GitHub-Mirror/PowerShell
1
0
Fork 0
mirror of https://github.com/PowerShell/PowerShell synced 2025-10-06 00:22:59 +02:00
Code Issues Releases Wiki Activity

Add CodeQL suppressions for UpdatableHelp and NativeCommandProcessor methods (#26132)

Browse Source
This commit is contained in:
Anam Navied
2025-10-01 18:52:12 -04:00
committed by GitHub
parent 31cd731926
commit d5267d2ee6
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/System.Management.Automation/engine/NativeCommandProcessor.cs
View File

@@ -854,6 +854,8 @@ namespace System.Management.Automation
{ {
startInfo.ArgumentList.RemoveAt(0); startInfo.ArgumentList.RemoveAt(0);
} }
// codeql[cs/microsoft/command-line-injection-shell-execution] - This is expected Poweshell behavior where user inputted paths are supported for the context of this method. The user assumes trust for the file path specified on the user's system to retrieve process info for, and in the case of remoting, restricted remoting security guidelines should be used.
startInfo.FileName = oldFileName; startInfo.FileName = oldFileName;
} }
} }

2
src/System.Management.Automation/help/UpdatableHelpSystem.cs
View File

@@ -419,6 +419,7 @@ namespace System.Management.Automation.Help
using (HttpClient client = new HttpClient(handler)) using (HttpClient client = new HttpClient(handler))
{ {
client.Timeout = new TimeSpan(0, 0, 30); // Set 30 second timeout client.Timeout = new TimeSpan(0, 0, 30); // Set 30 second timeout
// codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.
Task<HttpResponseMessage> responseMessage = client.GetAsync(uri); Task<HttpResponseMessage> responseMessage = client.GetAsync(uri);
using (HttpResponseMessage response = responseMessage.Result) using (HttpResponseMessage response = responseMessage.Result)
{ {
@@ -783,6 +784,7 @@ namespace System.Management.Automation.Help
using (HttpClient client = new HttpClient(handler)) using (HttpClient client = new HttpClient(handler))
{ {
client.Timeout = _defaultTimeout; client.Timeout = _defaultTimeout;
// codeql[cs/ssrf] - This is expected Poweshell behavior and the user assumes trust for the module they download and any URIs it references. The URIs are also not executables or scripts that would be invoked by this method.
Task<HttpResponseMessage> responseMsg = client.GetAsync(new Uri(uri), _cancelTokenSource.Token); Task<HttpResponseMessage> responseMsg = client.GetAsync(new Uri(uri), _cancelTokenSource.Token);
// TODO: Should I use a continuation to write the stream to a file? // TODO: Should I use a continuation to write the stream to a file?