rpc: fix ExpandHome restrictions bypass (#667)

`go-home` seems to be using environment variables first

CHANGELOG.md

@@ -67,6 +67,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (rpc) [tharsis#667](https://github.com/tharsis/ethermint/issues/667) Fix ExpandHome restrictions bypass
 * (rpc) [tharsis#642](https://github.com/tharsis/ethermint/issues/642) Fix `eth_getLogs` when string is specified in filter's from or to fields
 * (evm) [tharsis#616](https://github.com/tharsis/ethermint/issues/616) Fix halt on deeply nested stack of cache context. Stack is now flattened before iterating over the tx logs.
 * (rpc, evm) [tharsis#614](https://github.com/tharsis/ethermint/issues/614) Use JSON for (un)marshaling tx `Log`s from events.

rpc/ethereum/namespaces/debug/api.go

@@ -292,7 +292,12 @@ func (a *API) StartCPUProfile(file string) error {
 		a.logger.Debug("CPU profiling already in progress")
 		return errors.New("CPU profiling already in progress")
 	default:
-		f, err := os.Create(ExpandHome(file))
+		fp, err := ExpandHome(file)
+		if err != nil {
+			a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+			return err
+		}
+		f, err := os.Create(fp)
 		if err != nil {
 			a.logger.Debug("failed to create CPU profile file", "error", err.Error())
 			return err

rpc/ethereum/namespaces/debug/trace.go

@@ -35,7 +35,12 @@ func (a *API) StartGoTrace(file string) error {
 		a.logger.Debug("trace already in progress")
 		return errors.New("trace already in progress")
 	}
-	f, err := os.Create(ExpandHome(file))
+	fp, err := ExpandHome(file)
+	if err != nil {
+		a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+		return err
+	}
+	f, err := os.Create(fp)
 	if err != nil {
 		a.logger.Debug("failed to create go trace file", "error", err.Error())
 		return err

rpc/ethereum/namespaces/debug/utils.go

@@ -24,26 +24,27 @@ func isCPUProfileConfigurationActivated(ctx *server.Context) bool {
 
 // ExpandHome expands home directory in file paths.
 // ~someuser/tmp will not be expanded.
-func ExpandHome(p string) string {
+func ExpandHome(p string) (string, error) {
 	if strings.HasPrefix(p, "~/") || strings.HasPrefix(p, "~\\") {
-		home := os.Getenv("HOME")
+		usr, err := user.Current()
-		if home == "" {
+		if err != nil {
-			if usr, err := user.Current(); err == nil {
+			return p, err
-				home = usr.HomeDir
 		}
-		}
+		home := usr.HomeDir
-		if home != "" {
 		p = home + p[1:]
 	}
-	}
+	return filepath.Clean(p), nil
-	return filepath.Clean(p)
 }
 
 // writeProfile writes the data to a file
 func writeProfile(name, file string, log log.Logger) error {
 	p := pprof.Lookup(name)
 	log.Info("Writing profile records", "count", p.Count(), "type", name, "dump", file)
-	f, err := os.Create(ExpandHome(file))
+	fp, err := ExpandHome(file)
+	if err != nil {
+		return err
+	}
+	f, err := os.Create(fp)
 	if err != nil {
 		return err
 	}

server/start.go

@@ -223,7 +223,12 @@ func startInProcess(ctx *server.Context, clientCtx client.Context, appCreator ty
 	var cpuProfileCleanup func()
 
 	if cpuProfile := ctx.Viper.GetString(srvflags.CPUProfile); cpuProfile != "" {
-		f, err := os.Create(ethdebug.ExpandHome(cpuProfile))
+		fp, err := ethdebug.ExpandHome(cpuProfile)
+		if err != nil {
+			ctx.Logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
+			return err
+		}
+		f, err := os.Create(fp)
 		if err != nil {
 			return err
 		}