From bf498149f6759cada1b09b16b41b316e6acf0312 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Wed, 15 Nov 2023 11:54:21 +0100
Subject: [PATCH] Ensure the machine name is valid in AuditManager

Checking that the resolved host path is in the expected folder ensures no malicious machineName parameter can get us to list folder that shouldn't be listed.
---
 .../redhat/rhn/manager/audit/AuditManager.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/java/code/src/com/redhat/rhn/manager/audit/AuditManager.java b/java/code/src/com/redhat/rhn/manager/audit/AuditManager.java
index 27aaef8e1b1d..86f5db81b1ce 100644
--- a/java/code/src/com/redhat/rhn/manager/audit/AuditManager.java
+++ b/java/code/src/com/redhat/rhn/manager/audit/AuditManager.java
@@ -14,9 +14,9 @@
 */
 package com.redhat.rhn.manager.audit;
 
+import com.redhat.rhn.common.RhnRuntimeException;
 import com.redhat.rhn.common.conf.Config;
 import com.redhat.rhn.common.db.datasource.DataResult;
-import com.redhat.rhn.common.util.FileUtils;
 import com.redhat.rhn.frontend.dto.AuditDto;
 import com.redhat.rhn.frontend.dto.AuditMachineDto;
 import com.redhat.rhn.frontend.dto.AuditReviewDto;
@@ -279,7 +279,6 @@ public static DataResult getMachines() {
 * @param machineName The machine to get review sections for; can be null
 * @return The set of review sections
 */
- @SuppressWarnings("javasecurity:S2083") // host.list() is validated right after it is declared
 public static DataResult getMachineReviewSections(String machineName) {
 // if machineName is null, get all review sections by recursion
 if (machineName == null || machineName.isEmpty()) {
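Review bot: The `RhnRuntimeException` import added in this hunk gives `getMachineReviewSections` a new unchecked failure mode for a machine name that resolves outside the log directory, but the method's Javadoc (the `@param`/`@return` context lines in the next hunk) does not document it; add `@throws RhnRuntimeException if {@code machineName} resolves to a path outside the audit log directory`. The catch block later in the patch handles `IOException`, and no `java.io.IOException` import is visible here, so presumably it is already imported further down — worth confirming. Note also that the containment test compares the canonical `hostPath` against `logDirStr` as a plain string prefix; unless `logDirStr` is itself canonical and ends with a separator (its definition is outside this patch), a sibling directory whose name merely shares that prefix would pass, so comparing `Path` objects via `Path.of(logDirStr).toRealPath()` and `Path.startsWith(Path)` would be the more robust form.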
@@ -287,7 +286,18 @@ public static DataResult getMachineReviewSections(String machine
 }
 // otherwise, just look up this one machine
- File hostDir = Path.of(logDirStr, machineName.replace(File.separator, ""), "audit").toFile();
+ File hostDir = Path.of(logDirStr, machineName, "audit").toFile();
+
+ try {
+ String hostPath = hostDir.getCanonicalPath();
+ if (!hostPath.startsWith(logDirStr)) {
+ throw new RhnRuntimeException("Invalid machine name");
+ }
+ }
+ catch (IOException e) {
+ log.warn("Failed getting canonical path of {}", hostDir.getAbsolutePath(), e);
+ return new DataResult<>(new LinkedList<>());
+ }
 if (!hostDir.exists()) {
 return new DataResult<>(new LinkedList<>());