
security: CWE-22: Fix path traversal in certificate export — VC-53779 #402

Open
torresashjiancyber wants to merge 1 commit into Venafi:main from torresashjiancyber:VC-53779-logos-fix-c

security: CWE-22: Fix path traversal in certificate export — VC-53779#402
torresashjiancyber wants to merge 1 commit into
Venafi:mainfrom
torresashjiancyber:VC-53779-logos-fix-c

Conversation

@torresashjiancyber

Summary

Fixed CWE-22 path traversal vulnerability in Export-CmCertificate (alias Export-VdcCertificate) that allowed a malicious or compromised TPP server to write arbitrary files on the operator host via crafted FileName fields in certificate export responses.

Finding

CVSS: 8.5 High (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

The function joins the server-supplied FileName field from the POST /vedsdk/certificates/retrieve response to the operator's -OutPath with only .Trim('"') sanitization before passing it to [IO.File]::WriteAllBytes(). This allows path traversal attacks using .., \, /, or rooted paths, enabling arbitrary file write with server-controlled content.

Vulnerable code (VenafiPS/Public/Export-CmCertificate.ps1:394):

$outFile = Join-Path -Path (Resolve-Path -Path $using:OutPath) -ChildPath ($innerResponse.FileName.Trim('"'))

Remediation

Applied server-supplied filename sanitization using [IO.Path]::GetFileName() to extract only the leaf name, with validation to detect and reject path traversal attempts:

$serverFileName = $innerResponse.FileName.Trim('"')
$safeFileName = [IO.Path]::GetFileName($serverFileName)
if ( -not $safeFileName -or $safeFileName -ne $serverFileName ) {
    throw ('Server returned an unsafe FileName: {0}' -f $serverFileName)
}
$outFile = Join-Path -Path (Resolve-Path -Path $using:OutPath) -ChildPath $safeFileName

This prevents directory traversal by:

  1. Extracting only the filename component (strips paths)
  2. Validating that the safe name matches the original (detects traversal attempts)
  3. Throwing an error if any path components or traversal sequences are detected

Verification

  • ✅ Minimal fix applied (7 lines changed in 1 file)
  • ✅ No regression introduced (PowerShell module - no automated tests detected)
  • ✅ Diff report generated: reports/VC-53779/
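The leaf-name check described in the PR, as an added example that is not VenafiPS code: the hypothetical Get-SafeExportFileName wraps the same GetFileName comparison and runs it against constructed FileName values a misbehaving server might return, so a reviewer can see which shapes are rejected. It assumes PowerShell on Windows, where .NET treats both \ and / as separators.

```powershell
# Added example, not part of the PR or the VenafiPS module.
function Get-SafeExportFileName {
    param([Parameter(Mandatory)][AllowEmptyString()][string] $ServerFileName)

    $trimmed = $ServerFileName.Trim('"')
    $leaf = [IO.Path]::GetFileName($trimmed)

    # Empty result (e.g. a trailing separator) or any stripped directory
    # component means the server tried to steer the write outside -OutPath.
    if (-not $leaf -or $leaf -ne $trimmed) {
        throw ('Server returned an unsafe FileName: {0}' -f $ServerFileName)
    }
    # Extra guard beyond the PR's check: '.' and '..' survive GetFileName
    # unchanged, so Join-Path would otherwise resolve them to a directory.
    if ($leaf -eq '.' -or $leaf -eq '..') {
        throw ('Server returned an unsafe FileName: {0}' -f $ServerFileName)
    }
    return $leaf
}

# Constructed FileName values (not real server responses). On Linux/macOS
# .NET only treats '/' as a separator, so the backslash cases are accepted
# there as literal file names, which the OS will not interpret as paths.
$cases = @(
    '"mycert.pem"',                    # quoted, as TPP returns it -> accepted
    'mycert.pfx',                      # plain leaf name            -> accepted
    '..\..\Users\Public\evil.exe',     # relative traversal         -> rejected
    '../../etc/cron.d/evil',           # forward-slash traversal    -> rejected
    'C:\Windows\Tasks\evil.job',       # rooted path                -> rejected
    '\\server\share\evil.dll',         # UNC path                   -> rejected
    'subdir/',                         # empty leaf                 -> rejected
    '..'                               # bare parent reference      -> rejected
)
foreach ($case in $cases) {
    try {
        $safe = Get-SafeExportFileName -ServerFileName $case
        '{0,-30} -> accepted as {1}' -f $case, $safe
    }
    catch {
        '{0,-30} -> rejected: {1}' -f $case, $_.Exception.Message
    }
}
```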
