Add security notes to Process[StartInfo] (dotnet#8802)

jozkee · web-flow · commit 4f26c4d55c3d · 2023-01-24T14:42:39.000-06:00
Add security notes to Process[StartInfo]
diff --git a/xml/System.Diagnostics/Process.xml b/xml/System.Diagnostics/Process.xml
@@ -97,6 +97,8 @@
 
  This type implements the <xref:System.IDisposable> interface. When you have finished using the type, you should dispose of it either directly or indirectly. To dispose of the type directly, call its <xref:System.IDisposable.Dispose%2A> method in a `try`/`finally` block. To dispose of it indirectly, use a language construct such as `using` (in C#) or `Using` (in Visual Basic). For more information, see the "Using an Object that Implements IDisposable" section in the <xref:System.IDisposable> interface topic.
 
+ [!INCLUDE [untrusted-data-class-note](~/includes/untrusted-data-class-note.md)]
+
 > [!NOTE]
 >  32-bit processes cannot access the modules of a 64-bit process. If you try to get information about a 64-bit process from a 32-bit process, you will get a <xref:System.ComponentModel.Win32Exception> exception. A 64-bit process, on the other hand, can access the modules of a 32-bit process.
 
@@ -5308,6 +5310,8 @@ There is a similar issue when you read all text from both the standard output an
 
  You can start a ClickOnce application by specifying the location (for example, a Web address) from which you originally installed the application. Do not start a ClickOnce application by specifying its installed location on your hard drive.
 
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
+
 > [!NOTE]
 >  If you are using Visual Studio, this overload of the <xref:System.Diagnostics.Process.Start%2A> method is the one that you insert into your code after you drag a <xref:System.Diagnostics.Process> component onto the designer. Use the `Properties` window to expand the `StartInfo` category and write the appropriate value into the `FileName` property. Your changes will appear in the form's `InitializeComponent` procedure.
 
@@ -5415,6 +5419,8 @@ The <see cref="P:System.Diagnostics.ProcessStartInfo.UseShellExecute" /> member
 ## Remarks
  Use this overload to start a process resource by specifying a <xref:System.Diagnostics.ProcessStartInfo> instance. The overload associates the resource with a new <xref:System.Diagnostics.Process> object.
 
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
 > [!NOTE]
 >  If the address of the executable file to start is a URL, the process is not started and `null` is returned.
 
@@ -5538,6 +5544,8 @@ The <see cref="P:System.Diagnostics.ProcessStartInfo.UseShellExecute" /> member
 ## Remarks
  Use this overload to start a process resource by specifying its file name. The overload associates the resource with a new <xref:System.Diagnostics.Process> object.
 
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
 > [!NOTE]
 >  If the address of the executable file to start is a URL, the process is not started and `null` is returned.
 
@@ -5627,7 +5635,16 @@ The file specified in the <paramref name="fileName" /> could not be found.</exce
         <param name="arguments">The command-line arguments to pass when starting the process.</param>
         <summary>Starts a process resource by specifying the name of an application and a set of command line arguments.</summary>
         <returns>A new <see cref="T:System.Diagnostics.Process" /> that is associated with the process resource, or <see langword="null" /> if no process resource is started.</returns>
-        <remarks>Each argument will be escaped automatically if required.</remarks>
+        <remarks>
+          <format type="text/markdown"><![CDATA[
+
+## Remarks
+ Each argument will be escaped automatically if required.
+
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
+ ]]></format>
+        </remarks>
       </Docs>
     </Member>
     <Member MemberName="Start">
@@ -5692,6 +5709,8 @@ The file specified in the <paramref name="fileName" /> could not be found.</exce
 ## Remarks
  Use this overload to start a process resource by specifying its file name and command-line arguments. The overload associates the resource with a new <xref:System.Diagnostics.Process> object.
 
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
 > [!NOTE]
 >  If the address of the executable file to start is a URL, the process is not started and `null` is returned.
 
@@ -5801,6 +5820,8 @@ The file specified in the <paramref name="fileName" /> could not be found.
 ## Remarks
  Use this overload to create a new process and its primary thread by specifying its file name, user name, password, and domain. The new process then runs the specified executable file in the security context of the specified credentials (user, domain, and password).
 
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
 > [!NOTE]
 >  When the executable file is located on a remote drive, you must identify the network share by using a uniform resource identifier (URI), not a linked drive letter.
 
@@ -5899,6 +5920,8 @@ The file specified in the <paramref name="fileName" /> could not be found.</exce
 ## Remarks
  Use this overload to create a new process and its primary thread by specifying its file name, command-line arguments, user name, password, and domain. The new process then runs the specified executable file in the security context of the specified credentials (user, domain, and password).
 
