Add CodeQL suppressions for PowerShell intended behavior (PowerShell#25359)

anamnavi · web-flow · commit 4e3875c3780b · 2025-04-15T01:52:00.000Z
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
@@ -684,6 +684,7 @@ private void LoadAssemblies(IEnumerable<string> assemblies)
             {
                 // CoreCLR doesn't allow re-load TPA assemblies with different API (i.e. we load them by name and now want to load by path).
                 // LoadAssemblyHelper helps us avoid re-loading them, if they already loaded.
+                // codeql[cs/dll-injection-remote] - This is expected PowerShell behavior and integral to the purpose of the class. It allows users to load any C# dependencies they need for their PowerShell application and add other types they require.
                 Assembly assembly = LoadAssemblyHelper(assemblyName) ?? Assembly.LoadFrom(ResolveAssemblyName(assemblyName, false));
 
                 if (PassThru)
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs
@@ -1771,6 +1771,7 @@ private static StringContent GetMultipartStringContent(object fieldName, object
             ContentDispositionHeaderValue contentDisposition = new("form-data");
             contentDisposition.Name = LanguagePrimitives.ConvertTo<string>(fieldName);
 
+            // codeql[cs/information-exposure-through-exception] - PowerShell is an on-premise product, meaning local users would already have access to the binaries and stack traces. Therefore, the information would not be exposed in the same way it would be for an ASP .NET service.
             StringContent result = new(LanguagePrimitives.ConvertTo<string>(fieldValue));
             result.Headers.ContentDisposition = contentDisposition;
 
diff --git a/src/System.Management.Automation/engine/ExecutionContext.cs b/src/System.Management.Automation/engine/ExecutionContext.cs
@@ -1385,6 +1385,7 @@ private static Assembly LoadAssembly(string name, string filePath, out Exception
             {
                 try
                 {
+                    // codeql[cs/dll-injection-remote] - The dll is loaded during the initial state setup, which is expected behavior. This allows users hosting PowerShell to load additional C# types to enable their specific scenarios.
                     loadedAssembly = Assembly.LoadFrom(filePath);
                     return loadedAssembly;
                 }

Original file line number	Diff line number	Diff line change
`@@ -684,6 +684,7 @@ private void LoadAssemblies(IEnumerable<string> assemblies)`
`684`	`684`	`{`
`685`	`685`	`// CoreCLR doesn't allow re-load TPA assemblies with different API (i.e. we load them by name and now want to load by path).`
`686`	`686`	`// LoadAssemblyHelper helps us avoid re-loading them, if they already loaded.`
	`687`	`+ // codeql[cs/dll-injection-remote] - This is expected PowerShell behavior and integral to the purpose of the class. It allows users to load any C# dependencies they need for their PowerShell application and add other types they require.`
`687`	`688`	`Assembly assembly = LoadAssemblyHelper(assemblyName) ?? Assembly.LoadFrom(ResolveAssemblyName(assemblyName, false));`
`688`	`689`
`689`	`690`	`if (PassThru)`
Original file line number	Diff line number	Diff line change
`@@ -1385,6 +1385,7 @@ private static Assembly LoadAssembly(string name, string filePath, out Exception`
`1385`	`1385`	`{`
`1386`	`1386`	`try`
`1387`	`1387`	`{`
	`1388`	`+ // codeql[cs/dll-injection-remote] - The dll is loaded during the initial state setup, which is expected behavior. This allows users hosting PowerShell to load additional C# types to enable their specific scenarios.`
`1388`	`1389`	`loadedAssembly = Assembly.LoadFrom(filePath);`
`1389`	`1390`	`return loadedAssembly;`
`1390`	`1391`	`}`