handle_restart: Reject log_id if it contains ".."

The log_id is used to create a path name.  We need to make sure the
ID doesn't start with "../", end with "/..", or contain "/../" to
prevent potential path traversal.

Thanks to Joshua Rogers for finding this.

Author: millert

MANIFEST

@@ -419,6 +419,7 @@ lib/zlib/zlib.h
 lib/zlib/zutil.c
 lib/zlib/zutil.h
 logsrvd/Makefile.in
+logsrvd/dotdot.c
 logsrvd/iolog_writer.c
 logsrvd/logsrv_util.c
 logsrvd/logsrv_util.h
@@ -436,6 +437,7 @@ logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4
 logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5
 logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6
 logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.7
+logsrvd/regress/dotdot/dotdot_test.c
 logsrvd/regress/fuzz/fuzz_logsrvd_conf.c
 logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict
 logsrvd/regress/logsrvd_conf/cacert.pem

logsrvd/Makefile.in

@@ -116,7 +116,7 @@ FUZZ_MAX_LEN = 4096
 FUZZ_RUNS = 8192
 FUZZ_VERBOSE =
 
-TEST_PROGS = logsrvd_conf_test
+TEST_PROGS = logsrvd_conf_test dotdot_test
 TEST_LIBS = $(LIBS)
 TEST_LDFLAGS = $(LDFLAGS)
 TEST_VERBOSE =
@@ -131,7 +131,7 @@ SHELL = @SHELL@
 
 PROGS = sudo_logsrvd sudo_sendlog
 
-LOGSRVD_OBJS = logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o \
+LOGSRVD_OBJS = dotdot.o logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o \
 	       logsrvd_journal.o logsrvd_local.o logsrvd_relay.o \
 	       logsrvd_queue.o tls_client.o tls_init.o
 
@@ -151,6 +151,8 @@ FUZZ_LOGSRVD_CONF_CORPUS = $(srcdir)/regress/corpus/seed/logsrvd_conf/logsrvd.co
 
 CONF_TEST_OBJS = logsrvd_conf_test.o logsrvd_conf.o tls_init.o
 
+DOTDOT_TEST_OBJS = dotdot_test.o dotdot.o
+
 all: $(PROGS)
 
 depend:
@@ -187,6 +189,9 @@ fuzz_logsrvd_conf: $(FUZZ_LOGSRVD_CONF_OBJS) $(LIBFUZZSTUB) $(LT_LIBS)
 logsrvd_conf_test: $(CONF_TEST_OBJS) $(LT_LIBS)
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(CONF_TEST_OBJS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(HARDENING_LDFLAGS) $(TEST_LDFLAGS) $(TEST_LIBS)
 
+dotdot_test: $(DOTDOT_TEST_OBJS) $(LT_LIBS)
+	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(DOTDOT_TEST_OBJS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(HARDENING_LDFLAGS) $(TEST_LDFLAGS) $(TEST_LIBS)
+
 fuzz_logsrvd_conf_seed_corpus.zip:
 	tdir=fuzz_logsrvd_conf.$$$$; \
 	mkdir $$tdir; \
@@ -278,6 +283,7 @@ check: $(TEST_PROGS) check-fuzzer
 	    unset LANGUAGE || LANGUAGE=; \
 	    MALLOC_OPTIONS=S; export MALLOC_OPTIONS; \
 	    MALLOC_CONF="abort:true,junk:true"; export MALLOC_CONF; \
+	    ./dotdot_test; \
 	    builddir=$(abs_top_builddir)/logsrvd; \
 	    cd $(srcdir) || exit 1; \
 	    if test -n "@LIBTLS@"; then \
@@ -313,6 +319,30 @@ cleandir: realclean
 	$(FUZZ_SEED_CORPUS) run-fuzz_logsrvd_conf
 
