command_matches_regex: use canonicalized path if user path contains ".."

millert · millert · commit 620ba7a3880d · 2026-04-23T07:22:25.000-06:00
We already fall back on the canonicalized path if the user-specified
path is relative.  This helps prevent abuse of overly broad command
regular expressions in sudoers.

Reported by Christos Papakonstantinou from Cantina (cantina.xyz)
diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
@@ -475,7 +475,8 @@ command_matches_regex(struct sudoers_context *ctx, const char *sudoers_cmnd,
      *
      * Neither sudoers_cmnd nor user_cmnd are relative to runchroot.
      */
-    if (cmnd[0] != '/' || regex_matches(sudoers_cmnd, cmnd) != ALLOW) {
+    if (cmnd[0] != '/' || sudo_contains_dot_dot(cmnd) ||
+	    regex_matches(sudoers_cmnd, cmnd) != ALLOW) {
 	/* No match, retry using the canonicalized path (if possible). */
 	if (ctx->user.cmnd_dir == NULL)
 	    debug_return_int(DENY);
