System.CommandLine: add notes based on Threat Model review (#48184)

adamsitnik · web-flow · commit a9efdf2b27b4 · 2025-09-10T11:41:32.000-07:00
diff --git a/docs/standard/commandline/how-to-configure-the-parser.md b/docs/standard/commandline/how-to-configure-the-parser.md
@@ -31,6 +31,8 @@ They are exposed by the <xref:System.CommandLine.ParseResult.Configuration?displ
 
 [Response files](syntax.md#response-files) are enabled by default, but you can disable them by setting the <xref:System.CommandLine.ParserConfiguration.ResponseFileTokenReplacer> property to `null`. You can also provide a custom implementation to customize how response files are processed.
 
+Response file can contain other response file names, hence parsing might include opening other files. The library expects that all response files were generated and stored by trustworthy agents.
+
 ## InvocationConfiguration
 
 ### Standard output and error
diff --git a/docs/standard/commandline/syntax.md b/docs/standard/commandline/syntax.md
@@ -43,6 +43,8 @@ A token can contain spaces if it's enclosed in quotation marks (`"`). Here's an
 dotnet tool search "ef migrations add"
 ```
 
+The symbol hierarchy (commands, options, arguments) is considered to be trusted input; the token values are not.
+
 ## Commands
 
 A *command* in command-line input is a token that specifies an action or defines a group of related actions. For example:
