find_path: collapse extra "/" and "./" components in the command path

millert · millert · commit 4b3a5e7d1a33 · 2026-03-18T06:54:22.000-06:00
When fully-qualifying the command path, collapse multiple
consecutive '/' characters and remove "./" path components.
This does not attempt to resolve "../" components, which will
be performed during canonicalization.
diff --git a/MANIFEST b/MANIFEST
@@ -770,6 +770,7 @@ plugins/sudoers/prompt.c
 plugins/sudoers/pwutil.c
 plugins/sudoers/pwutil.h
 plugins/sudoers/pwutil_impl.c
+plugins/sudoers/rationalize.c
 plugins/sudoers/redblack.c
 plugins/sudoers/redblack.h
 plugins/sudoers/regress/check_symbols/check_symbols.c
@@ -895,6 +896,7 @@ plugins/sudoers/regress/parser/check_digest.c
 plugins/sudoers/regress/parser/check_digest.out.ok
 plugins/sudoers/regress/parser/check_fill.c
 plugins/sudoers/regress/parser/check_gentime.c
+plugins/sudoers/regress/rationalize/check_rationalize.c
 plugins/sudoers/regress/serialize_list/check_serialize_list.c
 plugins/sudoers/regress/starttime/check_starttime.c
 plugins/sudoers/regress/sudoers/test1.in
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
@@ -1,7 +1,7 @@
 #
 # SPDX-License-Identifier: ISC
 #
-# Copyright (c) 1996, 1998-2005, 2007-2024
+# Copyright (c) 1996, 1998-2005, 2007-2026
 #       Todd C. Miller <Todd.Miller@sudo.ws>
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -157,9 +157,9 @@ PROGS = sudoers.la visudo sudoreplay cvtsudoers testsudoers tsdump
 
 # Regression tests
 TEST_PROGS = check_addr check_digest check_editor check_env_pattern \
-	     check_exptilde check_fill check_gentime \
-	     check_iolog_plugin check_serialize_list \
-	     check_starttime check_unesc @SUDOERS_TEST_PROGS@
+	     check_exptilde check_fill check_gentime check_iolog_plugin \
+	     check_rationalize check_serialize_list check_starttime \
+	     check_unesc @SUDOERS_TEST_PROGS@
 TEST_VERBOSE =
 HARNESS = $(SHELL) regress/harness $(TEST_VERBOSE)
 
@@ -189,16 +189,16 @@ SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo check_util.lo \
                file.lo find_path.lo fmtsudoers.lo gc.lo goodpath.lo \
                group_plugin.lo interfaces.lo iolog.lo iolog_path_escapes.lo \
                locale.lo log_client.lo logging.lo lookup.lo policy.lo \
-	       prompt.lo serialize_list.lo set_perms.lo sethost.lo \
-	       starttime.lo strlcpy_unesc.lo strvec_join.lo sudo_nss.lo \
-	       sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo timestamp.lo \
-	       unesc_str.lo @SUDOERS_OBJS@
+	       prompt.lo rationalize.lo serialize_list.lo set_perms.lo \
+	       sethost.lo starttime.lo strlcpy_unesc.lo strvec_join.lo \
+	       sudo_nss.lo sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo \
+	       timestamp.lo unesc_str.lo @SUDOERS_OBJS@
 
 SUDOERS_IOBJS = $(SUDOERS_OBJS:.lo=.i)
 
 VISUDO_OBJS = check_aliases.o editor.lo find_path.lo gc.lo goodpath.lo \
-	      locale.lo sethost.lo stubs.o sudo_printf.o sudoers_ctx_free.lo \
-	      visudo.o visudo_cb.o
+	      locale.lo rationalize.lo sethost.lo stubs.o sudo_printf.o \
+	      sudoers_ctx_free.lo visudo.o visudo_cb.o
 
 VISUDO_IOBJS = sudo_printf.i visudo.i
 
@@ -247,6 +247,8 @@ CHECK_IOLOG_PLUGIN_OBJS = check_iolog_plugin.o iolog.lo log_client.lo \
 			  locale.lo pwutil.lo pwutil_impl.lo redblack.lo \
 			  strlist.lo sudoers_debug.lo unesc_str.lo
 
+CHECK_RATIONALIZE_OBJS = check_rationalize.lo rationalize.lo sudoers_debug.lo
+
 CHECK_SYMBOLS_OBJS = check_symbols.o
 
