rpc: fix ExpandHome restrictions bypass

CHANGELOG.md

@@ -67,6 +67,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (rpc) [tharsis#667](https://github.com/tharsis/ethermint/issues/667) Fix ExpandHome restrictions bypass
 * (rpc) [tharsis#642](https://github.com/tharsis/ethermint/issues/642) Fix `eth_getLogs` when string is specified in filter's from or to fields
 * (evm) [tharsis#616](https://github.com/tharsis/ethermint/issues/616) Fix halt on deeply nested stack of cache context. Stack is now flattened before iterating over the tx logs.
 * (rpc, evm) [tharsis#614](https://github.com/tharsis/ethermint/issues/614) Use JSON for (un)marshaling tx `Log`s from events.

rpc/ethereum/namespaces/debug/api.go

@@ -292,7 +292,12 @@ func (a *API) StartCPUProfile(file string) error {
  a.logger.Debug("CPU profiling already in progress")
  return errors.New("CPU profiling already in progress")
  default:
- f, err := os.Create(ExpandHome(file))
+ fp, err := ExpandHome(file)
+ if err != nil {
+ a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+ return err
+ }
+ f, err := os.Create(fp)
  if err != nil {
  a.logger.Debug("failed to create CPU profile file", "error", err.Error())
  return err

rpc/ethereum/namespaces/debug/trace.go

@@ -35,7 +35,12 @@ func (a *API) StartGoTrace(file string) error {
  a.logger.Debug("trace already in progress")
  return errors.New("trace already in progress")
  }
- f, err := os.Create(ExpandHome(file))
+ fp, err := ExpandHome(file)
+ if err != nil {
+ a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+ return err
+ }
+ f, err := os.Create(fp)
  if err != nil {
  a.logger.Debug("failed to create go trace file", "error", err.Error())
  return err

rpc/ethereum/namespaces/debug/utils.go

@@ -24,26 +24,27 @@ func isCPUProfileConfigurationActivated(ctx *server.Context) bool {
 
 // ExpandHome expands home directory in file paths.
 // ~someuser/tmp will not be expanded.
-func ExpandHome(p string) string {
+func ExpandHome(p string) (string, error) {
  if strings.HasPrefix(p, "~/") || strings.HasPrefix(p, "~\\") {
- home := os.Getenv("HOME")
- if home == "" {
- if usr, err := user.Current(); err == nil {
- home = usr.HomeDir
- }
- }
- if home != "" {
- p = home + p[1:]
+ usr, err := user.Current()
+ if err != nil {
+ return p, err
  }
+ home := usr.HomeDir
+ p = home + p[1:]
  }
- return filepath.Clean(p)
+ return filepath.Clean(p), nil
 }
 
 // writeProfile writes the data to a file
 func writeProfile(name, file string, log log.Logger) error {
  p := pprof.Lookup(name)
  log.Info("Writing profile records", "count", p.Count(), "type", name, "dump", file)
- f, err := os.Create(ExpandHome(file))
+ fp, err := ExpandHome(file)
+ if err != nil {
+ return err
+ }
+ f, err := os.Create(fp)
  if err != nil {
  return err
  }

server/start.go

@@ -223,7 +223,12 @@ func startInProcess(ctx *server.Context, clientCtx client.Context, appCreator ty
  var cpuProfileCleanup func()
 
  if cpuProfile := ctx.Viper.GetString(srvflags.CPUProfile); cpuProfile != "" {
- f, err := os.Create(ethdebug.ExpandHome(cpuProfile))
+ fp, err := ethdebug.ExpandHome(cpuProfile)
+ if err != nil {
+ ctx.Logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+ return err
+ }
+ f, err := os.Create(fp)
  if err != nil {
  return err
  }