Fix for Server Challenge Token Security Incident

[stefong99]

Description

This change makes a fix for CVE-2025-47158

Incident 31000000381506 : [MSRC] [98867] - ElevationOfPrivilege - Local Privilege Escalation that results in Arbitrary File Read in Azure File Sync Agent on Arc enabled Windows server

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately
  • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
  • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
• SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
• SHOULD have proper test coverage for changes in pull request.
• SHOULD NOT adjust version of module manually in pull request

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull Request Overview

This PR addresses CVE-2025-47158 by strengthening how the server challenge token’s secret file path is parsed and validated.

• Renamed and clarified the header variable and improved its parsing
• Centralized path normalization and validation in a new IsSecretFilePathValid helper
• Updated error handling to use a consistent error resource

Comments suppressed due to low confidence (3)

src/StorageSync/StorageSync/Interop/ManagedIdentity/ServerManagedIdentityUtils.cs:275

• [nitpick] The variable name wwwHeader is ambiguous. Consider renaming it to something more descriptive like authenticateHeaderValue or challengeHeaderValue to improve readability.

                    var wwwHeader = authenticateHeaderValues.FirstOrDefault();

src/StorageSync/StorageSync/Interop/ManagedIdentity/ServerManagedIdentityUtils.cs:344

• The new IsSecretFilePathValid method contains critical security logic but lacks dedicated unit tests. Please add tests covering valid paths, invalid paths, edge cases, and path traversal attempts.

        private static bool IsSecretFilePathValid(string secretFilePath)

src/StorageSync/StorageSync/Interop/ManagedIdentity/ServerManagedIdentityUtils.cs:296

• [nitpick] Reusing the same error message for both a missing secret file and an invalid path may be confusing. Consider using distinct error codes or messages to differentiate missing file vs invalid path scenarios.

                            StorageSyncResources.AgentMI_InvalidSecretFileError,

[YanaXu]

/azp run azure-powershell - security-tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[YanaXu]

Please provide the test result before and after this change. Thanks!

[YanaXu]

/azp run azure-powershell - security-tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[ankushbindlish2]

It is advisable to re-record atleast one test which is exercising this new code path.

[ankushbindlish2]

Please provide the test result before and after this change. Thanks!

I presume that re-recording a test which is exercising this code path or creating a new test covering this path should be sufficient. There is no need of "before" test result.

[github-actions]

This PR was labeled "needs-revision" because it has unresolved review comments or CI failures.
Please resolve all open review comments and make sure all CI checks are green. Refer to our guide to troubleshoot common CI failures.

[YanaXu]

/azp run azure-powershell - security-tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).