Check for embedded ".." in the expanded I/O log dir and file.

millert · millert · commit 4bd549d7f41c · 2025-11-11T16:10:14.000-07:00
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/logsrvd/iolog_writer.c b/logsrvd/iolog_writer.c
@@ -596,13 +596,23 @@ create_iolog_path(struct connection_closure *closure)
 	    logsrvd_conf_iolog_dir());
 	goto bad;
     }
+    if (contains_dot_dot(expanded_dir)) {
+	sudo_warnx(U_("unable to expand iolog path %s: path traversal attack"),
+	    logsrvd_conf_iolog_dir());
+	goto bad;
+    }
 
     if (!expand_iolog_path(logsrvd_conf_iolog_file(), expanded_file,
 	    sizeof(expanded_file), &path_escapes[0], &path_closure)) {
 	sudo_warnx(U_("unable to expand iolog path %s"),
 	    logsrvd_conf_iolog_file());
 	goto bad;
     }
+    if (contains_dot_dot(expanded_file)) {
+	sudo_warnx(U_("unable to expand iolog path %s: path traversal attack"),
+	    logsrvd_conf_iolog_file());
+	goto bad;
+    }
 
     len = snprintf(pathbuf, sizeof(pathbuf), "%s/%s", expanded_dir,
 	expanded_file);
