From d2fe4fb60fb3a49ea0712ec82f15d486a3e8c17b Mon Sep 17 00:00:00 2001
From: Pana
Date: Tue, 18 Jun 2024 11:57:25 +0800
Subject: [PATCH] fix path traversal issue (#51)
---
 build.gradle | 2 +-
 .../java/conflux/web3j/AccountManager.java | 25 +++++++++++--------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/build.gradle b/build.gradle
index e98338d..1f8e415 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,7 +27,7 @@ dependencies {
 // This dependency is used internally, and not exposed to consumers on their own compile classpath.
 implementation 'com.google.guava:guava:28.0-jre'
- compile 'org.web3j:core:4.9.0'
+ compile 'org.web3j:core:4.9.3'
 // Use JUnit test framework
 testImplementation 'junit:junit:4.12'
diff --git a/src/main/java/conflux/web3j/AccountManager.java b/src/main/java/conflux/web3j/AccountManager.java
index e575394..db24906 100644
--- a/src/main/java/conflux/web3j/AccountManager.java
+++ b/src/main/java/conflux/web3j/AccountManager.java
@@ -40,6 +40,7 @@ public class AccountManager {
 // directory to store the key files.
 private String dir;
+ private Path dirPath;
 // unlocked accounts: map
 private ConcurrentHashMap unlocked;
@@ -61,8 +62,10 @@ public AccountManager(int networkId) throws Exception {
 * @throws IOException if failed to create directories.
 */
 public AccountManager(String dir, int networkId) throws IOException {
- Files.createDirectories(Paths.get(dir));
- this.dir = dir;
+ Path p = Paths.get(dir).normalize();
+ Files.createDirectories(p);
+ this.dir = p.toString();
+ this.dirPath = p;
 this.networkId = networkId;
 this.unlocked = new ConcurrentHashMap();
 }
@@ -118,7 +121,7 @@ protected Address createKeyFile(String password, ECKeyPair ecKeyPair) throws Exc
 * @throws IOException if read files failed
 */
 public List
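Review bot: `Path p = Paths.get(dir).normalize();` in the new constructor body canonicalises the directory but does not contain it: `normalize()` only collapses `.` and `..` segments lexically, so a relative `dir` such as `../keys` keeps its leading `..`, and an absolute `dir` is honoured wherever it points. If the commit is meant to close a traversal issue, resolve first and compare against the root the deployment expects, e.g. `Path p = Paths.get(dir).toAbsolutePath().normalize();` followed by a `p.startsWith(expectedRoot)` check before `Files.createDirectories(p)`; as written the change is a canonicalisation step, not a boundary check. The constructor Javadoc above the hunk should also say that `this.dir` is now the normalised string form (trailing separators and `.` segments removed) rather than the caller's literal argument, since `this.dir = p.toString();` silently changes what is stored. A one-line comment on the new `dirPath` field, such as `// same directory as dir, kept as a Path for Files.list`, would explain why two fields hold the same location.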
list() throws IOException {
- return Files.list(Paths.get(this.dir))
+ return Files.list(this.dirPath)
 .map(path -> this.parseAddressFromFilename(path.getFileName().toString()))
 .filter(path -> !path.isEmpty())
 .sorted()
@@ -190,7 +193,7 @@ public Optional
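Review bot: `return Files.list(this.dirPath)` on the new side of `list()` opens a directory stream that is never closed; `Files.list` is documented to require closing, and without try-with-resources the directory handle is held until garbage collection, which leaks file descriptors in a long-running process. The same unclosed-stream pattern is repeated on the new `Files.list(this.dirPath)` lines in the `exists`, `delete`, `update`, `exportPrivateKey`, `unlock` and `getEcKeyPair` hunks, so fix it once in the same way everywhere. Wrapping the call as `try (Stream<Path> entries = Files.list(this.dirPath)) { return entries.map(...)...; }` is enough (this may need `import java.util.stream.Stream;` if the file does not already have it). The `list()` signature line is split across the page and the method body continues past `.sorted()` outside the hunk.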
imports(String privateKey, String password) throws Exce
 * @throws Exception if read file failed
 */
 public boolean exists(Address address) throws Exception {
- return Files.list(Paths.get(this.dir))
+ return Files.list(this.dirPath)
 .map(path -> this.parseAddressFromFilename(path.getFileName().toString()))
 .anyMatch(path -> path.equalsIgnoreCase(address.getHexAddress()));
 }
@@ -204,7 +207,7 @@ public boolean exists(Address address) throws Exception {
 */
 public boolean delete(Address address) throws Exception {
 String hexAddress = address.getHexAddress();
- List files = Files.list(Paths.get(this.dir))
+ List files = Files.list(this.dirPath)
 .filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(hexAddress))
 .collect(Collectors.toList());
@@ -213,7 +216,7 @@ public boolean delete(Address address) throws Exception {
 }
 for (Path file : files) {
- Files.delete(file);
+ Files.delete(file.normalize());
 }
 this.unlocked.remove(hexAddress);
@@ -230,7 +233,7 @@ public boolean delete(Address address) throws Exception {
 * @throws Exception if file read failed
 */
 public boolean update(Address address, String password, String newPassword) throws Exception {
- List files = Files.list(Paths.get(this.dir))
+ List files = Files.list(this.dirPath)
 .filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address.getHexAddress()))
 .collect(Collectors.toList());
@@ -239,7 +242,7 @@ public boolean update(Address address, String password, String newPassword) thro
 }
 ECKeyPair ecKeyPair = WalletUtils.loadCredentials(password, files.get(0).toString()).getEcKeyPair();
- Files.delete(files.get(0));
+ Files.delete(files.get(0).normalize());
 this.createKeyFile(newPassword, ecKeyPair);
 return true;
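Review bot: `Files.delete(file.normalize());` in the `delete` loop adds no protection, and the same applies to `Files.delete(files.get(0).normalize());` in the `update` hunk: every `file` here comes from `Files.list(this.dirPath)`, so it is already `dirPath` joined with a single directory entry name and contains no `.` or `..` segment for `normalize()` to remove, making the call a no-op. If the concern is an unexpected entry in the key directory, the useful guard is on the entry's type rather than its spelling, e.g. `if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) continue;` before the delete (noting that `Files.delete` on a symbolic link removes the link itself, not its target). Otherwise drop the `.normalize()` or add a comment saying why it is there, because a reader will assume it does something. The `delete` method's `if` block whose closing `}` opens the second hunk starts outside the hunk.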
@@ -253,7 +256,7 @@ public boolean update(Address address, String password, String newPassword) thro
 * @throws Exception if file read failed
 */
 public String exportPrivateKey(Address address, String password) throws Exception {
- List files = Files.list(Paths.get(this.dir))
+ List files = Files.list(this.dirPath)
 .filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address.getHexAddress()))
 .collect(Collectors.toList());
@@ -275,7 +278,7 @@ public String exportPrivateKey(Address address, String password) throws Exceptio
 */
 public boolean unlock(Address address, String password, Duration... timeout) throws Exception {
 String hexAddress = address.getHexAddress();
- List files = Files.list(Paths.get(this.dir))
+ List files = Files.list(this.dirPath)
 .filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(hexAddress))
 .collect(Collectors.toList());
@@ -346,7 +349,7 @@ private ECKeyPair getEcKeyPair(Address cfxAddress, String... password) throws IO
 this.unlocked.remove(address);
 }
- List files = Files.list(Paths.get(this.dir))
+ List files = Files.list(this.dirPath)
 .filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address))
 .collect(Collectors.toList());