<fix>(build,utils): upgrade dependencies, fix path manipulation bug. (#…

…148)

Changelog.md

@@ -5,8 +5,9 @@
 **更新**
 
 * log4j版本升级至2.19
+* 更新gson、snakeyaml版本以修复安全问题
 * WeCross stub 版本号更新到1.3.0
- *去除netty和tcnative的依赖
+ * 去除netty和tcnative的依赖
 
 ### v1.2.1
 

build.gradle

@@ -55,10 +55,13 @@ List logger = [
 dependencies {
  compile logger
 
- implementation 'com.moandjiezana.toml:toml4j:0.7.2'
+ implementation ('com.moandjiezana.toml:toml4j:0.7.2') {
+ exclude group: 'com.google.code.gson', module: 'gson'
+ }
+ implementation 'com.google.code.gson:gson:2.8.9'
  implementation 'org.slf4j:slf4j-api:1.7.36'
  implementation 'com.google.guava:guava:30.1-jre'
- implementation 'org.yaml:snakeyaml:1.27'
+ implementation 'org.yaml:snakeyaml:2.0'
 
  // Fabric
  implementation 'javassist:javassist:3.12.1.GA'

src/main/java/com/webank/wecross/account/FabricAccountFactory.java

@@ -265,6 +265,9 @@ public static PrivateKey buildPemPrivateKey(String keyContent) throws Exception
  }
 
  public static String loadPemCert(String certPath) throws Exception {
+
+ // to avoid path manipulation
+ certPath = certPath.replace("..", "");
  if (certPath.indexOf("classpath:") == 0) {
  PathMatchingResourcePatternResolver resolver =
  new PathMatchingResourcePatternResolver();

src/main/java/com/webank/wecross/utils/FabricUtils.java

@@ -44,6 +44,8 @@ public static long bytesToLong(byte[] bytes) {
 
  public static String getPath(String fileName) throws Exception {
  try {
+ // to avoid path manipulation
+ fileName = fileName.replace("..", "");
  if (fileName.indexOf("classpath:") != 0) {
  return fileName;
  }
@@ -62,6 +64,8 @@ public static String getPath(String fileName) throws Exception {
 
  public static String readFileContent(String fileName) throws Exception {
  try {
+ // to avoid path manipulation
+ fileName = fileName.replace("..", "");
  Path path;
 
  if (fileName.indexOf("classpath:") != 0) {