+ [!INCLUDE [untrusted-data-method-note](~/includes/untrusted-data-method-note.md)]
+
 > [!NOTE]
 >  When the executable file is located on a remote drive, you must identify the network share by using a uniform resource identifier (URI), not a linked drive letter.
 
diff --git a/xml/System.Diagnostics/ProcessStartInfo.xml b/xml/System.Diagnostics/ProcessStartInfo.xml
@@ -59,7 +59,9 @@
   
  Set the <xref:System.Diagnostics.ProcessStartInfo.UseShellExecute%2A> property to specify whether to start the process by using the operating system shell. If <xref:System.Diagnostics.ProcessStartInfo.UseShellExecute%2A> is set to `false`, the new process inherits the standard input, standard output, and standard error streams of the calling process, unless the <xref:System.Diagnostics.ProcessStartInfo.RedirectStandardInput%2A>, <xref:System.Diagnostics.ProcessStartInfo.RedirectStandardOutput%2A>, or <xref:System.Diagnostics.ProcessStartInfo.RedirectStandardError%2A> properties, respectively, are set to `true`. 
   
- You can change the value of any <xref:System.Diagnostics.ProcessStartInfo> property up to the time that the process starts. After you start the process, changing these values has no effect.  
+ You can change the value of any <xref:System.Diagnostics.ProcessStartInfo> property up to the time that the process starts. After you start the process, changing these values has no effect.
+ 
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
   
 > [!NOTE]
 >  This class contains a link demand at the class level that applies to all members. A <xref:System.Security.SecurityException> is thrown when the immediate caller does not have full-trust permission. For details about security demands, see [Link Demands](/dotnet/framework/misc/link-demands).  
@@ -128,6 +130,8 @@
   
  Optionally, you can also set other properties before you start the process. The <xref:System.Diagnostics.ProcessStartInfo.Verb%2A> property supplies actions to take, such as "print", with the file indicated in the <xref:System.Diagnostics.ProcessStartInfo.FileName%2A> property. The <xref:System.Diagnostics.ProcessStartInfo.Arguments%2A> property supplies a way to pass command-line arguments to the file when the system opens it.  
   
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
+
  ]]></format>
         </remarks>
       </Docs>
@@ -175,7 +179,9 @@
  The file name is any application or document. In this case, a document is defined to be any file type that has an open or default action associated with it. You can view registered file types and their associated applications for your computer by using the **Folder Options** dialog box, which is available through the operating system. The **Advanced** button leads to a dialog box that shows whether there is an open action associated with a specific registered file type.  
   
  You can change the <xref:System.Diagnostics.ProcessStartInfo.FileName%2A> property after you call this constructor, up to the time that the process starts. After you start the process, changing these values has no effect.  
-  
+ 
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
+
  ]]></format>
         </remarks>
       </Docs>
@@ -225,6 +231,8 @@
  The file name is any application or document. In this case, a document is defined to be any file type that has an open or default action associated with it. You can view registered file types and their associated applications for your computer by using the **Folder Options** dialog box, which is available through the operating system. The **Advanced** button leads to a dialog box that shows whether there is an open action associated with a specific registered file type.  
   
  You can change the <xref:System.Diagnostics.ProcessStartInfo.FileName%2A> or <xref:System.Diagnostics.ProcessStartInfo.Arguments%2A> properties after you call this constructor, up to the time that the process starts. After you start the process, changing these values has no effect.  
+ 
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
   
  ]]></format>
         </remarks>
@@ -260,6 +268,8 @@
           <format type="text/markdown"><![CDATA[
           
 `ArgumentList` and the <xref:System.Diagnostics.ProcessStartInfo.Arguments> property are independent of one another and **only one of them can be used at the same time**. The main difference between both APIs is that `ArgumentList` takes care of escaping the provided arguments and **internally** builds a single string that is passed to operating system when calling `Process.Start(info)`. So if you are not sure how to properly escape your arguments, you should choose `ArgumentList` over <xref:System.Diagnostics.ProcessStartInfo.Arguments>.
+
+[!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
 ```
 
 ## Examples
@@ -397,6 +407,8 @@ If you use this property to set command-line arguments, <xref:System.Diagnostics
   
 `Arguments` and <xref:System.Diagnostics.ProcessStartInfo.ArgumentList>, which is supported starting with .NET Core 2.1 and .NET Standard 2.1, are independent of one another. That is, the string assigned to the `Arguments` property does not populate the <xref:System.Diagnostics.ProcessStartInfo.ArgumentList> collection, and the members of the <xref:System.Diagnostics.ProcessStartInfo.ArgumentList> collection are not assigned to the `Arguments` property.
 
+[!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]
+
 ## Examples  
  The first example creates a small application (argsecho.exe) that echos its arguments to the console. The second example creates an application that invokes argsecho.exe to demonstrate different variations for the `Arguments` property.  
   
@@ -938,7 +950,7 @@ If you use this property to set command-line arguments, <xref:System.Diagnostics
   
  You can start a ClickOnce application by setting the <xref:System.Diagnostics.ProcessStartInfo.FileName%2A> property to the location (for example, a Web address) from which you originally installed the application. Do not start a ClickOnce application by specifying its installed location on your hard disk.  
   
-   
+ [!INCLUDE [untrusted-data-instance-note](~/includes/untrusted-data-instance-note.md)]  
   
 ## Examples  
  :::code language="cpp" source="~/snippets/cpp/VS_Snippets_CLR/Process.Start_instance/CPP/processstart.cpp" id="Snippet1":::