 CHECK_STARTTIME_OBJS = check_starttime.o starttime.lo sudoers_debug.lo
@@ -394,6 +396,9 @@ check_gentime: $(CHECK_GENTIME_OBJS) $(LIBUTIL)
 check_iolog_plugin: $(CHECK_IOLOG_PLUGIN_OBJS) $(LIBUTIL) $(LIBIOLOG) $(LIBLOGSRV)
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PLUGIN_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(HARDENING_LDFLAGS) $(LIBIOLOG) $(LIBLOGSRV) @LIBTLS@
 
+check_rationalize: $(CHECK_RATIONALIZE_OBJS) $(LIBUTIL)
+	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(CHECK_RATIONALIZE_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(HARDENING_LDFLAGS) $(LIBS)
+
 check_serialize_list: $(CHECK_SERIALIZE_LIST_OBJS) $(LIBUTIL)
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(CHECK_SERIALIZE_LIST_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(HARDENING_LDFLAGS) $(LIBS)
 
@@ -662,6 +667,7 @@ check: $(TEST_PROGS) visudo testsudoers cvtsudoers check-fuzzer
 	    ./check_gentime $(TEST_VERBOSE) || rval=`expr $$rval + $$?`; \
 	    mkdir -p regress/iolog_plugin; \
 	    ./check_iolog_plugin $(TEST_VERBOSE) regress/iolog_plugin/iolog || rval=`expr $$rval + $$?`; \
+	    ./check_rationalize $(TEST_VERBOSE) || rval=`expr $$rval + $$?`; \
 	    ./check_serialize_list $(TEST_VERBOSE) || rval=`expr $$rval + $$?`; \
 	    ./check_starttime $(TEST_VERBOSE) || rval=`expr $$rval + $$?`; \
 	    ./check_unesc $(TEST_VERBOSE) || rval=`expr $$rval + $$?`; \
@@ -1107,6 +1113,32 @@ check_iolog_plugin.i: $(srcdir)/regress/iolog_plugin/check_iolog_plugin.c \
 	$(CPP) $(CPPFLAGS) $(srcdir)/regress/iolog_plugin/check_iolog_plugin.c > $@
 check_iolog_plugin.plog: check_iolog_plugin.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --source-file $(srcdir)/regress/iolog_plugin/check_iolog_plugin.c --i-file check_iolog_plugin.i --output-file $@
+check_rationalize.lo: $(srcdir)/regress/rationalize/check_rationalize.c \
+                      $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+                      $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+                      $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                      $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/rationalize/check_rationalize.c
+check_rationalize.i: $(srcdir)/regress/rationalize/check_rationalize.c \
+                      $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+                      $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+                      $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                      $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+	$(CPP) $(CPPFLAGS) $(srcdir)/regress/rationalize/check_rationalize.c > $@
+check_rationalize.plog: check_rationalize.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --source-file $(srcdir)/regress/rationalize/check_rationalize.c --i-file check_rationalize.i --output-file $@
 check_serialize_list.lo: \
                          $(srcdir)/regress/serialize_list/check_serialize_list.c \
                          $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
@@ -2525,6 +2557,30 @@ pwutil_impl.i: $(srcdir)/pwutil_impl.c $(devdir)/def_data.h \
 	$(CPP) $(CPPFLAGS) $(srcdir)/pwutil_impl.c > $@
 pwutil_impl.plog: pwutil_impl.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --source-file $(srcdir)/pwutil_impl.c --i-file pwutil_impl.i --output-file $@
+rationalize.lo: $(srcdir)/rationalize.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+                $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+                $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/rationalize.c
+rationalize.i: $(srcdir)/rationalize.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+                $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+                $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+	$(CPP) $(CPPFLAGS) $(srcdir)/rationalize.c > $@
+rationalize.plog: rationalize.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --source-file $(srcdir)/rationalize.c --i-file rationalize.i --output-file $@
 redblack.lo: $(srcdir)/redblack.c $(devdir)/def_data.h \
              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
              $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
diff --git a/plugins/sudoers/find_path.c b/plugins/sudoers/find_path.c
@@ -45,6 +45,9 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, const char *runchroot,
     char * const *al;
     debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL);
 
