fix path traversal issue (#51)

Conflux-Chain · Jun 18, 2024 · d2fe4fb · d2fe4fb
1 parent 1d594c1
commit d2fe4fb
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 12 deletions.
diff --git a/build.gradle b/build.gradle
@@ -27,7 +27,7 @@ dependencies {
     // This dependency is used internally, and not exposed to consumers on their own compile classpath.
     implementation 'com.google.guava:guava:28.0-jre'
 
-    compile 'org.web3j:core:4.9.0'
+    compile 'org.web3j:core:4.9.3'
 
     // Use JUnit test framework
     testImplementation 'junit:junit:4.12'

diff --git a/src/main/java/conflux/web3j/AccountManager.java b/src/main/java/conflux/web3j/AccountManager.java
@@ -40,6 +40,7 @@ public class AccountManager {
 
 	// directory to store the key files.
 	private String dir;
+	private Path dirPath;
 	// unlocked accounts: map<address, item>
 	private ConcurrentHashMap<String, UnlockedItem> unlocked;
 
@@ -61,8 +62,10 @@ public AccountManager(int networkId) throws Exception {
 	 * @throws IOException if failed to create directories.
 	 */
 	public AccountManager(String dir, int networkId) throws IOException {
-		Files.createDirectories(Paths.get(dir));
-		this.dir = dir;
+		Path p = Paths.get(dir).normalize();
+		Files.createDirectories(p);
+		this.dir = p.toString();
+		this.dirPath = p;
 		this.networkId = networkId;
 		this.unlocked = new ConcurrentHashMap<String, UnlockedItem>();
 	}
@@ -118,7 +121,7 @@ protected Address createKeyFile(String password, ECKeyPair ecKeyPair) throws Exc
 	 * @throws IOException if read files failed
 	 */
 	public List<Address> list() throws IOException {
-		return Files.list(Paths.get(this.dir))
+		return Files.list(this.dirPath)
 				.map(path -> this.parseAddressFromFilename(path.getFileName().toString()))
 				.filter(path -> !path.isEmpty())
 				.sorted()
@@ -190,7 +193,7 @@ public Optional<Address> imports(String privateKey, String password) throws Exce
 	 * @throws Exception if read file failed
 	 */
 	public boolean exists(Address address) throws Exception {
-		return Files.list(Paths.get(this.dir))
+		return Files.list(this.dirPath)
 				.map(path -> this.parseAddressFromFilename(path.getFileName().toString()))
 				.anyMatch(path -> path.equalsIgnoreCase(address.getHexAddress()));
 	}
@@ -204,7 +207,7 @@ public boolean exists(Address address) throws Exception {
 	 */
 	public boolean delete(Address address) throws Exception {
 		String hexAddress = address.getHexAddress();
-		List<Path> files = Files.list(Paths.get(this.dir))
+		List<Path> files = Files.list(this.dirPath)
 				.filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(hexAddress))
 				.collect(Collectors.toList());
 
@@ -213,7 +216,7 @@ public boolean delete(Address address) throws Exception {
 		}
 
 		for (Path file : files) {
-			Files.delete(file);
+			Files.delete(file.normalize());
 		}
 
 		this.unlocked.remove(hexAddress);
@@ -230,7 +233,7 @@ public boolean delete(Address address) throws Exception {
 	 * @throws Exception if file read failed
 	 */
 	public boolean update(Address address, String password, String newPassword) throws Exception {
-		List<Path> files = Files.list(Paths.get(this.dir))
+		List<Path> files = Files.list(this.dirPath)
 				.filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address.getHexAddress()))
 				.collect(Collectors.toList());
 
@@ -239,7 +242,7 @@ public boolean update(Address address, String password, String newPassword) thro
 		}
 
 		ECKeyPair ecKeyPair = WalletUtils.loadCredentials(password, files.get(0).toString()).getEcKeyPair();
-		Files.delete(files.get(0));
+		Files.delete(files.get(0).normalize());
 		this.createKeyFile(newPassword, ecKeyPair);
 
 		return true;
@@ -253,7 +256,7 @@ public boolean update(Address address, String password, String newPassword) thro
 	 * @throws Exception if file read failed
 	 */
 	public String exportPrivateKey(Address address, String password) throws Exception {
-		List<Path> files = Files.list(Paths.get(this.dir))
+		List<Path> files = Files.list(this.dirPath)
 				.filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address.getHexAddress()))
 				.collect(Collectors.toList());
 
@@ -275,7 +278,7 @@ public String exportPrivateKey(Address address, String password) throws Exceptio
 	 */
 	public boolean unlock(Address address, String password, Duration... timeout) throws Exception {
 		String hexAddress = address.getHexAddress();
-		List<Path> files = Files.list(Paths.get(this.dir))
+		List<Path> files = Files.list(this.dirPath)
 				.filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(hexAddress))
 				.collect(Collectors.toList());
 
@@ -346,7 +349,7 @@ private ECKeyPair getEcKeyPair(Address cfxAddress, String... password) throws IO
 				this.unlocked.remove(address);
 			}
 
-			List<Path> files = Files.list(Paths.get(this.dir))
+			List<Path> files = Files.list(this.dirPath)
 					.filter(path -> this.parseAddressFromFilename(path.getFileName().toString()).equalsIgnoreCase(address))
 					.collect(Collectors.toList());