Add CodeQL suppressions for NativeCommandProcessor (PowerShell#26729)

anamnavi · web-flow · commit 34f6e267a4a7 · 2026-02-02T16:45:16.000-08:00
diff --git a/src/System.Management.Automation/engine/NativeCommandProcessor.cs b/src/System.Management.Automation/engine/NativeCommandProcessor.cs
@@ -831,6 +831,7 @@ private void InitNativeProcess()
                             bool useSpecialArgumentPassing = UseSpecialArgumentPassing(oldFileName);
                             if (useSpecialArgumentPassing)
                             {
+                                // codeql[cs/microsoft/command-line-injection] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method and the path portion of the argument is escaped. The user assumes trust for the file path specified on the user's system to start process for, and in the case of remoting, restricted remoting security guidelines should be used.
                                 startInfo.Arguments = "\"" + oldFileName + "\" " + startInfo.Arguments;
                             }
                             else
@@ -855,7 +856,7 @@ private void InitNativeProcess()
                                     startInfo.ArgumentList.RemoveAt(0);
                                 }
 
-                                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
+                                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
                                 startInfo.FileName = oldFileName;
                             }
                         }
@@ -1607,7 +1608,7 @@ private ProcessStartInfo GetProcessStartInfo(
         {
             var startInfo = new ProcessStartInfo
             {
-                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
+                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
                 FileName = this.Path
             };
 

Original file line number	Diff line number	Diff line change
`@@ -831,6 +831,7 @@ private void InitNativeProcess()`
`831`	`831`	`bool useSpecialArgumentPassing = UseSpecialArgumentPassing(oldFileName);`
`832`	`832`	`if (useSpecialArgumentPassing)`
`833`	`833`	`{`
	`834`	`+ // codeql[cs/microsoft/command-line-injection] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method and the path portion of the argument is escaped. The user assumes trust for the file path specified on the user's system to start process for, and in the case of remoting, restricted remoting security guidelines should be used.`
`834`	`835`	`startInfo.Arguments = "\"" + oldFileName + "\" " + startInfo.Arguments;`
`835`	`836`	`}`
`836`	`837`	`else`
`@@ -855,7 +856,7 @@ private void InitNativeProcess()`
`855`	`856`	`startInfo.ArgumentList.RemoveAt(0);`
`856`	`857`	`}`
`857`	`858`
`858`		`- // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
	`859`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
`859`	`860`	`startInfo.FileName = oldFileName;`
`860`	`861`	`}`
`861`	`862`	`}`
`@@ -1607,7 +1608,7 @@ private ProcessStartInfo GetProcessStartInfo(`
`1607`	`1608`	`{`
`1608`	`1609`	`var startInfo = new ProcessStartInfo`
`1609`	`1610`	`{`
`1610`		`- // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
	`1611`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected PowerShell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
`1611`	`1612`	`FileName = this.Path`
`1612`	`1613`	`};`
`1613`	`1614`