName = this.Path`
`1609`	`1610`	`};`
`1610`	`1611`
Original file line number	Diff line number	Diff line change
`@@ -1324,6 +1324,7 @@ protected override void InvokeDefaultAction(string path)`
`1324`	`1324`	`if (ShouldProcess(resource, action))`
`1325`	`1325`	`{`
`1326`	`1326`	`var invokeProcess = new System.Diagnostics.Process();`
	`1327`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying. If there is concern for remoting, restricted remoting guidelines should be used.`
`1327`	`1328`	`invokeProcess.StartInfo.FileName = path;`
`1328`	`1329`	`#if UNIX`
`1329`	`1330`	`bool useShellExecute = false;`