From a93c07cc2b77f491973c9a035dd8af9e5a5e349a Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 10 Feb 2026 09:41:48 -0600 Subject: [PATCH 1/2] Ad note about trusting ApplicationArguments data --- .../About/about_Automatic_Variables.md | 8 +++++++- .../New-PSSessionOption.md | 9 +++++++-- .../About/about_Automatic_Variables.md | 10 +++++++--- .../New-PSSessionOption.md | 13 +++++++++---- .../About/about_Automatic_Variables.md | 8 +++++++- .../New-PSSessionOption.md | 9 +++++++-- .../About/about_Automatic_Variables.md | 8 +++++++- .../New-PSSessionOption.md | 13 +++++++++---- 8 files changed, 60 insertions(+), 18 deletions(-) diff --git a/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 7e4d75e2b308..6e12e067d4f4 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -1,7 +1,7 @@ --- description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 02/10/2026 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 
@@ -583,6 +583,12 @@ from the originating session. To add data to the **ApplicationArguments** property, use the **ApplicationArguments** parameter of the `New-PSSessionOption` cmdlet. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using +> this for security decisions could allow attackers to bypass authorization +> controls. Never use this data for trust decisions. Validate all user input +> when used for other application logic. + ### `$PSUICulture` Contains the name of the user interface (UI) culture that's configured in the diff --git a/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md index e1fe0f07f77f..b8fc85a122e0 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 12/09/2022 +ms.date: 02/10/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 title: New-PSSessionOption 
@@ -267,11 +267,16 @@ The final `Invoke-Command` shows how the data might be used. ### -ApplicationArguments -Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the +Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the remote session, including startup scripts in the session configuration, can find this dictionary in the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this parameter to send data to the remote session. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using this for security +> decisions could allow attackers to bypass authorization controls. Never use this data for trust +> decisions. Validate all user input when used for other application logic. + For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and [about_Automatic_Variables](about/about_Automatic_Variables.md). diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 02dbc226efb7..b942556ac4ff 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -1,7 +1,7 @@ --- description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 02/10/2026 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 
@@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments** property, use the **ApplicationArguments** parameter of the `New-PSSessionOption` cmdlet. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using +> this for security decisions could allow attackers to bypass authorization +> controls. Never use this data for trust decisions. Validate all user input +> when used for other application logic. + ### `$PSUICulture` Contains the name of the user interface (UI) culture that's configured in the @@ -1155,5 +1161,3 @@ Default (Current): End [76]: xref:System.Collections.IEnumerator.MoveNext [77]: xref:System.Collections.IEnumerator.Reset - - diff --git a/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md index 80020ae12a64..3095c013d924 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 12/09/2022 +ms.date: 02/10/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: New-PSSessionOption 
@@ -267,14 +267,19 @@ The final `Invoke-Command` shows how the data might be used. ### -ApplicationArguments -Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the +Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the remote session, including startup scripts in the session configuration, can find this dictionary in the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this parameter to send data to the remote session. -For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using this for security +> decisions could allow attackers to bypass authorization controls. Never use this data for trust +> decisions. Validate all user input when used for other application logic. + +For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and -[about_Automatic_Variables](about/about_Automatic_Variables.md). +[about_Automatic_Variables](About/about_Automatic_Variables.md). ```yaml Type: System.Management.Automation.PSPrimitiveDictionary diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 70ad43465fcd..7e7cb9ea95bf 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md 
@@ -1,7 +1,7 @@ --- description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 02/10/2026 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments** property, use the **ApplicationArguments** parameter of the `New-PSSessionOption` cmdlet. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using +> this for security decisions could allow attackers to bypass authorization +> controls. Never use this data for trust decisions. Validate all user input +> when used for other application logic. + ### `$PSUICulture` Contains the name of the user interface (UI) culture that's configured in the diff --git a/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md index b2f19594dea2..e66e99c421d9 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 12/09/2022 +ms.date: 02/10/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 title: New-PSSessionOption 
@@ -267,11 +267,16 @@ The final `Invoke-Command` shows how the data might be used. ### -ApplicationArguments -Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the +Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the remote session, including startup scripts in the session configuration, can find this dictionary in the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this parameter to send data to the remote session. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using this for security +> decisions could allow attackers to bypass authorization controls. Never use this data for trust +> decisions. Validate all user input when used for other application logic. + For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and [about_Automatic_Variables](About/about_Automatic_Variables.md). diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 179dfefa6f37..ab3406696c7a 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -1,7 +1,7 @@ --- description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell. Locale: en-US -ms.date: 01/18/2026 +ms.date: 02/10/2026 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 
@@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments** property, use the **ApplicationArguments** parameter of the `New-PSSessionOption` cmdlet. +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using +> this for security decisions could allow attackers to bypass authorization +> controls. Never use this data for trust decisions. Validate all user input +> when used for other application logic. + ### `$PSUICulture` Contains the name of the user interface (UI) culture that's configured in the diff --git a/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md index 0773f2a32dee..ee20979bc5e7 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -2,7 +2,7 @@ external help file: System.Management.Automation.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Core -ms.date: 12/09/2022 +ms.date: 02/10/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 title: New-PSSessionOption 
@@ -267,14 +267,19 @@ The final `Invoke-Command` shows how the data might be used. ### -ApplicationArguments -Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the +Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the remote session, including startup scripts in the session configuration, can find this dictionary in the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this parameter to send data to the remote session. -For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), +> [!IMPORTANT] +> Since this property contains data explicitly provided by the client, using this for security +> decisions could allow attackers to bypass authorization controls. Never use this data for trust +> decisions. Validate all user input when used for other application logic. + +For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and -[about_Automatic_Variables](about/about_Automatic_Variables.md). +[about_Automatic_Variables](About/about_Automatic_Variables.md). ```yaml Type: System.Management.Automation.PSPrimitiveDictionary From 76c0cb730355dac33718b1df862bd4a22f78f8ef Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 10 Feb 2026 09:52:27 -0600 Subject: [PATCH 2/2] Add link to OWASP --- .../About/about_Automatic_Variables.md | 8 +++----- .../5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md | 7 ++++--- .../About/about_Automatic_Variables.md | 6 +++--- .../7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md | 3 ++- .../About/about_Automatic_Variables.md | 6 +++--- .../7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md | 3 ++- .../About/about_Automatic_Variables.md | 6 +++--- .../7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md | 3 ++- 8 files changed, 22 insertions(+), 20 deletions(-) 
diff --git a/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 6e12e067d4f4..aa6467ae692f 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -586,8 +586,8 @@ property, use the **ApplicationArguments** parameter of the > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using > this for security decisions could allow attackers to bypass authorization -> controls. Never use this data for trust decisions. Validate all user input -> when used for other application logic. +> controls. Never use this data for trust decisions. +> [Validate all user input][78] when used for other application logic. ### `$PSUICulture` @@ -1120,6 +1120,4 @@ Default (Current): End [75]: xref:System.Collections.IEnumerator.Current [76]: xref:System.Collections.IEnumerator.MoveNext [77]: xref:System.Collections.IEnumerator.Reset - - - +[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ diff --git a/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md index b8fc85a122e0..72a8cc352c84 100644 --- a/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md 
@@ -275,11 +275,12 @@ parameter to send data to the remote session. > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using this for security > decisions could allow attackers to bypass authorization controls. Never use this data for trust -> decisions. Validate all user input when used for other application logic. +> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/) +> when used for other application logic. -For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), +For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and -[about_Automatic_Variables](about/about_Automatic_Variables.md). +[about_Automatic_Variables](About/about_Automatic_Variables.md). ```yaml Type: System.Management.Automation.PSPrimitiveDictionary diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index b942556ac4ff..55b127c6ff49 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -622,8 +622,8 @@ property, use the **ApplicationArguments** parameter of the > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using > this for security decisions could allow attackers to bypass authorization -> controls. Never use this data for trust decisions. Validate all user input -> when used for other application logic. +> controls. Never use this data for trust decisions. +> [Validate all user input][78] when used for other application logic. ### `$PSUICulture` 
@@ -1160,4 +1160,4 @@ Default (Current): End [75]: xref:System.Collections.IEnumerator.Current [76]: xref:System.Collections.IEnumerator.MoveNext [77]: xref:System.Collections.IEnumerator.Reset - +[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ diff --git a/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md index 3095c013d924..5c18dff801d5 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -275,7 +275,8 @@ parameter to send data to the remote session. > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using this for security > decisions could allow attackers to bypass authorization controls. Never use this data for trust -> decisions. Validate all user input when used for other application logic. +> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/) +> when used for other application logic. For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index 7e7cb9ea95bf..66a95cdeb02c 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md 
@@ -622,8 +622,8 @@ property, use the **ApplicationArguments** parameter of the > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using > this for security decisions could allow attackers to bypass authorization -> controls. Never use this data for trust decisions. Validate all user input -> when used for other application logic. +> controls. Never use this data for trust decisions. +> [Validate all user input][78] when used for other application logic. ### `$PSUICulture` @@ -1160,4 +1160,4 @@ Default (Current): End [75]: xref:System.Collections.IEnumerator.Current [76]: xref:System.Collections.IEnumerator.MoveNext [77]: xref:System.Collections.IEnumerator.Reset - +[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ diff --git a/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md index e66e99c421d9..57ea39466b69 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md @@ -275,7 +275,8 @@ parameter to send data to the remote session. > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using this for security > decisions could allow attackers to bypass authorization controls. Never use this data for trust -> decisions. Validate all user input when used for other application logic. +> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/) +> when used for other application logic. For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and 
diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md index ab3406696c7a..6abf3a21a87b 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md @@ -622,8 +622,8 @@ property, use the **ApplicationArguments** parameter of the > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using > this for security decisions could allow attackers to bypass authorization -> controls. Never use this data for trust decisions. Validate all user input -> when used for other application logic. +> controls. Never use this data for trust decisions. +> [Validate all user input][78] when used for other application logic. ### `$PSUICulture` @@ -1160,4 +1160,4 @@ Default (Current): End [75]: xref:System.Collections.IEnumerator.Current [76]: xref:System.Collections.IEnumerator.MoveNext [77]: xref:System.Collections.IEnumerator.Reset - +[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/ diff --git a/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md b/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md index ee20979bc5e7..097c9a7645bc 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md +++ b/reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md 
@@ -275,7 +275,8 @@ parameter to send data to the remote session. > [!IMPORTANT] > Since this property contains data explicitly provided by the client, using this for security > decisions could allow attackers to bypass authorization controls. Never use this data for trust -> decisions. Validate all user input when used for other application logic. +> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/) +> when used for other application logic. For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), [about_Session_Configurations](About/about_Session_Configurations.md), and
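Review bot: In the `$PSSenderInfo` hunks of about_Automatic_Variables.md in patch 1/2 (`@@ -583,6 +583,12 @@` for 5.1 and `@@ -619,6 +619,12 @@` for 7.4, 7.5 and 7.6), the last sentence of the added alert, "Validate all user input when used for other application logic", gives "when used" no subject and never names the data it means. Name the data explicitly, for example: "Never use **ApplicationArguments** data for trust decisions. Validate it before using it in any other application logic." The earlier clause "using this for security decisions" has the same vague "this" and can be spelled out the same way.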
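Review bot: In the `-ApplicationArguments` hunks of New-PSSessionOption.md in patch 1/2 (the `@@ -267,... @@` hunks in all four versions), the added alert opens with "Since this property contains data explicitly provided by the client", but this section documents a parameter. The only property in the paragraph is the **ApplicationArguments** property of `$PSSenderInfo`, mentioned two sentences earlier. The wording matches the alert added to about_Automatic_Variables.md, where "this property" is accurate. On the cmdlet page, suggest something like "Since the dictionary passed with this parameter is provided by the client, ..." so the warning refers to what the reader is looking at.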
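Review bot: In the front-matter hunk for reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md in patch 1/2 (`@@ -1,7 +1,7 @@`), the unchanged `online version:` context line ends in `view=powershell-5.1`, while the 7.5 and 7.6 copies of the same file use `view=powershell-7.5` and `view=powershell-7.6`. Since this hunk already edits the front matter for `ms.date`, correct the 7.4 link to `view=powershell-7.4` in the same change.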
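Review bot: In patch 2/2, the 5.1 New-PSSessionOption.md hunk (`@@ -275,11 +275,12 @@`) also changes `about/about_Hash_Tables.md` and `about/about_Automatic_Variables.md` to `About/...`, which the subject "Add link to OWASP" does not cover. The same path fix for 7.4 and 7.6 went into patch 1/2, so either move the 5.1 fix there or mention it in this commit message. Separately, the New-PSSessionOption.md hunks in this patch place the OWASP URL inline, which produces one very long line inside the alert, while the about_Automatic_Variables.md hunks use a reference-style `[78]` definition. A reference-style link in the cmdlet pages would keep the alert text wrapped like the lines around it and leave a single place to update the URL per file.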