Merge branch 'task/config-get' of github.com:pocockn/iotex-core into …

…task/config-get * 'task/config-get' of github.com:pocockn/iotex-core: [ioctl] Build action command line into new ioctl (iotexproject#3472) fix potential file inclusion via variable (iotexproject#3549)
pocockn · Jul 16, 2022 · f4535ad · f4535ad
2 parents e7b9f69 + e301d11
commit f4535ad
Show file tree

Hide file tree

Showing 15 changed files with 653 additions and 17 deletions.
diff --git a/e2etest/util.go b/e2etest/util.go
@@ -11,6 +11,7 @@ import (
 	"encoding/hex"
 	"math/big"
 	"os"
+	"path/filepath"
 
 	"github.com/iotexproject/go-pkgs/hash"
 	"github.com/pkg/errors"
@@ -194,7 +195,7 @@ func addTestingTsfBlocks(bc blockchain.Blockchain, ap actpool.ActPool) error {
 }
 
 func copyDB(srcDB, dstDB string) error {
-	input, err := os.ReadFile(srcDB)
+	input, err := os.ReadFile(filepath.Clean(srcDB))
 	if err != nil {
 		return errors.Wrap(err, "failed to read source db file")
 	}

diff --git a/ioctl/client.go b/ioctl/client.go
@@ -17,6 +17,7 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 
 	"github.com/ethereum/go-ethereum/accounts/keystore"
@@ -257,7 +258,7 @@ func (c *client) NewKeyStore() *keystore.KeyStore {
 }
 
 func (c *client) DecryptPrivateKey(passwordOfKeyStore, keyStorePath string) (*ecdsa.PrivateKey, error) {
-	keyJSON, err := os.ReadFile(keyStorePath)
+	keyJSON, err := os.ReadFile(filepath.Clean(keyStorePath))
 	if err != nil {
 		return nil, fmt.Errorf("keystore file \"%s\" read error", keyStorePath)
 	}

diff --git a/ioctl/cmd/account/account.go b/ioctl/cmd/account/account.go
@@ -306,7 +306,7 @@ func newAccountByKey(alias string, privateKey string, walletDir string) (string,
 }
 
 func newAccountByKeyStore(alias, passwordOfKeyStore, keyStorePath string, walletDir string) (string, error) {
-	keyJSON, err := os.ReadFile(keyStorePath)
+	keyJSON, err := os.ReadFile(filepath.Clean(keyStorePath))
 	if err != nil {
 		return "", output.NewError(output.ReadFileError,
 			fmt.Sprintf("keystore file \"%s\" read error", keyStorePath), nil)

diff --git a/ioctl/cmd/contract/contract.go b/ioctl/cmd/contract/contract.go
@@ -10,6 +10,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/ethereum/go-ethereum/common/compiler"
@@ -101,7 +102,7 @@ func checkCompilerVersion(solc *compiler.Solidity) bool {
 }
 
 func readAbiFile(abiFile string) (*abi.ABI, error) {
-	abiBytes, err := os.ReadFile(abiFile)
+	abiBytes, err := os.ReadFile(filepath.Clean(abiFile))
 	if err != nil {
 		return nil, output.NewError(output.ReadFileError, "failed to read abi file", err)
 	}

diff --git a/ioctl/cmd/contract/contractshare.go b/ioctl/cmd/contract/contractshare.go
@@ -92,7 +92,7 @@ func isDir(path string) bool {
 
 func isReadOnly(path string) bool {
 	var readOnly = false
-	file, err := os.OpenFile(path, os.O_WRONLY, 0666)
+	file, err := os.OpenFile(filepath.Clean(path), os.O_WRONLY, 0666)
 	if err != nil {
 		if os.IsPermission(err) {
 			log.Println("Error: Write permission denied.")
@@ -198,7 +198,7 @@ func share(args []string) error {
 				t := request.Payload
 				getPayload := reflect.ValueOf(t).Index(0).Interface().(map[string]interface{})
 				getPayloadPath := getPayload["path"].(string)
-				upload, err := os.ReadFile(_givenPath + "/" + getPayloadPath)
+				upload, err := os.ReadFile(filepath.Clean(_givenPath + "/" + getPayloadPath))
 				if err != nil {
 					log.Println("read file failed: ", err)
 				}

diff --git a/ioctl/cmd/hdwallet/hdwalletderive.go b/ioctl/cmd/hdwallet/hdwalletderive.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	ecrypt "github.com/ethereum/go-ethereum/crypto"
 	hdwallet "github.com/miguelmota/go-ethereum-hdwallet"
@@ -71,7 +72,7 @@ func DeriveKey(account, change, index uint32, password string) (string, crypto.P
 		return "", nil, output.NewError(output.InputError, "Run 'ioctl hdwallet create' to create your HDWallet first.", nil)
 	}
 
-	enctxt, err := os.ReadFile(hdWalletConfigFile)
+	enctxt, err := os.ReadFile(filepath.Clean(hdWalletConfigFile))
 	if err != nil {
 		return "", nil, output.NewError(output.InputError, "failed to read config", err)
 	}

diff --git a/ioctl/config/config.go b/ioctl/config/config.go
@@ -9,6 +9,7 @@ package config
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v2"
@@ -139,7 +140,7 @@ func LoadConfig() (Config, error) {
 	ReadConfig := Config{
 		Aliases: make(map[string]string),
 	}
-	in, err := os.ReadFile(DefaultConfigFile)
+	in, err := os.ReadFile(filepath.Clean(DefaultConfigFile))
 	if err == nil {
 		if err := yaml.Unmarshal(in, &ReadConfig); err != nil {
 			return ReadConfig, err

diff --git a/ioctl/doc/doc.go b/ioctl/doc/doc.go
@@ -32,7 +32,7 @@ func GenMarkdownTreeCustom(c *cobra.Command, dir string, name string, path strin
 		filename = filepath.Join(path, "README.md")
 	}
 
-	f, err := os.Create(filename)
+	f, err := os.Create(filepath.Clean(filename))
 	if err != nil {
 		return err
 	}