Expand Up @@ -1926,6 +1926,7 @@ protected override void BeginProcessing()
}
catch (CommandNotFoundException)
{
// codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying and the process is on the user's system except for remoting in which case restricted remoting security guidelines should be used.
startInfo.FileName = FilePath;
#if UNIX
// Arguments are passed incorrectly to the executable used for ShellExecute and not to filename https://github.com/dotnet/corefx/issues/30718
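Review bot: The suppression text on the line before `startInfo.FileName = FilePath;` misspells the product name as "Poweshell", and the same spelling is in the other four suppressions in this change (GetResponse, GetProcessStartInfo, StartSSHProcess, InvokeDefaultAction), so fix them together. Because these justifications are what a later reader uses to decide whether the CodeQL alert may stay suppressed, state the condition that would invalidate the suppression rather than only the current assumption, e.g. `// codeql[cs/microsoft/command-line-injection-shell-execution] - Expected PowerShell behavior: FilePath is the cmdlet's user-supplied input and runs in the user's own session; re-evaluate if this path becomes reachable from a restricted remoting endpoint.` This assignment is the fallback taken in the `catch (CommandNotFoundException)` branch, and the UseShellExecute handling it feeds continues in the `#if UNIX` block below, so BeginProcessing's body extends beyond what the hunk shows.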
Expand Up @@ -1296,6 +1296,7 @@ internal virtual HttpResponseMessage GetResponse(HttpClient client, HttpRequestM
_cancelToken = new CancellationTokenSource();
try
{
// codeql[cs/ssrf] - This is expected Poweshell behavior where user inputted Uri is supported for the context of this method. The user assumes trust for the Uri and invocation is done on the user's machine, not a web application. If there is concern for remoting, they should use restricted remoting.
response = client.SendAsync(currentRequest, HttpCompletionOption.ResponseHeadersRead, _cancelToken.Token).GetAwaiter().GetResult();
}
catch (TaskCanceledException ex)
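Review bot: The `cs/ssrf` suppression above the `client.SendAsync(...)` call rests on where PowerShell runs ("not a web application"), yet the comment itself concedes the same sink is reachable through remoting, so the justification should name the boundary that has to hold rather than the deployment it expects. Something like `// codeql[cs/ssrf] - The Uri is the cmdlet's user-supplied input and the request is issued from the caller's own session, not on behalf of a remote party; re-evaluate if this path is exposed through a restricted remoting endpoint.` makes that explicit. GetResponse begins before this hunk and continues past it, so whether currentRequest's Uri can be derived from anything other than cmdlet parameters cannot be confirmed from these lines.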
Expand Up @@ -1397,6 +1397,7 @@ private ProcessStartInfo GetProcessStartInfo(
{
var startInfo = new ProcessStartInfo
{
// codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
FileName = this.Path
};

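Review bot: The suppression comment is placed inside the object initializer, on the line before `FileName = this.Path`, while the `new ProcessStartInfo` expression starts two lines earlier; if CodeQL attributes the alert to the object-creation line rather than to the property assignment, a comment that is not on the line immediately preceding the alert would not suppress it (to my understanding of inline suppressions). Confirm the reported alert location in the CodeQL results and, if needed, move the comment above `var startInfo = new ProcessStartInfo`. If `this.Path` is the cmdlet's user-supplied parameter, say so in the comment so the trust claim is tied to a specific input rather than to "the file path specified". GetProcessStartInfo's signature begins on the hunk header line and its body continues below the hunk.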
Expand Up @@ -2230,6 +2230,7 @@ internal int StartSSHProcess(
// linux|macos:
// Subsystem powershell /usr/local/bin/pwsh -SSHServerMode -NoLogo -NoProfile

// codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified, so any file executed in the runspace would be in the user's local system/process or a system they have access to in which case restricted remoting security guidelines should be used.
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo(filePath);

// pass "-i identity_file" command line argument to ssh if KeyFilePath is set
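Review bot: The suppression on the line before `System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo(filePath);` packs the whole justification into one roughly 300-character line, and its wording ("any file executed in the runspace") does not say what is actually launched here, which from the surrounding comments appears to be the ssh client with the subsystem shown above. Wrap the explanation over several comment lines and keep the `// codeql[...]` marker as the last line before the statement, since to my understanding the marker must sit immediately before the alert; for example `// filePath is the ssh client the user selected; ssh, not an arbitrary file, is what this process runs.` followed by `// codeql[cs/microsoft/command-line-injection-shell-execution] - expected PowerShell behavior, see above.` StartSSHProcess's signature is on the hunk header line and its body continues after the hunk, where the `-i identity_file` argument is added.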
Expand Up @@ -1324,6 +1324,7 @@ protected override void InvokeDefaultAction(string path)
if (ShouldProcess(resource, action))
{
var invokeProcess = new System.Diagnostics.Process();
// codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path they are specifying. If there is concern for remoting, restricted remoting guidelines should be used.
invokeProcess.StartInfo.FileName = path;
#if UNIX
bool useShellExecute = false;
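Review bot: The justification on the line before `invokeProcess.StartInfo.FileName = path;` leaves out the strongest local argument visible in the hunk: the launch is gated by `ShouldProcess(resource, action)` two lines above, so -WhatIf and -Confirm apply and the user explicitly approves the path being invoked. Suggest `// codeql[cs/microsoft/command-line-injection-shell-execution] - Expected PowerShell behavior: path is the item the user asked to invoke and the launch is gated by ShouldProcess above, so the user trusts the path they specify; apply restricted remoting security guidelines if remoting is a concern.` The phrase "restricted remoting guidelines" here also differs from "restricted remoting security guidelines" used in the other four suppressions in this change; pick one. InvokeDefaultAction's body continues past the hunk into the `#if UNIX` block where `useShellExecute` is decided.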