Skip to content

Add note about trusting ApplicationArguments data #12746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sdwheeler merged 2 commits into from
Feb 10, 2026
Merged

Add note about trusting ApplicationArguments data #12746

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a93c07c
Ad note about trusting ApplicationArguments data
sdwheeler Feb 10, 2026
76c0cb7
Add link to OWASP
sdwheeler Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
Locale: en-US
ms.date: 01/18/2026
ms.date: 02/10/2026
no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp
schema: 2.0.0
Expand Down Expand Up @@ -583,6 +583,12 @@ from the originating session. To add data to the **ApplicationArguments**
property, use the **ApplicationArguments** parameter of the
`New-PSSessionOption` cmdlet.

> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using
> this for security decisions could allow attackers to bypass authorization
> controls. Never use this data for trust decisions.
> [Validate all user input][78] when used for other application logic.

### `$PSUICulture`

Contains the name of the user interface (UI) culture that's configured in the
Expand Down Expand Up @@ -1114,6 +1120,4 @@ Default (Current): End
[75]: xref:System.Collections.IEnumerator.Current
[76]: xref:System.Collections.IEnumerator.MoveNext
[77]: xref:System.Collections.IEnumerator.Reset



[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/
14 changes: 10 additions & 4 deletions reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
external help file: System.Management.Automation.dll-Help.xml
Locale: en-US
Module Name: Microsoft.PowerShell.Core
ms.date: 12/09/2022
ms.date: 02/10/2026
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-5.1&WT.mc_id=ps-gethelp
schema: 2.0.0
title: New-PSSessionOption
Expand Down Expand Up @@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.

### -ApplicationArguments

Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
remote session, including startup scripts in the session configuration, can find this dictionary in
the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
parameter to send data to the remote session.

For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using this for security
> decisions could allow attackers to bypass authorization controls. Never use this data for trust
> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
> when used for other application logic.

For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
[about_Session_Configurations](About/about_Session_Configurations.md), and
[about_Automatic_Variables](about/about_Automatic_Variables.md).
[about_Automatic_Variables](About/about_Automatic_Variables.md).

```yaml
Type: System.Management.Automation.PSPrimitiveDictionary
Expand Down
12 changes: 8 additions & 4 deletions reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
Locale: en-US
ms.date: 01/18/2026
ms.date: 02/10/2026
no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The online version URL is using view=powershell-5.1 in the 7.4 reference topic, which will send readers to the wrong version of the docs. Please update the querystring to view=powershell-7.4 to match this file's versioned folder.

Suggested change
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.4&WT.mc_id=ps-gethelp

Copilot uses AI. Check for mistakes.
schema: 2.0.0
Expand Down Expand Up @@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
property, use the **ApplicationArguments** parameter of the
`New-PSSessionOption` cmdlet.

> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using
> this for security decisions could allow attackers to bypass authorization
> controls. Never use this data for trust decisions.
> [Validate all user input][78] when used for other application logic.

### `$PSUICulture`

Contains the name of the user interface (UI) culture that's configured in the
Expand Down Expand Up @@ -1154,6 +1160,4 @@ Default (Current): End
[75]: xref:System.Collections.IEnumerator.Current
[76]: xref:System.Collections.IEnumerator.MoveNext
[77]: xref:System.Collections.IEnumerator.Reset



[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/
14 changes: 10 additions & 4 deletions reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
external help file: System.Management.Automation.dll-Help.xml
Locale: en-US
Module Name: Microsoft.PowerShell.Core
ms.date: 12/09/2022
ms.date: 02/10/2026
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.4&WT.mc_id=ps-gethelp
schema: 2.0.0
title: New-PSSessionOption
Expand Down Expand Up @@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.

### -ApplicationArguments

Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
remote session, including startup scripts in the session configuration, can find this dictionary in
the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
parameter to send data to the remote session.

For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using this for security
> decisions could allow attackers to bypass authorization controls. Never use this data for trust
> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
> when used for other application logic.

For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
[about_Session_Configurations](About/about_Session_Configurations.md), and
[about_Automatic_Variables](about/about_Automatic_Variables.md).
[about_Automatic_Variables](About/about_Automatic_Variables.md).
Comment thread
sdwheeler marked this conversation as resolved.

