Add note about trusting ApplicationArguments data#12746
Add note about trusting ApplicationArguments data#12746sdwheeler merged 2 commits intoMicrosoftDocs:mainfrom
Conversation
sdwheeler
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
There was a problem hiding this comment.
Pull request overview
Adds security-focused documentation warnings advising that $PSSenderInfo.ApplicationArguments / -ApplicationArguments data is client-supplied and must not be used for authorization/trust decisions.
Changes:
- Adds
[!IMPORTANT]admonitions warning against usingApplicationArgumentsfor security/trust decisions across multiple PowerShell versions. - Updates related metadata (
ms.date) and normalizes some relative About-topic links.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md | Adds IMPORTANT warning under -ApplicationArguments and updates some About links. |
| reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md | Adds IMPORTANT warning under $PSSenderInfo / ApplicationArguments. |
| reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md | Adds IMPORTANT warning under -ApplicationArguments. |
| reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md | Adds IMPORTANT warning under $PSSenderInfo / ApplicationArguments. |
| reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md | Adds IMPORTANT warning under -ApplicationArguments and updates some About links. |
| reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md | Adds IMPORTANT warning and updates metadata. |
| reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md | Adds IMPORTANT warning under -ApplicationArguments. |
| reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md | Adds IMPORTANT warning under $PSSenderInfo / ApplicationArguments. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ms.date: 01/18/2026 | ||
| ms.date: 02/10/2026 | ||
| no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition] | ||
| online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp |
There was a problem hiding this comment.
The online version URL is using view=powershell-5.1 in the 7.4 reference topic, which will send readers to the wrong version of the docs. Please update the querystring to view=powershell-7.4 to match this file's versioned folder.
| online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp | |
| online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.4&WT.mc_id=ps-gethelp |
| > Since this property contains data explicitly provided by the client, using this for security | ||
| > decisions could allow attackers to bypass authorization controls. Never use this data for trust | ||
| > decisions. Validate all user input when used for other application logic. |
There was a problem hiding this comment.
The added IMPORTANT blockquote lines exceed the repo's markdownlint MD013 line-length limit (100 chars) for non-About topics. Please wrap the blockquote text onto more lines (keeping each quoted line under the limit) to avoid lint failures.
| > Since this property contains data explicitly provided by the client, using this for security | |
| > decisions could allow attackers to bypass authorization controls. Never use this data for trust | |
| > decisions. Validate all user input when used for other application logic. | |
| > Since this property contains data explicitly provided by the client, using this | |
| > for security decisions could allow attackers to bypass authorization controls. | |
| > Never use this data for trust decisions. Validate all user input when used for | |
| > other application logic. |
| For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), | ||
| [about_Session_Configurations](About/about_Session_Configurations.md), and | ||
| [about_Automatic_Variables](about/about_Automatic_Variables.md). | ||
| [about_Automatic_Variables](About/about_Automatic_Variables.md). |
There was a problem hiding this comment.
This file still contains a relative link using about/... (lowercase) earlier in the page (for example in the preceding example section). There is no about directory here (only About/), so please update remaining about/... links to About/... to avoid broken links on case-sensitive systems.
| > Since this property contains data explicitly provided by the client, using this for security | ||
| > decisions could allow attackers to bypass authorization controls. Never use this data for trust | ||
| > decisions. Validate all user input when used for other application logic. |
There was a problem hiding this comment.
The added IMPORTANT blockquote lines exceed the repo's markdownlint MD013 line-length limit (100 chars) for non-About topics. Please wrap the blockquote text onto more lines (keeping each quoted line under the limit) to avoid lint failures.
| > Since this property contains data explicitly provided by the client, using this for security | |
| > decisions could allow attackers to bypass authorization controls. Never use this data for trust | |
| > decisions. Validate all user input when used for other application logic. | |
| > Since this property contains data explicitly provided by the client, using this for | |
| > security decisions could allow attackers to bypass authorization controls. Never use | |
| > this data for trust decisions. Validate all user input when used for other | |
| > application logic. |
| For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), | ||
| [about_Session_Configurations](About/about_Session_Configurations.md), and | ||
| [about_Automatic_Variables](About/about_Automatic_Variables.md). |
There was a problem hiding this comment.
This file still contains a relative link using about/... (lowercase) earlier in the page (example section). There is no about directory here (only About/), so the link will be broken on case-sensitive systems; please update it to About/... for consistency with the other links in this section.
| For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), | ||
| [about_Session_Configurations](About/about_Session_Configurations.md), and | ||
| [about_Automatic_Variables](about/about_Automatic_Variables.md). |
There was a problem hiding this comment.
These relative links use about/... (lowercase), but this folder only contains About/ (capital A). On case-sensitive systems this will break the links; please update them to About/... (and consider fixing the same about/... link used earlier in the example section).
| For more information, see [about_Hash_Tables](about/about_Hash_Tables.md), | |
| [about_Session_Configurations](About/about_Session_Configurations.md), and | |
| [about_Automatic_Variables](about/about_Automatic_Variables.md). | |
| For more information, see [about_Hash_Tables](About/about_Hash_Tables.md), | |
| [about_Session_Configurations](About/about_Session_Configurations.md), and | |
| [about_Automatic_Variables](About/about_Automatic_Variables.md). |
| > [!IMPORTANT] | ||
| > Since this property contains data explicitly provided by the client, using this for security | ||
| > decisions could allow attackers to bypass authorization controls. Never use this data for trust | ||
| > decisions. Validate all user input when used for other application logic. |
There was a problem hiding this comment.
The added IMPORTANT blockquote lines exceed the repo's markdownlint MD013 line-length limit (100 chars) for non-About topics. Please wrap the blockquote text onto more lines (keeping each quoted line under the limit) to avoid lint failures.
| > decisions. Validate all user input when used for other application logic. | |
| > decisions. | |
| > Validate all user input when used for other application logic. |
PoliCheck Scan ReportThe following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans. ✅ No issues foundMore information about PoliCheckInformation: PoliCheck | Severity Guidance | Term |
|
Learn Build status updates of commit 76c0cb7: ✅ Validation status: passed
For more details, please refer to the build report. |
PR Summary
Ad note about trusting ApplicationArguments data
PR Checklist