Add CodeQL suppressions for UpdatableHelp and NativeCommandProcessor methods (PowerShell#26132)

anamnavi · pwshBot · commit bb0263d86ec1 · 2025-10-09T19:50:56.000Z
diff --git a/src/System.Management.Automation/engine/NativeCommandProcessor.cs b/src/System.Management.Automation/engine/NativeCommandProcessor.cs
@@ -658,6 +658,8 @@ private void InitNativeProcess()
                                 {
                                     startInfo.ArgumentList.RemoveAt(0);
                                 }
+
+                                // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
                                 startInfo.FileName = oldFileName;
                             }
                         }
diff --git a/src/System.Management.Automation/help/UpdatableHelpSystem.cs b/src/System.Management.Automation/help/UpdatableHelpSystem.cs
@@ -419,6 +419,7 @@ private string ResolveUri(string baseUri, bool verbose)
                         using (HttpClient client = new HttpClient(handler))
                         {
                             client.Timeout = new TimeSpan(0, 0, 30); // Set 30 second timeout
+                            // codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.
                             Task<HttpResponseMessage> responseMessage = client.GetAsync(uri);
                             using (HttpResponseMessage response = responseMessage.Result)
                             {
@@ -783,6 +784,7 @@ private bool DownloadHelpContentHttpClient(string uri, string fileName, Updatabl
                 using (HttpClient client = new HttpClient(handler))
                 {
                     client.Timeout = _defaultTimeout;
+                    // codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.
                     Task<HttpResponseMessage> responseMsg = client.GetAsync(new Uri(uri), _cancelTokenSource.Token);
 
                     // TODO: Should I use a continuation to write the stream to a file?

Original file line number	Diff line number	Diff line change
`@@ -658,6 +658,8 @@ private void InitNativeProcess()`
`658`	`658`	`{`
`659`	`659`	`startInfo.ArgumentList.RemoveAt(0);`
`660`	`660`	`}`
	`661`	`+`
	`662`	`+ // codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.`
`661`	`663`	`startInfo.FileName = oldFileName;`
`662`	`664`	`}`
`663`	`665`	`}`
Original file line number	Diff line number	Diff line change
`@@ -419,6 +419,7 @@ private string ResolveUri(string baseUri, bool verbose)`
`419`	`419`	`using (HttpClient client = new HttpClient(handler))`
`420`	`420`	`{`
`421`	`421`	`client.Timeout = new TimeSpan(0, 0, 30); // Set 30 second timeout`
	`422`	`+ // codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.`
`422`	`423`	`Task<HttpResponseMessage> responseMessage = client.GetAsync(uri);`
`423`	`424`	`using (HttpResponseMessage response = responseMessage.Result)`
`424`	`425`	`{`
`@@ -783,6 +784,7 @@ private bool DownloadHelpContentHttpClient(string uri, string fileName, Updatabl`
`783`	`784`	`using (HttpClient client = new HttpClient(handler))`
`784`	`785`	`{`
`785`	`786`	`client.Timeout = _defaultTimeout;`
	`787`	`+ // codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.`
`786`	`788`	`Task<HttpResponseMessage> responseMsg = client.GetAsync(new Uri(uri), _cancelTokenSource.Token);`
`787`	`789`
`788`	`790`	`// TODO: Should I use a continuation to write the stream to a file?`