[release/v7.4] add CodeQL suppresion for NativeCommandProcessor (#26174)

pwshBot · web-flow · commit a27518f86136 · 2025-10-09T15:55:08.000-07:00
diff --git a/src/System.Management.Automation/engine/NativeCommandProcessor.cs b/src/System.Management.Automation/engine/NativeCommandProcessor.cs
@@ -1469,6 +1469,7 @@ private ProcessStartInfo GetProcessStartInfo(
                 {
                     using (ParameterBinderBase.bindingTracer.TraceScope("BIND argument [{0}]", NativeParameterBinderController.Arguments))
                     {
+                        // codeql[cs/microsoft/command-line-injection ] - This is intended PowerShell behavior as NativeParameterBinderController.Arguments is what the native parameter binder generates based on the user input when invoking the command and cannot be injected externally.
                         startInfo.Arguments = NativeParameterBinderController.Arguments;
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -1469,6 +1469,7 @@ private ProcessStartInfo GetProcessStartInfo(`
`1469`	`1469`	`{`
`1470`	`1470`	`using (ParameterBinderBase.bindingTracer.TraceScope("BIND argument [{0}]", NativeParameterBinderController.Arguments))`
`1471`	`1471`	`{`
	`1472`	`+ // codeql[cs/microsoft/command-line-injection ] - This is intended PowerShell behavior as NativeParameterBinderController.Arguments is what the native parameter binder generates based on the user input when invoking the command and cannot be injected externally.`
`1472`	`1473`	`startInfo.Arguments = NativeParameterBinderController.Arguments;`
`1473`	`1474`	`}`
`1474`	`1475`	`}`