From a9d971d94ddbc6efbabb67be5962b10e4448b2f1 Mon Sep 17 00:00:00 2001
From: huof6890 <68298506@qq.com>
Date: Thu, 14 Jul 2022 17:39:23 +0800
Subject: [PATCH] fix potential file inclusion via variable

---
 e2etest/util.go | 3 ++-
 ioctl/client.go | 3 ++-
 ioctl/cmd/account/account.go | 2 +-
 ioctl/cmd/contract/contract.go | 3 ++-
 ioctl/cmd/contract/contractshare.go | 4 ++--
 ioctl/cmd/hdwallet/hdwalletderive.go | 3 ++-
 ioctl/config/config.go | 3 ++-
 ioctl/doc/doc.go | 2 +-
 ioctl/util/util.go | 3 ++-
 pkg/recovery/recovery.go | 2 +-
 state/factory/patchstore.go | 9 +++++----
 tools/actioninjector.v2/internal/cmd/inject.go | 3 ++-
 tools/util/injectorutil.go | 3 ++-
 13 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/e2etest/util.go b/e2etest/util.go
index 6592871cf9..b6d6433d1b 100644
--- a/e2etest/util.go
+++ b/e2etest/util.go
@@ -11,6 +11,7 @@ import (
 "encoding/hex"
 "math/big"
 "os"
+ "path/filepath"
 
 "github.com/iotexproject/go-pkgs/hash"
 "github.com/pkg/errors"
@@ -194,7 +195,7 @@ func addTestingTsfBlocks(bc blockchain.Blockchain, ap actpool.ActPool) error {
 }
 
 func copyDB(srcDB, dstDB string) error {
- input, err := os.ReadFile(srcDB)
+ input, err := os.ReadFile(filepath.Clean(srcDB))
 if err != nil {
 return errors.Wrap(err, "failed to read source db file")
 }
diff --git a/ioctl/client.go b/ioctl/client.go
index b7921efebc..3d2e739f9a 100644
--- a/ioctl/client.go
+++ b/ioctl/client.go
@@ -17,6 +17,7 @@ import (
 "net/http"
 "os"
 "os/exec"
+ "path/filepath"
 "strings"
 
 "github.com/ethereum/go-ethereum/accounts/keystore"
@@ -257,7 +258,7 @@ func (c *client) NewKeyStore() *keystore.KeyStore {
 }
 
 func (c *client) DecryptPrivateKey(passwordOfKeyStore, keyStorePath string) (*ecdsa.PrivateKey, error) {
- keyJSON, err := os.ReadFile(keyStorePath)
+ keyJSON, err := os.ReadFile(filepath.Clean(keyStorePath))
 if err != nil {
 return nil, fmt.Errorf("keystore file \"%s\" read error", keyStorePath)
 }
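Review bot: The new `os.ReadFile(filepath.Clean(srcDB))` in copyDB does not prevent file inclusion: Clean only normalizes separators and collapses `.`/`..` lexically, so a path that points outside the intended directory is returned unchanged and symlinks are not considered at all. The same applies to every other hunk in this patch (DecryptPrivateKey, newAccountByKeyStore, readAbiFile, isReadOnly, share, DeriveKey, LoadConfig, GenMarkdownTreeCustom, JwtAuth, writeHeapProfile, newPatchStore, loadAccounts, LoadAddresses) — it quiets what looks like a gosec G304 finding but adds no containment check. For the ioctl commands and the test/injector tools the path appears to be supplied by the same local user who runs the binary, so there is no trust boundary to enforce and the Clean is harmless; the one call site where the path comes from another party (`share`) is raised separately on its hunk. A comment at this first call site would stop the next reader from treating it as a control: `// filepath.Clean only normalizes the operator-supplied path; it is not a containment check.`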
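Review bot: DecryptPrivateKey's error path `return nil, fmt.Errorf("keystore file \"%s\" read error", keyStorePath)` discards `err`, so a caller cannot tell a missing keystore from an unreadable one, and the added `filepath.Clean` changes nothing about that diagnosis. Keeping the chain costs one verb: `return nil, fmt.Errorf("keystore file %q read error: %w", keyStorePath, err)`. newAccountByKeyStore in the account.go hunk has the same shape, passing `nil` as the cause to `output.NewError` although `err` is in hand, while readAbiFile in the same patch passes `err` — worth making the three consistent.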
diff --git a/ioctl/cmd/account/account.go b/ioctl/cmd/account/account.go
index 31c35a772b..6462d6c668 100644
--- a/ioctl/cmd/account/account.go
+++ b/ioctl/cmd/account/account.go
@@ -306,7 +306,7 @@ func newAccountByKey(alias string, privateKey string, walletDir string) (string,
 }
 
 func newAccountByKeyStore(alias, passwordOfKeyStore, keyStorePath string, walletDir string) (string, error) {
- keyJSON, err := os.ReadFile(keyStorePath)
+ keyJSON, err := os.ReadFile(filepath.Clean(keyStorePath))
 if err != nil {
 return "", output.NewError(output.ReadFileError, fmt.Sprintf("keystore file \"%s\" read error", keyStorePath), nil)
diff --git a/ioctl/cmd/contract/contract.go b/ioctl/cmd/contract/contract.go
index 17f042f85c..8b71f96cbe 100644
--- a/ioctl/cmd/contract/contract.go
+++ b/ioctl/cmd/contract/contract.go
@@ -10,6 +10,7 @@ import (
 "encoding/hex"
 "fmt"
 "os"
+ "path/filepath"
 
 "github.com/ethereum/go-ethereum/accounts/abi"
 "github.com/ethereum/go-ethereum/common/compiler"
@@ -101,7 +102,7 @@ func checkCompilerVersion(solc *compiler.Solidity) bool {
 }
 
 func readAbiFile(abiFile string) (*abi.ABI, error) {
- abiBytes, err := os.ReadFile(abiFile)
+ abiBytes, err := os.ReadFile(filepath.Clean(abiFile))
 if err != nil {
 return nil, output.NewError(output.ReadFileError, "failed to read abi file", err)
 }
diff --git a/ioctl/cmd/contract/contractshare.go b/ioctl/cmd/contract/contractshare.go
index 5fcbc769ad..704251410c 100644
--- a/ioctl/cmd/contract/contractshare.go
+++ b/ioctl/cmd/contract/contractshare.go
@@ -92,7 +92,7 @@ func isDir(path string) bool {
 
 func isReadOnly(path string) bool {
 var readOnly = false
- file, err := os.OpenFile(path, os.O_WRONLY, 0666)
+ file, err := os.OpenFile(filepath.Clean(path), os.O_WRONLY, 0666)
 if err != nil {
 if os.IsPermission(err) {
 log.Println("Error: Write permission denied.")
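Review bot: The rewritten `os.OpenFile(filepath.Clean(path), os.O_WRONLY, 0666)` in isReadOnly still passes a mode that is never applied, because the flags contain no `os.O_CREATE`; `0` there says plainly that this is a probe and nothing will be created. The probe also classifies only `os.IsPermission` errors as "read-only", so a read-only mount or a directory fails with a different error and falls through to whatever the branch after the hunk does; isReadOnly continues outside this hunk, so I can't see how those cases, or the closing of `file` on the success path, are handled.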
@@ -198,7 +198,7 @@ func share(args []string) error {
 t := request.Payload
 getPayload := reflect.ValueOf(t).Index(0).Interface().(map[string]interface{})
 getPayloadPath := getPayload["path"].(string)
- upload, err := os.ReadFile(_givenPath + "/" + getPayloadPath)
+ upload, err := os.ReadFile(filepath.Clean(_givenPath + "/" + getPayloadPath))
 if err != nil {
 log.Println("read file failed: ", err)
 }
diff --git a/ioctl/cmd/hdwallet/hdwalletderive.go b/ioctl/cmd/hdwallet/hdwalletderive.go
index 44d0ec23c3..4c5b3a2211 100644
--- a/ioctl/cmd/hdwallet/hdwalletderive.go
+++ b/ioctl/cmd/hdwallet/hdwalletderive.go
@@ -10,6 +10,7 @@ import (
 "bytes"
 "fmt"
 "os"
+ "path/filepath"
 
 ecrypt "github.com/ethereum/go-ethereum/crypto"
 hdwallet "github.com/miguelmota/go-ethereum-hdwallet"
@@ -71,7 +72,7 @@ func DeriveKey(account, change, index uint32, password string) (string, crypto.P
 return "", nil, output.NewError(output.InputError, "Run 'ioctl hdwallet create' to create your HDWallet first.", nil)
 }
 
- enctxt, err := os.ReadFile(hdWalletConfigFile)
+ enctxt, err := os.ReadFile(filepath.Clean(hdWalletConfigFile))
 if err != nil {
 return "", nil, output.NewError(output.InputError, "failed to read config", err)
 }
diff --git a/ioctl/config/config.go b/ioctl/config/config.go
index 228a0a66e7..d1e3ba2bde 100644
--- a/ioctl/config/config.go
+++ b/ioctl/config/config.go
@@ -9,6 +9,7 @@ package config
 import (
 "fmt"
 "os"
+ "path/filepath"
 
 "github.com/spf13/cobra"
 "gopkg.in/yaml.v2"
@@ -137,7 +138,7 @@ func LoadConfig() (Config, error) {
 ReadConfig := Config{
 Aliases: make(map[string]string),
 }
- in, err := os.ReadFile(DefaultConfigFile)
+ in, err := os.ReadFile(filepath.Clean(DefaultConfigFile))
 if err == nil {
 if err := yaml.Unmarshal(in, &ReadConfig); err != nil {
 return ReadConfig, err
diff --git a/ioctl/doc/doc.go b/ioctl/doc/doc.go
index 2a7cebed66..d887ccf4bc 100644
--- a/ioctl/doc/doc.go
+++ b/ioctl/doc/doc.go
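Review bot: In `share`, `filepath.Clean(_givenPath + "/" + getPayloadPath)` still lets the payload path leave `_givenPath`: Clean resolves `..` segments lexically rather than rejecting them, and this is the one call site in the patch where the path is not typed by the local operator but appears to arrive in `request.Payload` from another party. Confinement needs an explicit check — join the payload path onto the cleaned base and refuse any result whose `filepath.Rel` from the base starts with `..` (sketch below; it assumes `strings` and `fmt` are imported in this file). The preceding `.(map[string]interface{})` and `.(string)` assertions also panic on a malformed payload, and a failed read is only logged, leaving `upload` nil for the code that follows; share continues outside this hunk, so I can't see how `upload` is consumed.
```go
	getPayloadPath := getPayload["path"].(string)
	base := filepath.Clean(_givenPath)
	target := filepath.Join(base, getPayloadPath)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("payload path %q is outside the shared directory", getPayloadPath)
	}
	upload, err := os.ReadFile(target)
	// … unchanged: read-error logging …
```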
@@ -32,7 +32,7 @@ func GenMarkdownTreeCustom(c *cobra.Command, dir string, name string, path strin
 filename = filepath.Join(path, "README.md")
 }
 
- f, err := os.Create(filename)
+ f, err := os.Create(filepath.Clean(filename))
 if err != nil {
 return err
 }
diff --git a/ioctl/util/util.go b/ioctl/util/util.go
index e2251ebbf2..fcf1f394a8 100644
--- a/ioctl/util/util.go
+++ b/ioctl/util/util.go
@@ -13,6 +13,7 @@ import (
 "math/big"
 "os"
 "os/signal"
+ "path/filepath"
 "strconv"
 "strings"
 "syscall"
@@ -169,7 +170,7 @@ func Address(in string) (string, error) {
 // JwtAuth used for ioctl set auth and send for every grpc request
 func JwtAuth() (jwt metadata.MD, err error) {
 jwtFile := os.Getenv("HOME") + "/.config/ioctl/default/auth.jwt"
- jwtString, err := os.ReadFile(jwtFile)
+ jwtString, err := os.ReadFile(filepath.Clean(jwtFile))
 if err != nil {
 return nil, err
 }
diff --git a/pkg/recovery/recovery.go b/pkg/recovery/recovery.go
index a2612817d3..3d2d4fe957 100644
--- a/pkg/recovery/recovery.go
+++ b/pkg/recovery/recovery.go
@@ -79,7 +79,7 @@ func LogCrash(r interface{}) {
 }
 
 func writeHeapProfile(path string) {
- f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0644)
+ f, err := os.OpenFile(filepath.Clean(path), os.O_CREATE|os.O_RDWR, 0644)
 if err != nil {
 log.S().Errorf("crashlog: open heap profile error: %v", err)
 return
diff --git a/state/factory/patchstore.go b/state/factory/patchstore.go
index 064d884a88..a48d665090 100644
--- a/state/factory/patchstore.go
+++ b/state/factory/patchstore.go
@@ -11,6 +11,7 @@ import (
 "encoding/hex"
 "io"
 "os"
+ "path/filepath"
 "strconv"
 
 "github.com/pkg/errors"
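Review bot: In GenMarkdownTreeCustom the visible branch assigns `filename = filepath.Join(path, "README.md")`, and `filepath.Join` already returns a cleaned path, so `filepath.Clean(filename)` on the `os.Create` line is a no-op for that branch. The other assignment to `filename` sits before the hunk, so I can't tell whether it differs; if it also goes through Join, the added Clean only implies a check that isn't there and a comment such as `// filename is already cleaned by filepath.Join` would be the more honest change.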
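Review bot: In JwtAuth the path handed to the new `filepath.Clean` is still built as `os.Getenv("HOME") + "/.config/ioctl/default/auth.jwt"`, so with HOME unset or empty the token is looked up at `/.config/ioctl/default/auth.jwt` under the filesystem root instead of failing clearly. `home, err := os.UserHomeDir()` (returning the error when it fails) followed by `filepath.Join(home, ".config", "ioctl", "default", "auth.jwt")` yields a well-formed, already-cleaned path and makes the Clean unnecessary. Treating the missing-home case as an error also matches how the read failure two lines later is already surfaced.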
@@ -43,16 +44,16 @@ type (
 * key: hex string
 * value: hex string
 */
-func newPatchStore(filepath string) (*patchStore, error) {
+func newPatchStore(fpath string) (*patchStore, error) {
 store := &patchStore{
 patchs: map[uint64][]*patch{},
 }
- if filepath == "" {
+ if fpath == "" {
 return store, nil
 }
- file, err := os.Open(filepath)
+ file, err := os.Open(filepath.Clean(fpath))
 if err != nil {
- return nil, errors.Wrapf(err, "failed to open kvstore patch, %s", filepath)
+ return nil, errors.Wrapf(err, "failed to open kvstore patch, %s", fpath)
 }
 reader := csv.NewReader(file)
 reader.FieldsPerRecord = -1
diff --git a/tools/actioninjector.v2/internal/cmd/inject.go b/tools/actioninjector.v2/internal/cmd/inject.go
index 3ac37d0733..1a03076938 100644
--- a/tools/actioninjector.v2/internal/cmd/inject.go
+++ b/tools/actioninjector.v2/internal/cmd/inject.go
@@ -16,6 +16,7 @@ import (
 "math/big"
 "math/rand"
 "os"
+ "path/filepath"
 "strings"
 "sync"
 "time"
@@ -112,7 +113,7 @@ func (p *injectProcessor) randAccounts(num int) error {
 }
 
 func (p *injectProcessor) loadAccounts(keypairsPath string) error {
- keyPairBytes, err := os.ReadFile(keypairsPath)
+ keyPairBytes, err := os.ReadFile(filepath.Clean(keypairsPath))
 if err != nil {
 return errors.Wrap(err, "failed to read key pairs file")
 }
diff --git a/tools/util/injectorutil.go b/tools/util/injectorutil.go
index 59c9825193..ba650c6a79 100644
--- a/tools/util/injectorutil.go
+++ b/tools/util/injectorutil.go
@@ -12,6 +12,7 @@ import (
 "math/big"
 "math/rand"
 "os"
+ "path/filepath"
 "sync"
 "sync/atomic"
 "time"
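Review bot: Renaming the parameter from `filepath` to `fpath` in newPatchStore is the substantive part of this hunk — the old name shadowed the `path/filepath` package, so the package could not have been called here at all — and deserves a sentence in the commit message rather than being hidden under the Clean change. `errors.Wrapf(err, "failed to open kvstore patch, %s", fpath)` repeats the path that the `*os.PathError` returned by `os.Open` already carries, so `errors.Wrap(err, "failed to open kvstore patch")` gives the same information without the duplication. The opened `file` must be closed once the CSV reader is done with it; newPatchStore continues past the hunk, so I can't confirm a `defer file.Close()` follows the error check.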
@@ -81,7 +82,7 @@ func GetTotalTsfFailed() uint64 {
 // LoadAddresses loads key pairs from key pair path and construct addresses
 func LoadAddresses(keypairsPath string, chainID uint32) ([]*AddressKey, error) {
 // Load Senders' public/private key pairs
- keyPairBytes, err := os.ReadFile(keypairsPath)
+ keyPairBytes, err := os.ReadFile(filepath.Clean(keypairsPath))
 if err != nil {
 return nil, errors.Wrap(err, "failed to read key pairs file")
 }