
Problem: medium shiftleft scan findings (fix #127)
fix lint issue
leejw51crypto committed Oct 21, 2020
1 parent 59b2dad commit 51de149
Showing 3 changed files with 39 additions and 7 deletions.
18 changes: 15 additions & 3 deletions cmd/chain-maind/app/app.go
@@ -3,6 +3,7 @@ package app
import (
"context"
"encoding/json"
"fmt"
"io"
"os"

@@ -142,26 +143,37 @@ func initRootCmd(rootCmd *cobra.Command, encodingConfig params.EncodingConfig) {
config.SetRoot(clientCtx.HomeDir)
path := config.GenesisFile()

file, err := os.OpenFile(path, os.O_RDWR, 0644)
file, err := os.OpenFile(path, os.O_RDWR, 0600)
if !chaingenutilcli.IsValidPath(path) {
return fmt.Errorf("insecure filepath %s", path)
}

if err != nil {
return err
}
defer file.Close()

var genesis map[string]interface{}
if err := json.NewDecoder(file).Decode(&genesis); err != nil {
file.Close()
return err
}

if err := mergo.Merge(&genesis, genesisPatch, mergo.WithOverride); err != nil {
file.Close()
return err
}
if err := file.Truncate(0); err != nil {
file.Close()
return err
}
if _, err := file.Seek(0, 0); err != nil {
file.Close()
return err
}
return json.NewEncoder(file).Encode(&genesis)

ret := json.NewEncoder(file).Encode(&genesis)
file.Close()
return ret
}

rootCmd.AddCommand(
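Review bot: The new `IsValidPath` guard placed right after `os.OpenFile` runs only once the file is already open, and its early return leaves that descriptor open, because the hunk also replaces `defer file.Close()` with per-branch `Close` calls that this branch does not have. Move the check ahead of the open so a rejected path is never touched; `writeSignedGenTx` in x/genutil/client/cli/gentx.go has the same ordering, where it matters more since `O_CREATE|O_EXCL` creates the file before the path is rejected. The manual close calls also discard the error on the write path (`ret := json.NewEncoder(file).Encode(&genesis); file.Close(); return ret`), and for a file that was just truncated and rewritten a failed close is a lost write that should be reported, so return the `Close` error there. The enclosing closure inside `initRootCmd` starts outside the hunk.
```go
	if !chaingenutilcli.IsValidPath(path) {
		return fmt.Errorf("insecure filepath %s", path)
	}
	file, err := os.OpenFile(path, os.O_RDWR, 0600)
	if err != nil {
		return err
	}
	// … unchanged: decode, merge, truncate, seek …
	if err := json.NewEncoder(file).Encode(&genesis); err != nil {
		file.Close()
		return err
	}
	return file.Close()
```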
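--- a/x/chainmain/client/cli/testnet.go
+++ b/x/chainmain/client/cli/testnet.go
@@ -527,7 +527,7 @@ func writeFile(name string, dir string, contents []byte) error {
 return err
 }
 
-err = tmos.WriteFile(file, contents, 0644)
+err = tmos.WriteFile(file, contents, 0600)
 if err != nil {
 return err
 }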
26 changes: 23 additions & 3 deletions x/genutil/client/cli/gentx.go
@@ -9,6 +9,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
"strings"

"github.com/pkg/errors"
"github.com/spf13/cobra"
@@ -244,19 +245,38 @@ func readUnsignedGenTxFile(clientCtx client.Context, r io.Reader) (sdk.Tx, error
return aTx, err
}

func IsValidPath(target string) bool {
if strings.Contains(target, "..") {
return false
}
words := []string{"", "/*", "/usr/local/bin/*", "/usr/bin/*", "/bin/*"}

for _, pattern := range words {
matched, err := filepath.Match(pattern, target)
if matched || err != nil {
return false
}
}
return true
}

func writeSignedGenTx(clientCtx client.Context, outputDocument string, tx sdk.Tx) error {
outputFile, err := os.OpenFile(outputDocument, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
outputFile, err := os.OpenFile(outputDocument, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
if !IsValidPath(outputDocument) {
return fmt.Errorf("insecure filepath %s", outputDocument)
}

if err != nil {
return err
}
defer outputFile.Close()

json, err := clientCtx.TxConfig.TxJSONEncoder()(tx)
if err != nil {
outputFile.Close()
return err
}

_, err = fmt.Fprintf(outputFile, "%s\n", json)

outputFile.Close()
return err
}

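Review bot: `IsValidPath` matches the raw, unnormalized `target`, and because `filepath.Match`'s `*` does not cross `/`, the denylist is shallower than it reads: `/usr/bin/x` is rejected but `/usr/bin/sub/x`, `/usr/bin//x`, or a relative path that resolves under one of the listed directories is accepted, and `/*` only rejects entries directly under the root. Normalize first while keeping the empty-path rule explicit, e.g. `if target == "" { return false }` followed by `target = filepath.Clean(target)` before the pattern loop, and treat the result as a best-effort denylist rather than a sandbox. The `strings.Contains(target, "..")` test also rejects legitimate names such as `node..json`; after cleaning, checking for a leading `..` path element would be more precise, if callers can accept that. The exported function has no doc comment; add one beginning `// IsValidPath reports whether target is an acceptable output path: ...` that lists the rejected patterns and states that matching does not descend into subdirectories.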