+    /* First, collapse extra "/" and "./" components. */
+    rationalize_path(cmnd);
+
     if (!sudo_goodpath(cmnd, runchroot, cmnd_sbp))
 	debug_return_bool(false);
 
diff --git a/plugins/sudoers/rationalize.c b/plugins/sudoers/rationalize.c
@@ -0,0 +1,60 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2026 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <sudoers.h>
+
+/*
+ * Rationalize a path by removing consecutive '/' and "/./" path elements.
+ */
+char *
+rationalize_path(char *path)
+{
+    char *cp, *ep, *path_end;
+    debug_decl(rationalize_path, SUDOERS_DEBUG_UTIL);
+
+    path_end = path + strlen(path);
+    for (cp = path; *cp != '\0';) {
+	if (cp[0] == '/') {
+	    /* Collapse consecutive '/' characters. */
+	    if (cp[1] == '/') {
+		for (ep = cp + 1; ep[1] == '/'; ep++)
+		    continue;
+
+		/* The size argument includes the terminating NUL byte. */
+		memmove(cp, ep, (size_t)(path_end - ep) + 1);
+		continue;
+	    }
+
+	    /* Remove "/./" in path or "/." at path_end. */
+	    if (cp[1] == '.' && (cp[2] == '/' || cp[2] == '\0')) {
+		/* /./foo -> /foo OR /foo/. -> /foo */
+		ep = cp + 2;
+
+		/* The size argument includes the terminating NUL byte. */
+		memmove(cp, ep, (size_t)(path_end - ep) + 1);
+		continue;
+	    }
+	}
+	cp++;
+    }
+    debug_return_str(path);
+}
diff --git a/plugins/sudoers/regress/rationalize/check_rationalize.c b/plugins/sudoers/regress/rationalize/check_rationalize.c
@@ -0,0 +1,107 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2026 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#define SUDO_ERROR_WRAP 0
+
+#include <sudoers.h>
+
+struct test_data {
+    const char *input;
+    const char *result;
+};
+
+static struct test_data rationalize_test_data[] = {
+    { "./bin/ls", "./bin/ls" },			/* 1 */
+    { "/usr//bin/who", "/usr/bin/who" },	/* 2 */
+    { "//usr//bin/who", "/usr/bin/who" },	/* 3 */
+    { "/etc/./shadow", "/etc/shadow" },		/* 4 */
+    { "//etc/./shadow", "/etc/shadow" },	/* 5 */
+    { "/usr/bin//", "/usr/bin/" },		/* 6 */
+    { "//usr///bin////", "/usr/bin/" },		/* 7 */
+    { "/./usr/bin", "/usr/bin" },		/* 8 */
+    { "/usr/bin/.//", "/usr/bin/" },		/* 9 */
+    { "/usr/bin/.", "/usr/bin" },		/* 10 */
+    { "/usr/bin//.", "/usr/bin" },		/* 11 */
+    { NULL }
+};
+
+sudo_dso_public int main(int argc, char *argv[]);
+
+static void
+test_rationalize_path(int *ntests_out, int *errors_out)
+{
+    int ntests = *ntests_out;
+    int errors = *errors_out;
+    struct test_data *td;
+    char buf[1024];
+
+    for (td = rationalize_test_data; td->input != NULL; td++) {
+	ntests++;
+	if (strlcpy(buf, td->input, sizeof(buf)) >= sizeof(buf)) {
+	    errno = ENAMETOOLONG;
+	    sudo_warn("%d: \"%s\"", ntests, td->input);
+	    errors++;
+	    continue;
+	}
+	if (strcmp(td->result, rationalize_path(buf)) != 0) {
+	    sudo_warnx("%d: \"%s\": got \"%s\", expected \"%s\"",
+		ntests, td->input, buf, td->result);
+	    errors++;
+	}
+    }
+
+    *ntests_out = ntests;
+    *errors_out = errors;
+}
+
+int
+main(int argc, char *argv[])
+{
+    int ch, ntests = 0, errors = 0;
+
+    initprogname(argc > 0 ? argv[0] : "check_rationalize");
+
+    while ((ch = getopt(argc, argv, "v")) != -1) {
+	switch (ch) {
+	case 'v':
+	    /* ignored */
+	    break;
+	default:
+	    fprintf(stderr, "usage: %s [-v]\n", getprogname());
+	    return EXIT_FAILURE;
+	}
+    }
+    argc -= optind;
+    argv += optind;
+
+    test_rationalize_path(&ntests, &errors);
+
+    if (ntests != 0) {
+	printf("%s: %d tests run, %d errors, %d%% success rate\n",
+	    getprogname(), ntests, errors, (ntests - errors) * 100 / ntests);
+    }
+
+    exit(errors);
+}
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
@@ -320,6 +320,9 @@ int find_path(const char *infile, char **outfile, struct stat *sbp,
     const char *path, const char *runchroot, bool ignore_dot,
     char * const *allowlist);
 
+/* rationalize.c */
+char *rationalize_path(char *cmnd);
+
 /* resolve_cmnd.c */
 int resolve_cmnd(struct sudoers_context *ctx, const char *infile,
     char **outfile, const char *path, const char *runchroot);