```yaml
Type: System.Management.Automation.PSPrimitiveDictionary
Expand Down
10 changes: 8 additions & 2 deletions reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
Locale: en-US
ms.date: 01/18/2026
ms.date: 02/10/2026
no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.5&WT.mc_id=ps-gethelp
schema: 2.0.0
Expand Down Expand Up @@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
property, use the **ApplicationArguments** parameter of the
`New-PSSessionOption` cmdlet.

> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using
> this for security decisions could allow attackers to bypass authorization
> controls. Never use this data for trust decisions.
> [Validate all user input][78] when used for other application logic.
### `$PSUICulture`

Contains the name of the user interface (UI) culture that's configured in the
Expand Down Expand Up @@ -1154,4 +1160,4 @@ Default (Current): End
[75]: xref:System.Collections.IEnumerator.Current
[76]: xref:System.Collections.IEnumerator.MoveNext
[77]: xref:System.Collections.IEnumerator.Reset

[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/
10 changes: 8 additions & 2 deletions reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
external help file: System.Management.Automation.dll-Help.xml
Locale: en-US
Module Name: Microsoft.PowerShell.Core
ms.date: 12/09/2022
ms.date: 02/10/2026
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.5&WT.mc_id=ps-gethelp
schema: 2.0.0
title: New-PSSessionOption
Expand Down Expand Up @@ -267,11 +267,17 @@ The final `Invoke-Command` shows how the data might be used.

### -ApplicationArguments

Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
remote session, including startup scripts in the session configuration, can find this dictionary in
the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
parameter to send data to the remote session.

> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using this for security
> decisions could allow attackers to bypass authorization controls. Never use this data for trust
> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
> when used for other application logic.

For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
[about_Session_Configurations](About/about_Session_Configurations.md), and
[about_Automatic_Variables](About/about_Automatic_Variables.md).
Comment on lines 281 to 283
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file still contains a relative link using about/... (lowercase) earlier in the page (example section). There is no about directory here (only About/), so the link will be broken on case-sensitive systems; please update it to About/... for consistency with the other links in this section.

Copilot uses AI. Check for mistakes.
Expand Down
10 changes: 8 additions & 2 deletions reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
Locale: en-US
ms.date: 01/18/2026
ms.date: 02/10/2026
no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.6&WT.mc_id=ps-gethelp
schema: 2.0.0
Expand Down Expand Up @@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
property, use the **ApplicationArguments** parameter of the
`New-PSSessionOption` cmdlet.

> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using
> this for security decisions could allow attackers to bypass authorization
> controls. Never use this data for trust decisions.
> [Validate all user input][78] when used for other application logic.

### `$PSUICulture`

Contains the name of the user interface (UI) culture that's configured in the
Expand Down Expand Up @@ -1154,4 +1160,4 @@ Default (Current): End
[75]: xref:System.Collections.IEnumerator.Current
[76]: xref:System.Collections.IEnumerator.MoveNext
[77]: xref:System.Collections.IEnumerator.Reset

[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/
14 changes: 10 additions & 4 deletions reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
external help file: System.Management.Automation.dll-Help.xml
Locale: en-US
Module Name: Microsoft.PowerShell.Core
ms.date: 12/09/2022
ms.date: 02/10/2026
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.6&WT.mc_id=ps-gethelp
schema: 2.0.0
title: New-PSSessionOption
Expand Down Expand Up @@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.

### -ApplicationArguments

Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
remote session, including startup scripts in the session configuration, can find this dictionary in
the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
parameter to send data to the remote session.

For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
> [!IMPORTANT]
> Since this property contains data explicitly provided by the client, using this for security
> decisions could allow attackers to bypass authorization controls. Never use this data for trust
> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
> when used for other application logic.

For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
[about_Session_Configurations](About/about_Session_Configurations.md), and
[about_Automatic_Variables](about/about_Automatic_Variables.md).
[about_Automatic_Variables](About/about_Automatic_Variables.md).
Comment on lines +281 to +283
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file still contains a relative link using about/... (lowercase) earlier in the page (for example in the preceding example section). There is no about directory here (only About/), so please update remaining about/... links to About/... to avoid broken links on case-sensitive systems.

Copilot uses AI. Check for mistakes.

```yaml
Type: System.Management.Automation.PSPrimitiveDictionary
Expand Down