rpc: fix ExpandHome restrictions bypass (#667)

`go-home` seems to be using environment variables first
2021-10-13 18:52:05 +08:00 · 2021-10-13 18:52:05 +08:00 · 8e12d94359
commit 8e12d94359
parent 4ead9814cc
5 changed files with 31 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -67,6 +67,7 @@ Ref: https://keepachangelog.com/en/1.0.0/

 ### Bug Fixes

+* (rpc) [tharsis#667](https://github.com/tharsis/ethermint/issues/667) Fix ExpandHome restrictions bypass
 * (rpc) [tharsis#642](https://github.com/tharsis/ethermint/issues/642) Fix `eth_getLogs` when string is specified in filter's from or to fields
 * (evm) [tharsis#616](https://github.com/tharsis/ethermint/issues/616) Fix halt on deeply nested stack of cache context. Stack is now flattened before iterating over the tx logs.
 * (rpc, evm) [tharsis#614](https://github.com/tharsis/ethermint/issues/614) Use JSON for (un)marshaling tx `Log`s from events.
--- a/rpc/ethereum/namespaces/debug/api.go
+++ b/rpc/ethereum/namespaces/debug/api.go
@ -292,7 +292,12 @@ func (a *API) StartCPUProfile(file string) error {
 		a.logger.Debug("CPU profiling already in progress")
 		return errors.New("CPU profiling already in progress")
 	default:
-		f, err := os.Create(ExpandHome(file))
+		fp, err := ExpandHome(file)
+		if err != nil {
+			a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+			return err
+		}
+		f, err := os.Create(fp)
 		if err != nil {
 			a.logger.Debug("failed to create CPU profile file", "error", err.Error())
 			return err
--- a/rpc/ethereum/namespaces/debug/trace.go
+++ b/rpc/ethereum/namespaces/debug/trace.go
@ -35,7 +35,12 @@ func (a *API) StartGoTrace(file string) error {
 		a.logger.Debug("trace already in progress")
 		return errors.New("trace already in progress")
 	}
-	f, err := os.Create(ExpandHome(file))
+	fp, err := ExpandHome(file)
+	if err != nil {
+		a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+		return err
+	}
+	f, err := os.Create(fp)
 	if err != nil {
 		a.logger.Debug("failed to create go trace file", "error", err.Error())
 		return err
--- a/rpc/ethereum/namespaces/debug/utils.go
+++ b/rpc/ethereum/namespaces/debug/utils.go
@ -24,26 +24,27 @@ func isCPUProfileConfigurationActivated(ctx *server.Context) bool {

 // ExpandHome expands home directory in file paths.
 // ~someuser/tmp will not be expanded.
-func ExpandHome(p string) string {
+func ExpandHome(p string) (string, error) {
 	if strings.HasPrefix(p, "~/") || strings.HasPrefix(p, "~\\") {
-		home := os.Getenv("HOME")
-		if home == "" {
-			if usr, err := user.Current(); err == nil {
-				home = usr.HomeDir
-			}
-		}
-		if home != "" {
-			p = home + p[1:]
+		usr, err := user.Current()
+		if err != nil {
+			return p, err
 		}
+		home := usr.HomeDir
+		p = home + p[1:]
 	}
-	return filepath.Clean(p)
+	return filepath.Clean(p), nil
 }

 // writeProfile writes the data to a file
 func writeProfile(name, file string, log log.Logger) error {
 	p := pprof.Lookup(name)
 	log.Info("Writing profile records", "count", p.Count(), "type", name, "dump", file)
-	f, err := os.Create(ExpandHome(file))
+	fp, err := ExpandHome(file)
+	if err != nil {
+		return err
+	}
+	f, err := os.Create(fp)
 	if err != nil {
 		return err
 	}
--- a/server/start.go
+++ b/server/start.go
@ -223,7 +223,12 @@ func startInProcess(ctx *server.Context, clientCtx client.Context, appCreator ty
 	var cpuProfileCleanup func()

 	if cpuProfile := ctx.Viper.GetString(srvflags.CPUProfile); cpuProfile != "" {
-		f, err := os.Create(ethdebug.ExpandHome(cpuProfile))
+		fp, err := ethdebug.ExpandHome(cpuProfile)
+		if err != nil {
+			ctx.Logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+			return err
+		}
+		f, err := os.Create(fp)
 		if err != nil {
 			return err
 		}