Merged PR 20126: Fix for partial PowerShell module search paths, that can be resolved to CWD locations (PowerShell#17231)

The problem is .NET will return empty strings for special folders that don't exist in some accounts (like System account), and the module path code appends path locations without first checking if the root path is non-empty.  This results in partial paths in the PSModulePath list, which are then interpreted by .NET file APIs as rooted in the current working directory.  And this in turn can allow low privilege users to drop modules in locations that higher privilege accounts will load from, thus gaining escalated privilege code execution.

These changes detect this non-rooted condition and prevents partial paths from being included in search lists.

Cherry picked from !17201

Co-authored-by: Travis Plunk <[email protected]>

Author: Andrew

src/System.Management.Automation/engine/Modules/ModuleIntrinsics.cs

@@ -970,7 +970,8 @@ internal static string GetPersonalModulePath()
 #if UNIX
             return Platform.SelectProductNameForDirectory(Platform.XDG_Type.USER_MODULES);
 #else
-            return Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), Utils.ModuleDirectory);
+            string myDocumentsPath = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
+            return string.IsNullOrEmpty(myDocumentsPath) ? null : Path.Combine(myDocumentsPath, Utils.ModuleDirectory);
 #endif
         }
 
@@ -1189,7 +1190,18 @@ public static string GetModulePath(string currentProcessModulePath, string hklmM
                     currentProcessModulePath = hkcuUserModulePath; // = EVT.User
                 }
 
-                currentProcessModulePath += Path.PathSeparator;
+                if (string.IsNullOrEmpty(currentProcessModulePath))
+                {
+                    if (currentProcessModulePath is null)
+                    {
+                        currentProcessModulePath = string.Empty;
+                    }
+                }
+                else
+                {
+                    currentProcessModulePath += Path.PathSeparator;
+                }
+
                 if (string.IsNullOrEmpty(hklmMachineModulePath)) // EVT.Machine does Not exist
                 {
                     currentProcessModulePath += CombineSystemModulePaths(); // += (SharedModulePath + $PSHome\Modules)
@@ -1210,11 +1222,23 @@ public static string GetModulePath(string currentProcessModulePath, string hklmM
                 // personalModulePath
                 // sharedModulePath
                 // systemModulePath
-                currentProcessModulePath = AddToPath(currentProcessModulePath, personalModulePathToUse, 0);
-                int insertIndex = PathContainsSubstring(currentProcessModulePath, personalModulePathToUse) + personalModulePathToUse.Length + 1;
-                currentProcessModulePath = AddToPath(currentProcessModulePath, sharedModulePath, insertIndex);
-                insertIndex = PathContainsSubstring(currentProcessModulePath, sharedModulePath) + sharedModulePath.Length + 1;
-                currentProcessModulePath = AddToPath(currentProcessModulePath, systemModulePathToUse, insertIndex);
+                int insertIndex = 0;
+                if (!string.IsNullOrEmpty(personalModulePathToUse))
+                {
+                    currentProcessModulePath = AddToPath(currentProcessModulePath, personalModulePathToUse, insertIndex);
+                    insertIndex = PathContainsSubstring(currentProcessModulePath, personalModulePathToUse) + personalModulePathToUse.Length + 1;
+                }
+
+                if (!string.IsNullOrEmpty(sharedModulePath))
+                {
+                    currentProcessModulePath = AddToPath(currentProcessModulePath, sharedModulePath, insertIndex);
+                    insertIndex = PathContainsSubstring(currentProcessModulePath, sharedModulePath) + sharedModulePath.Length + 1;
+                }
+
+                if (!string.IsNullOrEmpty(systemModulePathToUse))
+                {
+                    currentProcessModulePath = AddToPath(currentProcessModulePath, systemModulePathToUse, insertIndex);
+                }
             }
 
             return currentProcessModulePath;

src/System.Management.Automation/resources/PathUtilsStrings.resx

@@ -138,6 +138,9 @@
   <data name="ExportPSSession_ErrorDirectoryExists" xml:space="preserve">
     <value>The directory '{0}' already exists.  Use the -Force parameter if you want to overwrite the directory and files within the directory.</value>
   </data>
+  <data name="ExportPSSession_ErrorModuleNameOrPath" xml:space="preserve">
+    <value>The -OutputModule parameter does not resolve to a path, and a user module path cannot be found for the provided name.</value>
+  </data>
   <data name="ExportPSSession_CannotCreateOutputDirectory" xml:space="preserve">
     <value>Cannot create the module {0} due to the following: {1}. Use a different argument for the -OutputModule parameter and retry.</value>
     <comment>{StrContains="OutputModule"}

src/System.Management.Automation/utils/PathUtils.cs

@@ -367,6 +367,16 @@ internal static DirectoryInfo CreateModuleDirectory(PSCmdlet cmdlet, string modu
                 if (string.IsNullOrEmpty(rootedPath))
                 {
                     string personalModuleRoot = ModuleIntrinsics.GetPersonalModulePath();
+                    if (string.IsNullOrEmpty(personalModuleRoot))
+                    {
+                        cmdlet.ThrowTerminatingError(
+                            new ErrorRecord(
+                                new ArgumentException(PathUtilsStrings.ExportPSSession_ErrorModuleNameOrPath),
+                                "ExportPSSession_ErrorModuleNameOrPath",
+                                ErrorCategory.InvalidArgument,
+                                cmdlet));
+                    }
+
                     rootedPath = Path.Combine(personalModuleRoot, moduleNameOrPath);
                 }