 # Autogenerated dependencies, do not modify
+dotdot.o: $(srcdir)/dotdot.c $(incdir)/compat/stdbool.h \
+          $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
+          $(incdir)/sudo_queue.h $(srcdir)/logsrv_util.h \
+          $(top_builddir)/config.h
+	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/dotdot.c
+dotdot.i: $(srcdir)/dotdot.c $(incdir)/compat/stdbool.h \
+          $(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
+          $(incdir)/sudo_queue.h $(srcdir)/logsrv_util.h \
+          $(top_builddir)/config.h
+	$(CPP) $(CPPFLAGS) $(srcdir)/dotdot.c > $@
+dotdot.plog: dotdot.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/dotdot.c --i-file dotdot.i --output-file $@
+dotdot_test.o: $(srcdir)/regress/dotdot/dotdot_test.c \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+               $(incdir)/sudo_fatal.h $(incdir)/sudo_plugin.h \
+               $(srcdir)/logsrv_util.h $(top_builddir)/config.h
+	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/dotdot/dotdot_test.c
+dotdot_test.i: $(srcdir)/regress/dotdot/dotdot_test.c \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+               $(incdir)/sudo_fatal.h $(incdir)/sudo_plugin.h \
+               $(srcdir)/logsrv_util.h $(top_builddir)/config.h
+	$(CPP) $(CPPFLAGS) $(srcdir)/regress/dotdot/dotdot_test.c > $@
+dotdot_test.plog: dotdot_test.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/dotdot/dotdot_test.c --i-file dotdot_test.i --output-file $@
 fuzz_logsrvd_conf.o: $(srcdir)/regress/fuzz/fuzz_logsrvd_conf.c \
                      $(incdir)/compat/stdbool.h $(incdir)/log_server.pb-c.h \
                      $(incdir)/protobuf-c/protobuf-c.h $(incdir)/sudo_compat.h \

logsrvd/logsrv_util.h

@@ -53,6 +53,9 @@ struct connection_buffer {
 };
 TAILQ_HEAD(connection_buffer_list, connection_buffer);
 
+/* dotdot.c */
+bool contains_dot_dot(const char *str);
+
 /* logsrv_util.c */
 struct iolog_file;
 bool expand_buf(struct connection_buffer *buf, size_t needed);

logsrvd/logsrvd.c

@@ -591,6 +591,14 @@ handle_restart(const RestartMessage *msg, const uint8_t *buf, size_t len,
 	"%s: received RestartMessage for %s from %s", __func__, msg->log_id,
 	source);
 
+    /* The log_id is used to create a path name, prevent path traversal. */
+    if (contains_dot_dot(msg->log_id)) {
+	sudo_warnx(U_("%s: %s"), source,
+	    U_("RestartMessage log_id path traversal attack"));
+	closure->errstr = _("invalid RestartMessage");
+	debug_return_bool(false);
+    }
+
     /* Only I/O logs are restartable. */
     closure->log_io = true;
 

logsrvd/regress/dotdot/dotdot_test.c

@@ -0,0 +1,138 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2025 Todd C. Miller <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include <compat/stdbool.h>
+#endif /* HAVE_STDBOOL_H */
+
+#define SUDO_ERROR_WRAP 0
+
+#include <sudo_compat.h>
+#include <sudo_util.h>
+#include <sudo_fatal.h>
+#include <sudo_queue.h>
+
+#include <logsrv_util.h>
+
+sudo_dso_public int main(int argc, char *argv[]);
+
+struct test_data {
+    const char *str;		/* input string */
+    bool expected;		/* expected result */
+};
+
+static struct test_data test_data[] = {
+    {
+	"/foo/bar",
+	false
+    }, {
+	"..",
+	true
+    }, {
+	"../",
+	true
+    }, {
+	"/..",
+	true
+    }, {
+	"/../",
+	true
+    }, {
+	"foo/../",
+	true
+    }, {
+	"foo/..",
+	true
+    }, {
+	"foo/../bar",
+	true
+    }, {
+	"../bar",
+	true
+    }, {
+	"foo../bar",
+	false
+    }, {
+	"foo/..bar",
+	false
+    }, {
+	"...",
+	false
+    }, {
+	".../",
+	false
+    }, {
+	"/...",
+	false
+    }, {
+	"/.../",
+	false
+    }, {
+	NULL,
+	false
+    }
+};
+
+/*
+ * Verify contains_dot_dot() behavior
+ */
+int
+main(int argc, char *argv[])
+{
+    int errors = 0, ntests = 0;
+    size_t i;
+    int ch;
+
+    initprogname(argc > 0 ? argv[0] : "dotdot_test");
+
+    while ((ch = getopt(argc, argv, "v")) != -1) {
+	switch (ch) {
+	case 'v':
+	    /* ignore */
+	    break;
+	default:
+	    fprintf(stderr, "usage: %s [-v]\n", getprogname());
+	    return EXIT_FAILURE;
+	}
+    }
+
+    for (i = 0; test_data[i].str != NULL; i++) {
+	bool result = contains_dot_dot(test_data[i].str);
+	if (result != test_data[i].expected) {
+	    sudo_warnx("test %zu:%s: expected %s, got %s", i,
+		test_data[i].str, test_data[i].expected ? "true" : "false",
+		result ? "true" : "false");
+	    errors++;
+	}
+	ntests++;
+    }
+
+    if (ntests != 0) {
+	printf("%s: %d tests run, %d errors, %d%% success rate\n",
+	    getprogname(), ntests, errors, (ntests - errors) * 100 / ntests);
+    }
+
+    return errors;
+}